What makes an email service HIPAA compliant is its safeguards and capabilities to ensure the confidentiality, integrity, and availability of Protected Health Information created, received, maintained, or transmitted by email. It is also necessary for the vendor of the email service to enter into a Business Associate Agreement.
If an organization qualifies as a HIPAA covered entity or business associate, and it subcontracts a third party vendor to provide an email service on its behalf, it is necessary for the third party’s email service to be HIPAA compliant if it is going to be used to create, receive, maintain, or transmit electronic Protected Health Information (PHI).
For the email service to be HIPAA compliant, the vendor must comply with all applicable safeguards of the HIPAA Security Rule and with any provisions of the HIPAA Privacy and Breach Notification Rules that apply to the service being provided. For example, if the vendor’s customer support staff can access customer mailboxes, it may be necessary to give that team HIPAA privacy training as well as HIPAA security training.
In addition, the service must have capabilities, either by default or configurable by the subscribing organization, that support HIPAA compliance. These include access controls, audit logs, automatic logoff, and encryption of email both at rest and in transit. If an email archiving service is provided with the email service, the archiving service must also be HIPAA compliant.
Making an Email Service HIPAA Compliant
In many cases, email services are not HIPAA compliant “off the shelf”. Once an organization has subscribed to a third party’s service, it will be necessary to agree to the vendor’s Business Associate Agreement (if an Agreement is not executed automatically when subscribing to the service) and make changes to the default settings to make the email service HIPAA compliant.
Most email services require subscribers to configure logs, reports, and notifications, apply separate user permissions for workforce members who have access to Protected Health Information (PHI), and create data loss prevention (DLP) policies, particularly when the email service integrates with other services in the same suite (for example, Google Drive or OneDrive).
Most third party vendors provide implementation guides to help organizations make an email service HIPAA compliant, but it is important to be aware that changes have been proposed to the HIPAA Security Rule which, if finalized, would leave most current implementation guides out of date. A summary of the proposed changes can be found on this Department of Health and Human Services factsheet.
Using an Email Service in Compliance with HIPAA
Subscribing to an email service and making the email service HIPAA compliant does not guarantee an organization’s email communications will be HIPAA compliant. Indeed, most avoidable email-based data breaches have nothing to do with the capabilities of an email service or how it is configured, but rather with how the email service is used.
For example, an analysis of HHS’ Data Breach Archive suggests that approximately 8% of all data breaches notified to HHS’ Office for Civil Rights are attributable to emails being sent to the wrong recipients. To put this figure into context, in 2022 HHS’ Office for Civil Rights received 64,592 notifications of data breaches (including those affecting fewer than 500 individuals).
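Two of the controls discussed above, a DLP policy on outgoing mail and a guard against email sent to the wrong recipient, can be illustrated together. The Python below is an added example written for this page; it is not code from any email vendor, from HHS, or from the page’s author. The domains, addresses, and patient details are constructed, and the PHI regular expressions are deliberately simple stand-ins for the detectors a real DLP engine would use. The policy holds a message for review when PHI indicators are going to a domain with no Business Associate Agreement or to a domain that looks like a misspelling of a known one, requires encryption in transit for BAA partners, and allows everything else.

```python
import difflib
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

# Constructed policy data for this example only; these are not real organisations.
INTERNAL_DOMAINS = {"clinic.example"}                       # the covered entity's own domain(s)
BAA_DOMAINS = {"lab-partner.example", "billing.example"}     # vendors with an executed BAA

# Illustrative PHI detectors. A real DLP engine uses richer matching (dictionaries,
# checksum validation, proximity rules); these regexes only show the shape of the check.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


@dataclass
class Verdict:
    action: str                        # "allow", "encrypt" or "hold"
    phi: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def find_phi(text):
    """Names of the PHI patterns that match anywhere in the text, sorted for stable output."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def recipient_domains(msg):
    """Lower-cased domain of every To/Cc/Bcc address in the message."""
    headers = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr.rsplit("@", 1)[1].lower() for _, addr in getaddresses(headers) if "@" in addr]


def likely_typo(domain):
    """Return the known domain this one resembles, if it is unknown but close to one.
    This is the misdirected-email case (records@clinic.exmaple instead of clinic.example)."""
    known = sorted(INTERNAL_DOMAINS | BAA_DOMAINS)
    if domain in known:
        return None
    close = difflib.get_close_matches(domain, known, n=1, cutoff=0.85)
    return close[0] if close else None


def evaluate(raw_message):
    """Apply the outbound policy to a single-part text message and return a Verdict."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    verdict = Verdict(action="allow", phi=find_phi(text))
    if not verdict.phi:
        return verdict                                  # no PHI indicators: nothing to enforce
    for domain in recipient_domains(msg):
        suspect = likely_typo(domain)
        if suspect:
            verdict.reasons.append(f"{domain} looks like a typo of {suspect}")
            verdict.action = "hold"                     # quarantine for sender confirmation
        elif domain in INTERNAL_DOMAINS:
            continue                                    # stays inside the covered entity
        elif domain in BAA_DOMAINS:
            verdict.reasons.append(f"{domain} is a BAA partner; encryption in transit required")
            if verdict.action == "allow":
                verdict.action = "encrypt"              # enforce TLS/S/MIME rather than block
        else:
            verdict.reasons.append(f"{domain} has no BAA; PHI would leave the covered entity")
            verdict.action = "hold"
    return verdict


# Constructed sample messages; patients, staff and organisations are fictional.
SAMPLES = {
    "misdirected": (
        "From: nurse@clinic.example\n"
        "To: Records <records@clinic.exmaple>\n"
        "Subject: Discharge summary\n\n"
        "Patient MRN: 00482913, DOB: 03/14/1961. Summary attached.\n"
    ),
    "partner": (
        "From: billing@clinic.example\n"
        "To: claims@billing.example\n"
        "Subject: Claim for MRN 00482913\n\n"
        "Please process the attached claim.\n"
    ),
    "benign": (
        "From: frontdesk@clinic.example\n"
        "To: vendor@office-supplies.example\n"
        "Subject: Order confirmation\n\n"
        "Thanks, the order arrived today.\n"
    ),
}


def run_samples():
    """Evaluate every sample and return {name: Verdict}."""
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict.action:8} phi={verdict.phi} {'; '.join(verdict.reasons)}")
```

In practice these rules are configured in the email vendor’s own DLP and mail-flow console rather than written as custom code; the point of the example is the decision logic. Note that the lookalike-domain check only catches misspellings of domains the policy already knows, so it complements, rather than replaces, the workforce training the next paragraph describes.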
Therefore, it is important for workforce members to receive HIPAA training on how to use an email service in compliance with HIPAA, and also to be informed about the real consequences of data breaches in terms of operational disruptions, medical identity theft, and the impact on the timeliness and quality of care while recovering from a data breach.
HIPAA-regulated entities that require further advice on what makes an email service HIPAA compliant, or on the proposed changes to the HIPAA Security Rule, are advised to speak with an independent compliance professional. Those that require advice about making an existing email service HIPAA compliant should speak with the vendor of the email service.