Generally, what makes emails HIPAA compliant is that the purpose for sending them is permitted by the HIPAA Privacy Rule and that the service used to send them supports compliance with the HIPAA Security Rule. However, there are circumstances in which emails containing PHI can be sent via non-compliant email services.
A sometimes overlooked aspect of HIPAA compliance is that no matter how “HIPAA compliant” a technology is, how the technology can be used is always governed by the HIPAA Privacy Rule. For this reason, the first requirement for HIPAA compliant emails is that the purpose for sending them is permitted by the HIPAA Privacy Rule when they contain Protected Health Information (PHI).
Purposes permitted by the HIPAA Privacy Rule include disclosures to the subject of the PHI and to HHS’ Office for Civil Rights, internal and external disclosures for treatment, payment, and health care operations, and external disclosures for which an authorization or opportunity to agree or object is not required (§164.512) – some of which may be required by state law (e.g., reporting gunshot injuries).
Most other disclosures – by email or any other means – require the consent of the subject of the PHI or their authorization. Some disclosures may also require an attestation that PHI disclosed in an email will not be further disclosed. In these cases, what makes email HIPAA compliant is ensuring that documentation supporting a disclosure is valid and retained for a minimum of six years.
The HIPAA Security Rule’s General Requirements
Another sometimes overlooked aspect of HIPAA compliance is the General Requirements of the HIPAA Security Rule (§164.306(a)). These state that HIPAA covered entities and business associates must:
- Ensure the confidentiality, integrity, and availability of all electronic PHI created, received, maintained, or transmitted.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted by the HIPAA Privacy Rule.
The requirements apply to all applicable Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. Therefore, for example, HIPAA security awareness training has to be provided in the context of the HIPAA Privacy Rule rather than being generic.
This is relevant to what makes emails HIPAA compliant because members of the workforce must be alerted to reasonably anticipated threats of mis-addressing an email and the hazards of using unsanctioned apps and services “to get the job done” (in this case, unsanctioned email services).
Email Services and HIPAA Compliance
With regards to the email services themselves, if a HIPAA covered entity or business associate hosts their own email service, they are responsible for ensuring the service supports HIPAA compliance. If they subscribe to a third party’s email service, the responsibility for HIPAA compliance is shared.
In most cases, this means the service provider must protect its mail servers from unauthorized access, must back up email data, and must have emergency access procedures in place. The email service must support unique user IDs, audit controls, and automatic log-off capabilities – although these should be configured by the HIPAA covered entity or business associate.
Encryption is standard in most email services, but will become a required implementation specification when the current Notice of Proposed Rulemaking is finalized. It is also necessary for the HIPAA covered entity or business associate to enter into a Business Associate Agreement with the email service provider, even if the email service provider has “no-view access” to PHI contained within emails.
Security Exceptions to What Makes Emails HIPAA Compliant
It was mentioned in the introduction that there are circumstances in which emails containing PHI can be sent via non-compliant email services. These security exceptions to what makes emails HIPAA compliant apply when a patient requests that their PHI be emailed to another provider, when they request confidential communications by email, or when they request a copy of their PHI by email, and the HIPAA covered entity does not operate an email service that supports HIPAA compliance.
In all three circumstances, the patient’s HIPAA rights preempt the HIPAA Security Rule standards. HIPAA covered entities must respond to patients via the requested channel of communication unless the patient is warned of the risks and can be persuaded to use an alternative channel of communication. In such cases, the initial request, the warning, and the patient’s agreement to send PHI via an alternative channel must be documented.
HIPAA covered entities and business associates with questions about what makes email HIPAA compliant should speak with an independent compliance professional. Members of the workforce who are unsure about what makes emails HIPAA compliant and what to do when an exception applies should speak with their HIPAA Privacy Officer before agreeing to an exception and sending PHI via an unsanctioned email service.