Email is a critical part of daily life and modern business, but is it HIPAA compliant?
There’s no denying that, in a healthcare setting, email is convenient. It saves time and eases communication between internal staff, referring providers, and business associates.
But it can also be challenging to ensure the security of Protected Health Information (PHI) through electronic communications. So, is email HIPAA compliant?
When it comes to protecting patient information and preventing investigations into your organization, the key is first understanding what HIPAA says about email, and then working to make the best decision for your organization.
What Does HIPAA Say About Email?
Covered entities will want to ensure that any transmission of electronic protected health information (ePHI) is in compliance with HIPAA. So, what does HIPAA say about email?
Technically, HIPAA doesn’t say anything about email, but it does state that all electronic communication of PHI must be encrypted in transit—meaning, it must be secure on the way from one party to another.1
All transmissions of ePHI, whether email or otherwise, should also be taken into account when your organization conducts a risk analysis. In the risk analysis process, consider:
- WHAT ePHI is being transmitted?
- HOW is the ePHI being transmitted?
- WHICH devices are permitted to send ePHI?
- IF the organization has a Bring Your Own Device (BYOD) policy, those devices should be considered in the risk analysis.
The impact on the organization in the event of a breach must also be calculated. Events such as theft, loss, or improper disposal of the device, loss of availability of ePHI to other users of the device, as well as the likelihood of the ePHI being intercepted by an unauthorized individual, must all be considered in the risk analysis.
Insecure Email Communications
While HIPAA is clear that email messages containing PHI should be encrypted in transit, there is an exception available that covered entities can consider: mutual consent.
Mutual consent is when the HIPAA covered entity or business associate enters into an agreement with the patient whose data is being transmitted. Insecure email may be allowed if:
- The patient is clearly informed of the security risks of insecure email communications, and a secure option is recommended,
- The individual indicates in writing that it is OK to send them ePHI via insecure email, and
- The Covered Entity keeps explicit records of all of these mutual consent cases, including the content of the risk warnings and the written approval from the individual.
Keep in mind that patients must be educated about the potential risks of insecure email communications. Including a form in your standard paperwork, which patients may sign without understanding the implications, can open you up to liability if the patient is not properly educated.
Additionally, keep in mind that internal communications—emails between doctors, nurses, and care providers—are not covered under this consent. And, CMS does not allow orders to be communicated via email.
Mutual consent is a legal grey area, so you should seek the advice of an attorney well versed in HIPAA before sending any insecure transmissions.
Secure Email Communications
Due to the legal grey area, the necessity for patient education, and the hurdles for internal communication, secure email communication platforms are the best way to ensure HIPAA compliant email.
The proper way to communicate any patient information is through a secure platform—or by picking up the phone and calling.
When selecting a secure communications platform, check with your IT provider to determine if they are able to create an encrypted email solution for you, or use a commercially available one like Mediprocity or MD OfficeMail.
Keep in mind that you will need a Business Associate Agreement (BAA) in place with the provider if you’re going to use the platform to send PHI, so the company’s willingness to sign a BAA should be factored into your selection process.
And, remember, while secure platforms can be used for internal communications, they still cannot be used to communicate orders, per CMS.
Staff Training and Education
The final factor to consider when it comes to HIPAA compliant email is staff training and education.
In the era of work from home and BYOD policies, it is especially important to have clear training outlining acceptable communications standards for PHI.
All staff should be educated to understand the importance of never sending PHI through email unless the email is encrypted, as well as the exception due to mutual consent if you choose to utilize it. Providers should also receive training to prevent insecure internal communications containing PHI.
Of course, it is foundational to train employees on the 18 PHI identifiers, so they don’t mistakenly send PHI via email—for instance, sending patient initials thinking they don’t qualify as PHI, when in fact they do.
Emails and HIPAA Compliance
The ease of digital communications has changed the way we think about communicating every day—but when it comes to HIPAA compliance, email is a potential risk that must be carefully considered.
With the appropriate HIPAA compliance provisions in place, you can take advantage of email for both patient and internal communications, but it is critical to understand the compliance risks involved.
Want to learn more about HIPAAtrek?
HIPAAtrek is an all-in-one HIPAA compliance software that can help you manage the BAAs, trainings, policies and consent paperwork you may need to implement a HIPAA compliant email program.
Please seek legal advice if you’d like to send emails while complying with HIPAA, keeping in mind that policies governing email for medical facilities and emails containing PHI may vary from state to state.
1 §164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
§164.312(e)(1) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
§164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.