How to Email PHI and Stay HIPAA Compliant

Handling PHI is tricky but especially when it is emailed. With breaches of sensitive content in email occurring daily, sending an email that cannot be hacked and is compliant with HIPAA and other regulations can be difficult to navigate.

Can you send PHI via email? Yes, you can send PHI via email, but you need to verify that your email provider meets specific security protocols before actually sending the PHI. If certain HIPAA regulations aren’t met, then you could be looking at a hefty fine.

What Is HIPAA and Protected Health Information (PHI)?

The Health Insurance Portability and Accountability Act (HIPAA) is a set of laws and regulations around creating and protecting protected health information (PHI). These laws specifically discuss how certain healthcare providers and their business partners are under law expected to secure patient data related to healthcare, healthcare treatments, and payments.

While the law contains several sections covering a variety of rules and requirements, sending email with PHI largely falls under the following three, which focus on cybersecurity and data protection:

1. The Data Privacy Rule: The Privacy Rule (data privacy) states unequivocally that patient data must remain private and that primary healthcare organizations (hospitals, doctors’ offices, and insurance companies, which are designated as Covered Entities) and their vendors (which are designated as Business Associates) have a legal responsibility in protecting that data.
2. The Security Rule: Covered Entities and Business Associates must implement appropriate security measures to protect patient data, including technical, administrative, and physical controls.
3. The Breach Notification Rule: Upon the event of a system breach, Covered Entities and Business Associates have requirements as to when and how they notify affected patients, regulatory bodies, and the public more broadly.

The Privacy Rule, in particular, is critical for the understanding of HIPAA. It defines PHI in legal terms as any information related to the provision of healthcare services to a patient, including health-related information, doctors’ notes, personally identifiable information (PII) for the patient, or payment information tendered toward their care.

Because PHI is such a fundamental part of HIPAA compliance, most security requirements revolve around how PHI is transmitted, stored, and used. Additionally, because restrictions against the unauthorized disclosure of PHI are strict, healthcare providers must organize any and all technologies used to communicate with patients around HIPAA requirements.

These requirements around technological use can significantly impact how your organization actually shares information with patients. Unsecured technologies like email are problematic at best and noncompliant at worst.

Why and How Can You Use Email With PHI?

There is no direct prohibition against using email under HIPAA. However, the actual implementation of a HIPAA-compliant email solution for communicating healthcare information is challenging. While email is incredibly common, and most likely the most accessible and convenient manner to communicate with patients, it is also risky because there is no way to guarantee protection of patient information on email servers or devices.

Take encryption for example. An email solution that uses proper file-sharing encryption standards is technically compliant. However, to use email encryption with traditional approaches, you must have buy-in from the sender and the recipient. Both sides must use the same encryption standard, and in cases with public key encryption, each side must have a set of keys they manage through software. To solve the problem, organizations must install and manage a plugin on the email client and manually request or share a public key with third parties. This creates inefficiencies and bottlenecks and can result in users circumventing security protocols when sending sensitive PHI—within and outside of their organizations.

Likewise, organizations must store data in a secure place even when not sending it. Any email solution must include HIPAA-compliant encryption on its servers. Thus, unless an organization fields its own email server (which is highly unlikely), then it must work with a Business Associate to implement encryption for data at rest and in transit.

Finally, another crucial part of HIPAA compliance involves event reports and audit logs. To demonstrate HIPAA compliance, organizations must implement proper logging for audits and potential forensic needs on all systems, which is also true for Business Associates. This calls for another level of compliance and a vendor risk management strategy with Business Associates.

By and large, it would help if you considered the following cases before considering email PHI and HIPAA email compliance:

• Internal emails: Doctors and other employees will inevitably share medical information. In scenarios where doctors send information to other doctors via email, that email must remain encrypted and secured on whatever device they access the email. Fortunately, this is much easier to manage. Because your organization has control over doctor devices and internal systems, you can implement policies that protect PHI and maintain compliance. 
• External emails: Emails to patients and third parties are a different issue because your organization cannot dictate standards for the thousands of patients with which you may interface. Any attempt to send PHI over email will almost always be noncompliant due to lack of proper encryption or lack of security at the user’s end. Or, in a best-case scenario, it will involve cumbersome plugins and redirects for secure file sharing.

One of the emerging solutions that many organizations are turning to is secure links and patient portals. Using a patient portal lets you control security, like encryption, identity and access management (IAM), and audit logging, from a central server or cloud environment. Sending secure links to PHI to users via email avoids the pitfalls of sending PHI directly over email while funneling users into secure environments.

Secure links and online portals are considered the most reliable and secure forms of communicating healthcare information with patients outside of your organization. Additionally, a portal tied to a robust document and file transfer management system can also streamline compliant communication between doctors and other employees. These systems can integrate with secured devices and workstations so that medical professionals can share information securely and privately without potential exposure to theft or disclosure.

Otherwise, the only other way to send PHI over email is through encrypted messages, using technology like Public Key Encryption [Pretty Good Privacy (PGP)]. This requires that both you and your patients use PGP email technology. While you could most likely force implementation of encryption internally to your organization, it is practically impossible to do so with a population of patients.

What Are the Penalties for Violating HIPAA?

The topic of email PII is important because violations of HIPAA regulations can carry steep penalties regardless of intent. Penalties for HIPAA violations fall in four tiers:

• Tier 1: These violations are unintended, and the organization is unaware of the issue behind the violation and could not reasonably prevent it. If this is the case, and the organization otherwise attempted to follow HIPAA rules, then penalties range between $100 and $50,000 per violation.
• Tier 2: These violations occur when the organization should have been aware of the violation but could not have reasonably prevented it (viz., the organization is negligent but not willfully so). Penalties here range from $1,000 to $50,000 per violation.
• Tier 3: These violations are due to willful neglect of HIPAA regulations, but penalties are tempered by the organization’s attempts to remediate the issue. Penalties here range from $10,000 to $50,000 per violation.
• Tier 4: These are willful violations where no attempt was made to correct the issue. With tier 4 violations, organizations will face minimum penalties of $50,000 per incident.

Furthermore, individuals can face criminal charges for certain acts of data theft, which are divided into three tiers:

• Tier 1: A violation occurs when the individual has no knowledge of the violation or there is no reasonable cause. This can come about due to accidental disclosure of data or in cases of emergencies where doctors share PHI to help save a patient. Penalties include up to a year in jail.
• Tier 2: Tier 2 violations are when users obtain PHI under false pretenses. This can earn the violating party up to five years in jail.
• Tier 3: Tier 3 violations include any attempt to obtain PHI for profit or malicious intent (such as blackmail or revenge), and this tier can earn the violator up to 10 years in jail.

It is important to understand these definitions because improper use of email to share PHI can open an organization up to multiple violations that cost tens of thousands, hundreds of thousands, or even millions of dollars.

Manage PHI and Patient Privacy With Kiteworks

Securing communications between doctors, staff, and patients means leveraging usable technologies for all parties without violating HIPAA. Email, for all its limitations, is the easiest way to stay in contact with most patients and communicate with third parties. Kiteworks makes sending encrypted, HIPAA-compliant messages and attachments easy from wherever users work, on the web or via mobile devices, in Microsoft 365 or other email systems, or in enterprise applications. You no longer need to manually manage your governance policies and keys and spend valuable time and resources managing plugins. Rather, Kiteworks automatically applies governance policies, secures the content, and tracks every action in every send, share, and transfer of sensitive content.

With the Kiteworks platform, organizations can store PHI in HIPAA-compliant servers and use encryption so that only authenticated users can read emails, open attachments, and forward emails to unauthorized parties–internally and externally. Some of the key capabilities include:

• Secure email communications in transit and at rest: Kiteworks utilizes AES-256 encryption for data at rest and TLS 1.2+ for data in transit. Kiteworks’ hardened virtual appliance, granular controls, authentication and other security stack integrations, and comprehensive logging and auditing enable organizations to achieve compliance efficiently. Emails and attachments are scanned by antivirus, advanced threat protection (ATP), and continuous data protection (CDP). Outbound email communications employ data loss prevention (DLP) to prevent intentional and unintentional data leakage.
• Secure access and data ownership: With on-premises, Logging-as-a-Service (LaaS) resources, and Infrastructure-as-a-Service (IaaS) deployments, only you have access to system, storage, and keys–external third parties (including Kiteworks), such as government and industry regulatory bodies, do not have access. As a result, email sends and receives, file storage, and access occur on a dedicated Kiteworks instance, deployed on your premises, on your Logging-as-a-Service (LaaS) resources, or hosted in the cloud by the Kiteworks Cloud server. That means no shared runtime, databases or repositories, resources, or potential for cross-cloud breaches or attacks.
• Email protection gateway and automated encryption: Kiteworks email protection gateway and automated encryption can be used with any email client and email server (no plugins required). Key management and email encryption is automated and invisible to users. Organizations also can automatically apply policies for which emails to encrypt while automatically providing end-to-end encryption to protect sensitive content on cloud email servers.
• Compliance and policy controls: Role-based, granular controls within Kiteworks enables organizations to minimize exposure while providing full email HIPAA compliance tracking and audit reporting. This includes the ability to control patient and third-party authentication options, expiration, and link forwarding. Kiteworks secure email capabilities include policies for return receipts and digital fingerprinting.
• SIEM integration: Keep your environment secure with integrated security information and event management (SIEM) for alerts, logging, and event response. Integrations include IBM QRadar, ArcSight, FireEye Helix, LogRhythm, and others. It also helps the Splunk Forwarder and consists of the Splunk App.
• Audit logging: With the Kiteworks platform’s immutable audit logs, organizations can detect attacks sooner and maintain the correct chain of evidence to perform HIPAA-compliant forensics. Since Kiteworks merges and standardizes entries from all the components, its unified syslog and alerts save your security operations center (SOC) team crucial time and help your compliance team prepare for HIPAA-related and other regulatory audits.
• Data visibility and management: Kiteworks CISO Dashboard gives organizations an overview of your data: where it is, who is accessing it, how it is being used, and if it complies. Help your business leaders make informed decisions and your compliance leadership maintain regulatory requirements.

If you would like to see how Kiteworks secure email capability is HIPAA-compliant and how the Kiteworks platform delivers a single pane of glass for sensitive content communications, schedule a custom demo today.

Additional Resources

• Brief How You Can Expand Visibility and Automate Protection of All Sensitive Email
• Case Study Learn How NYC Health + Hospitals Shares PHI Securely and Efficiently
• Blog Post What Is HIPAA Compliance?
• Blog Post What Is a HIPAA-Compliant Form?
• Blog Post Are Emails Considered PII?
• Blog Post What Are HIPAA Encryption Requirements?
• Blog Post How to Send HIPAA-Compliant Email