Send HIPAA-compliant Email
How do you send HIPAA-compliant emails? Assuming all emails are compliant can be costly; read on to learn about what compliant emails are and how to send them.
What Is HIPAA-compliant Email?
HIPAA-compliant email is an email service that meets the minimum HIPAA requirements for the security and privacy of electronic Protected Health Information (ePHI). HIPAA compliance for email includes all the requirements that apply to any other technology handling this data, including:
- Restricting access to ePHI at rest or in transit
- Monitoring and protecting ePHI at rest or in transit
- Ensuring ePHI integrity and accountability at rest or in transit
Email is unusual among technologies in that, by its very nature, it involves both storage and transmission: people send emails, and servers and client applications store them, often in several places along the way.
Accordingly, several parties involved in managing email must consider the rules and regulations: senders, receivers, and third-party email vendors.
Healthcare Data Breaches and Email Security
Email that isn’t secured can lead to data breaches and HIPAA violations because messages, and the protected health information (PHI) they contain, can be intercepted or read by unauthorized individuals on any server or network hop along the way. Private and confidential information sent through unsecured email can therefore be accessed without the sender’s or patient’s consent and used for malicious or unlawful purposes; for example, PHI sent through unsecured email could be used to commit identity theft or medical fraud.
The consequences of a HIPAA violation can be severe and include civil and criminal penalties. HIPAA-covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, can be fined up to $50,000 per violation, with an annual cap of $1.5 million per provision violated (the figures set by the HITECH Act; HHS adjusts them for inflation). Individuals who knowingly obtain or disclose PHI in violation of HIPAA face criminal penalties starting at a $50,000 fine and up to one year of imprisonment, with higher tiers (up to $250,000 and ten years) when the offense involves false pretenses or intent to sell or use the data for personal gain. Although HIPAA itself creates no private right of action, breaches also expose organizations to civil lawsuits under state law, which can result in substantial settlements.
For patients whose privacy has been compromised, the consequences may include identity theft, medical fraud, financial loss, and embarrassment, along with emotional distress and a sense of violation, since the exposed information was meant to remain private. Depending on the severity of the breach, the patient may also bear the cost of cleaning up fraud committed in their name.
What Does HIPAA Say About Email?
The Department of Health and Human Services (HHS) describes “secure email” as electronic messaging that uses encryption and other security measures to protect the confidentiality, integrity, and availability of the message. Encryption scrambles a message’s content so that it is unreadable to anyone except the intended recipient; authentication (for example, digital signatures or certificate-based sender verification) confirms the identity of the sender and receiver; and integrity protection ensures that any alteration of the message in transit can be detected. Together these help ensure that the message can be read only by its intended recipient and has not been tampered with.
HHS recommends that healthcare organizations and business associates use secure email for sensitive information transmitted over the internet. Encryption and authentication should be robust and integrated into the organization’s overall security posture rather than bolted onto a single application. HHS also recommends regular security assessments and audits, encryption of data at rest and in transit, and protection against malware and other threats through firewalls, anti-malware software, and patch management. Finally, organizations should develop and implement policies and procedures governing the use of secure email.
HIPAA Email Encryption Requirements
Email encryption is an important part of HIPAA compliance since it helps to protect confidential patient information. Many organizations that handle PHI must encrypt emails that contain PHI as part of their HIPAA compliance strategy.
The Security Rule lists encryption as an “addressable” specification: a covered entity must implement it or document why an alternative is reasonable and appropriate. In practice, for email that almost always means adopting the following encryption requirements:
- Secure transmission protocols must be used, such as TLS (STARTTLS or SMTPS for SMTP connections) and IPsec.
- The encryption method used must be secure and must use keys unique to the recipient (as in S/MIME or PGP public-key encryption), so that only the intended recipient can decrypt the message.
- The encryption algorithm must meet the standards HHS guidance references, namely NIST publications such as SP 800-111 for data at rest and SP 800-52 for TLS.
- All email content, including attachments, must be encrypted.
- Any email sent outside the organization must be encrypted.
- Organizations must have procedures in place to ensure all emails containing ePHI, whether sent or received, are encrypted.
- Organizations must have processes in place to protect the encryption keys used to encrypt emails.
Responsibilities of Senders and Receivers
Both senders and receivers work with client applications on workstations or mobile devices to write, store, and send email. Every account that holds ePHI must follow the HIPAA encryption rules, and every such account must be protected from unauthorized access by strong passwords and, ideally, multi-factor authentication. The management of any data sent over email therefore falls on these parties, and they may be liable for violations if they ignore the following practices:
- For emails sent in-office or doctor-to-doctor entirely within an internal network, messages do not strictly need encryption, provided there is no remote access path, the network has the necessary controls (firewall, anti-malware software, access control), and the organization’s documented risk analysis supports that decision (because encryption is an “addressable” specification, the decision not to use it must be justified in writing).
- Any message sent outside of the secured network (to a doctor’s personal email, between professionals in different organizations, or to business associates) must be encrypted by the sender so that it is protected in transit and on any intermediate server.
- Emails to patients containing ePHI are permitted, but the provider must first warn the patient of the risks of unencrypted email and let the patient decide whether to continue receiving it that way, and should record that decision. Healthcare providers must always offer an alternative, secure channel (such as a patient portal) for sharing ePHI.
Some everyday email features are harder to place under these rules. If you send an encrypted email with ePHI to a covered entity or business associate, it becomes their responsibility to protect that data under HIPAA, including in any replies (which should also be encrypted). Mass messaging should be avoided; if it is used, send it only through the mail-merge features of HIPAA-compliant software, so that each patient receives an individually addressed message rather than a visible list of recipients.
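The sender-side practices above can be turned into a check that runs at submission time, before a message with ePHI leaves the organization. The following is an added example, not code from the original page or any vendor: the domain names, the patient consent list, the PHI patterns and the sample messages are all constructed for illustration, and a real deployment would use the organization’s own DLP rules and consent records.

```python
"""Sender-side gate for outbound email that may carry ePHI.

Added example (not from the original page). Models the practices above:
  - internal-only traffic may go unencrypted if the risk analysis allows it
  - anything leaving the network (business associates, other organizations)
    must be encrypted
  - patients may receive plain email only after a recorded risk warning
All domains, addresses and patterns below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed organizational data.
INTERNAL_DOMAINS = {"clinic.example"}            # the intranet mail domains
BUSINESS_ASSOCIATES = {"lab.example"}            # BAA on file; still needs encryption
PATIENTS_WARNED = {"pat.jones@mail.example"}     # warned of the risk, chose plain email

# Crude ePHI indicators. Real DLP uses richer dictionaries and context.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
}


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)  # extracted attachment text
    encrypted: bool = False  # content encrypted end to end (S/MIME, PGP) or replaced by a portal link


def find_phi(text: str) -> set[str]:
    """Return the names of the ePHI patterns that match anywhere in text."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def classify(address: str) -> str:
    """Bucket a recipient by domain: internal, business_associate, or external."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in BUSINESS_ASSOCIATES:
        return "business_associate"
    return "external"


def evaluate(mail: OutboundMail) -> tuple[str, list[str]]:
    """Return ("allow" | "block", reasons) for one outbound message."""
    phi = find_phi(" ".join([mail.subject, mail.body, *mail.attachments]))
    if not phi:
        return "allow", ["no ePHI indicators found"]

    problems = []
    for rcpt in mail.recipients:
        kind = classify(rcpt)
        if kind == "internal":
            continue  # stays on the intranet; acceptable if the risk analysis says so
        if mail.encrypted:
            continue  # leaving the network, but protected in transit and at rest
        if kind == "external" and rcpt.lower() in PATIENTS_WARNED:
            continue  # patient was warned and opted in to unencrypted email
        problems.append(f"{rcpt}: {kind} recipient, message unencrypted, no recorded patient consent")

    if problems:
        return "block", [f"ePHI indicators {sorted(phi)}", *problems]
    return "allow", [f"ePHI indicators {sorted(phi)} but every recipient is covered"]


# Constructed sample traffic.
SAMPLES = {
    "internal": OutboundMail("dr.a@clinic.example", ["dr.b@clinic.example"],
                             "Consult", "MRN 0012345 labs look abnormal, see attached."),
    "ba_plain": OutboundMail("dr.a@clinic.example", ["intake@lab.example"],
                             "Order", "Patient SSN 123-45-6789, CBC please."),
    "ba_encrypted": OutboundMail("dr.a@clinic.example", ["intake@lab.example"],
                                 "Order", "Patient SSN 123-45-6789, CBC please.", encrypted=True),
    "patient_warned": OutboundMail("dr.a@clinic.example", ["pat.jones@mail.example"],
                                   "Your results", "Your MRN: 0012345 results are ready."),
    "patient_unwarned": OutboundMail("dr.a@clinic.example", ["new.patient@mail.example"],
                                     "Your results", "MRN#0012345 results are ready."),
    "newsletter": OutboundMail("news@clinic.example", ["anyone@mail.example"],
                               "Flu clinic hours", "Walk-ins welcome Saturday."),
}


def run_samples() -> dict[str, str]:
    """Verdict per sample; handy as a policy regression test."""
    return {name: evaluate(mail)[0] for name, mail in SAMPLES.items()}


if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        verdict, reasons = evaluate(mail)
        print(f"{name:17s} {verdict:5s} {'; '.join(reasons)}")
```

The gate fails closed: anything that matches an ePHI pattern is blocked unless every recipient is internal, the content is encrypted, or the recipient is a patient with a recorded consent. Attachments are scanned as text alongside the body because the encryption requirement covers attachments too; in practice the extraction step (PDF, DOCX) is where most DLP products spend their effort.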
Responsibilities of Third-party Email Vendors
Working with third-party email vendors is much like working with a cloud provider or other managed service: to the extent applicable to the service they provide, they must adhere to HIPAA under a Business Associate Agreement (BAA) that spells out their responsibilities and liabilities.
For them, and for you, this means the email provider must offer HIPAA-compliant storage for any messages on its servers. Note that HIPAA’s six-year retention requirement applies to compliance documentation (policies, risk analyses, audit records); retention periods for the messages themselves are set by state law and your own policy.
They are not responsible for what happens outside those servers, however. A third-party vendor has no responsibility for whether you actually use proper email security and encryption through its service, nor for safeguards that fall outside its services or servers (your endpoints, your staff, your local archives).
What this means is that even if you are using a compliant third-party email service (like Gmail or Office 365) with a BAA, that doesn’t cover any other requirements on your part in terms of transmission or storage.
Is Gmail HIPAA compliant?
No. The consumer Gmail service is not HIPAA-compliant, and Google will not sign a Business Associate Agreement for it. Google does offer a BAA for paid Google Workspace accounts; signing it is the step that commits Google to the security measures protecting data stored on its servers.
When working with third-party email providers like Google Workspace or Microsoft 365, you need an enterprise-level product specifically designed to support compliance. Both Google and Microsoft offer standard BAAs for these products and require the agreement to be in place before the service may be used for PHI.
Is Office 365 HIPAA Compliant?
Not on its own. Microsoft will sign a BAA covering Microsoft 365 (formerly Office 365), and certain products can help customers work toward HIPAA compliance, but Microsoft does not represent, warrant, or guarantee that its products or services by themselves meet any HIPAA requirement; compliance depends on how the customer configures and uses them.
Healthcare organizations and business associates that use Office 365 must therefore have appropriate policies and procedures in place, have documented agreements with all covered entities and users they work with, and implement the administrative, physical, and technical safeguards HIPAA requires. That includes enabling specific features such as data encryption, data-transfer monitoring, and access control, and verifying on an ongoing basis that their procedures are followed and documented.
How Can I Make My Current Email Provider Compliant?
Making HIPAA compliant email involves aligning all technologies, from servers to clients to practices, to regulations under the Privacy and Security Rules.
As a summary, these two rules outline the following:
- The Privacy Rule defines PHI and sets requirements for its protection, use, and disclosure. PHI may be used or disclosed only as the Rule permits (for example, for treatment, payment, and healthcare operations) or with the patient’s authorization, and all Covered Entities and Business Associates must maintain its privacy.
- The Security Rule defines the security controls, technologies, and responsibilities of Covered Entities and Business Associates in maintaining the privacy of PHI.
That being said, not all email providers are compliant, and using a non-compliant provider places the Covered Entity in non-compliance as well.
Depending on the email you use, there are several steps to ensuring that you use HIPAA-compliant email.
Internal Email Services
If you have an internal intranet with on-premises or internal cloud email, then it’s your organization’s responsibility to protect that email at the server level and through all applications used.
This includes taking the following actions:
- Use software that encrypts data both in transit and at rest. Transport encryption (TLS 1.2 or higher, per NIST SP 800-52r2; TLS 1.0 and 1.1 are deprecated) protects each hop between clients and servers, and storage encryption (for example, AES-256) protects messages sitting on a server. Neither is end-to-end on its own: only content encryption such as S/MIME or PGP keeps the message unreadable to the servers that relay and store it.
- Use software with S/MIME support. MIME is the format that lets email carry attachments, HTML, and extended character sets; S/MIME adds X.509-certificate-based signing and encryption of that MIME content, so the body and attachments are encrypted for the recipient and any tampering can be detected, regardless of which servers the message passes through.
- Have messaging and data sharing separate from email services. While you should still always protect your email, always provide a secure messaging and patient portal for patients to access critical medical data and communications from their practitioners. This can alleviate the risk of HIPAA violations in your email, even if you connect notifications to patient messages (so long as they do not contain ePHI).
- Have automated data backup and retention. HIPAA does not set a retention period for email or for the medical records themselves (state law and your own policy do), but patients can request their information at any time and organizations may need immutable audit trails if their compliance is challenged. What the regulations do clearly require is that records of your security compliance (policies, risk analyses, audit logs) be kept for at least six years.
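The transport-encryption point above is where client software most often gets it wrong: a mail library will happily fall back to plaintext when the server does not advertise STARTTLS, and operators disable certificate verification to silence warnings. The following is an added example, not the page’s or any vendor’s code, showing the insecure context beside a hardened one that enforces TLS 1.2+ with full verification and refuses to submit if STARTTLS is not offered. Host, port and credentials are placeholders (assumptions).

```python
"""Hardened SMTP submission for ePHI: TLS 1.2+ with verification enforced.

Added example, not code from the original page. Python's smtplib negotiates
STARTTLS only if asked, and silently continues in plaintext when the server
does not advertise it, so the client has to enforce the policy itself.
Host, port, user and password below are placeholders (assumptions).
"""
import smtplib
import ssl
from email.message import EmailMessage


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: make the certificate warning go away by not verifying.

    Any on-path attacker can then present their own certificate and read the
    message. Shown only for contrast; never use this for ePHI.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the server certificate chain and hostname, and refuse TLS < 1.2."""
    ctx = ssl.create_default_context()               # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # floor from NIST SP 800-52r2
    return ctx


def starttls_offered(esmtp_features: dict) -> bool:
    """smtplib records EHLO keywords (lower-cased) in SMTP.esmtp_features."""
    return "starttls" in {k.lower() for k in esmtp_features}


def build_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    return msg


def send_phi_mail(host: str, port: int, user: str, password: str, msg: EmailMessage) -> None:
    """Submit msg only over a verified TLS 1.2+ channel; fail closed otherwise."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not starttls_offered(smtp.esmtp_features):
            raise RuntimeError("server does not offer STARTTLS; refusing to send ePHI in the clear")
        smtp.starttls(context=hardened_context())
        smtp.ehlo()                         # re-EHLO after STARTTLS per RFC 3207
        smtp.login(user, password)          # credentials now travel inside TLS
        smtp.send_message(msg)


if __name__ == "__main__":
    import sys
    msg = build_message("dr.a@clinic.example", "intake@lab.example",
                        "Order", "See the encrypted attachment or the portal link.")
    if len(sys.argv) == 5:
        host, port, user, password = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
        send_phi_mail(host, port, user, password, msg)
    else:
        ctx = hardened_context()
        print("usage: python send_phi_mail.py HOST PORT USER PASSWORD")
        print("TLS floor:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
```

This protects only the hop to your submission server; it does not encrypt the message at rest on that server or on any relay beyond it. For ePHI that must stay unreadable to intermediaries, encrypt the content itself (S/MIME or PGP) before handing it to `send_phi_mail`, and keep the TLS enforcement as the outer layer.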
Working With Third-party Vendors
An on-premises or dedicated service might be something that smaller practices don’t have the resources for. They cost money, skills and time for support, maintenance, and upgrades that many organizations just don’t have or want. In this case, many healthcare institutions turn to third-party vendors to provide email and/or corresponding cloud services.
To ensure that your third-party provider (and by extension, you) are compliant, consider the following:
Make sure you have a BAA in place. The BAA is an agreement between your organization and a third-party who will handle, transmit, or store ePHI. This agreement not only protects your organization if this third party doesn’t remain compliant, but it clearly defines the responsibilities of that organization.
Make sure that their services meet the minimum HIPAA security requirements. Some companies advertise themselves as “HIPAA eligible” or “HIPAA capable”. These terms can be confusing to non-technical people; in short, they mean only that the company provides tools and features that can support compliance. They do not mean the service is compliant as deployed out of the box.
If your provider is HIPAA eligible, then make sure you know exactly what it takes to be HIPAA compliant with them. It may be the case that getting to compliance with them just isn’t worth it.
No matter if you use internal or third-party email, it’s necessary for HIPAA compliance that you properly train your staff to use the technology properly. This means education and continued training on HIPAA for the sharing and transmission of data.
For a Complete HIPAA-compliant Solution, Choose Kiteworks
Kiteworks offers HIPAA-compliant encryption, backups, and security for its email products. More importantly, however, it supports a seamless and secure experience that encompasses file sharing, secure messaging, secure storage, firewall, and other protections that are all also compliant. This means one platform, one solution, and one interface for all your needs.
Schedule a custom demo to learn more about how Kiteworks delivers HIPAA-compliant email.