Send HIPAA Compliant Email

How do you send HIPAA-compliant emails? Assuming all emails are compliant can be costly; read on to learn about what compliant emails are and how to send them.

Is Gmail HIPAA compliant?

No. Gmail alone is not HIPAA-compliant email. To be compliant, an organization needs to sign a Business Associate Agreement with Google. This agreement confirms that security measures are in place to protect data stored on Google servers.

When working with third-party email providers like Google or Microsoft 365, you need to use an enterprise-level product specifically designed for compliance. Additionally, these providers should have standing Business Associate Agreements (BAAs) that they enter into with healthcare providers as part of their offerings. Companies like Google and Microsoft already have these agreements ready and require any customer handling ePHI to sign one.

What Is HIPAA-compliant Email?

HIPAA-compliant email is an email service that meets the minimum HIPAA requirements for the security and privacy of electronic Protected Health Information (ePHI). HIPAA compliance for email includes all the requirements that other technologies have regarding this data, including:

  1. Restricting access to ePHI at rest or in transit
  2. Monitoring and protecting ePHI at rest or in transit
  3. Ensuring ePHI integrity and accountability at rest or in transit

Email is unusual from a security standpoint because, by its very nature, it involves both storage and transmission: people send emails, and servers and applications store them.

With that said, several parties involved in the management of email must consider the rules and regulations: senders and receivers, and third-party email vendors.

Responsibilities of Senders and Receivers

Both senders and receivers work with applications on workstations or mobile devices to write, store, and send emails. All accounts containing sensitive ePHI must abide by HIPAA encryption rules. Furthermore, these accounts must be protected from unauthorized access by passwords (ideally, multi-factor authentication). Accordingly, the management of any data sent over email falls on these parties, and they may find themselves liable for violations if they do not follow these practices:

  • For emails sent in-office or doctor-to-doctor within an internal email network and intranet, messages do not need encryption so long as there isn’t remote access and the network itself has necessary security (firewall protection, anti-malware software, etc.).
  • Any message sent outside of the secured network (to a doctor’s personal email, emails between professionals in different organizations, and emails with business associates) must be encrypted by the sender for protection during transit.
  • Emails to patients regarding any ePHI are permitted but must include a warning about the risk of the communication channel and give the patient the opportunity to decide whether or not to continue receiving email communications. Healthcare providers must always provide alternative, secure methods of sharing ePHI.

Even when following these practices, the status of several common email features can be confusing under the regulations. If you send an encrypted email containing ePHI to a covered entity or business associate, it becomes their responsibility to protect that data under HIPAA, including in any reply messages. Mass messaging should be avoided, but if it is used, senders must only send mass mailings through the mail merge features of HIPAA-compliant software.

Responsibilities of Third-Party Email Vendors

Working with third-party compliant email vendors is much like working with a cloud provider or other managed service: they must, to the extent applicable to the service provided, adhere to the regulations under a Business Associate Agreement (BAA) that outlines their responsibilities and liabilities.

What this means for them, and for you, is that the email provider must provide HIPAA-compliant storage for any emails on their servers. HIPAA requires organizations to retain compliance documentation for at least 6 years.

They are not responsible for what happens outside those servers, however. A third-party vendor has no responsibility for whether or not you use proper email security and encryption through their services, nor for safeguards outside of their services or their servers.

What this means is that even if you are using a compliant third-party email service (like Gmail) with a BAA, the BAA does not cover the remaining transmission or storage requirements on your part.

How Can I Make My Current Email Provider Compliant?

Making email HIPAA compliant involves aligning all technologies, from servers to clients to practices, with the regulations under the Privacy and Security Rules.

As a summary, these two rules outline the following:

  • The Privacy Rule outlines the nature of ePHI and the requirements around its protection, management, and privacy. It states that all PHI is private unless otherwise stated by the patient, and that all Covered Entities and Business Associates must maintain that privacy.
  • The Security Rule defines the security controls, technologies, and responsibilities of Covered Entities and Business Associates in maintaining the privacy of PHI.

That being said, not all email providers are compliant, and using a non-compliant provider places the Covered Entity in non-compliance as well.

Depending on the email service you use, there are several steps to ensuring that your email is HIPAA compliant.

Internal Email Services

If you have an internal intranet with on-premises or internal cloud email, then it’s your organization’s responsibility to protect that email at the server level and through all applications used.

This includes taking the following actions:

  1. Use software with end-to-end encryption. This encrypts data in transit and while it sits on a server, preventing a HIPAA breach. Use encryption standards that meet the requirements as strongly as possible, such as AES-256 and TLS 1.1 or higher.
  2. Use software with additional protection such as S/MIME. MIME allows emails to carry extended character sets and header information, so messages can include media and HTML. Securing MIME ensures that if you use advanced formatting, the data contained in it is protected as well.
  3. Have messaging and data sharing separate from email services. While you should still always protect your email, always provide a secure messaging and patient portal for patients to access critical medical data and communications from their practitioners. This can alleviate the risk of HIPAA violations in your email, even if you connect notifications to patient messages (so long as they do not contain ePHI).
  4. Have automated data backup and retention. The guidelines do not state specific data-retention requirements, but patients can request their information at any time, and healthcare organizations may need immutable audit trails if legal action is taken over their compliance. Additionally, the regulations clearly require organizations to maintain records regarding their security compliance for at least 6 years.
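The sender rules above (internal mail may stay unencrypted, mail leaving the secured network must be encrypted, patient mail needs a risk notice) and the S/MIME point in item 2 can be enforced at an outbound mail gateway. The following is an added example, not code from the Kiteworks page or product: it parses a message, classifies each recipient, and checks for an S/MIME enveloped body (RFC 8551) or the notice text. The domains, addresses, notice wording and messages are all constructed for the example.

```python
import email
from email import policy

INTERNAL_DOMAINS = {"clinic.example"}                  # constructed: the practice's own intranet domain
PATIENT_ADDRESSES = {"jordan.patient@mail.example"}    # constructed: patients who agreed to email contact
WARNING_MARKER = "email is not a secure channel"       # assumed wording of the required risk notice

def recipients(msg):
    addrs = []
    for name in ("to", "cc", "bcc"):
        for hdr in msg.get_all(name, []):
            addrs.extend(a.addr_spec.lower() for a in hdr.addresses)
    return addrs

def is_smime_encrypted(msg):
    # RFC 8551: an encrypted body is application/pkcs7-mime with an enveloped smime-type
    return (msg.get_content_type() == "application/pkcs7-mime"
            and msg.get_param("smime-type") in ("enveloped-data", "authEnveloped-data"))

def has_patient_warning(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is not None and WARNING_MARKER in body.get_content().lower()

def check_outbound(raw):
    """Return a list of policy findings for one outbound message (empty list = may send)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    encrypted = is_smime_encrypted(msg)
    for addr in recipients(msg):
        if addr.rsplit("@", 1)[-1] in INTERNAL_DOMAINS:
            continue  # stays on the secured intranet: no encryption required
        if addr in PATIENT_ADDRESSES:
            # patient mail may go unencrypted only if the risk notice is present
            if not encrypted and not has_patient_warning(msg):
                findings.append(f"{addr}: patient recipient, message lacks the risk notice")
        elif not encrypted:
            findings.append(f"{addr}: external recipient, message is not S/MIME encrypted")
    return findings

def sample(to, ctype, body):  # builds a constructed RFC 5322 message for the demonstration
    return f"From: dr.lee@clinic.example\nTo: {to}\nSubject: Test\nContent-Type: {ctype}\n\n{body}\n"

EXTERNAL_PLAIN = sample("referrals@partner-hospital.example", "text/plain", "Referral notes below.")
EXTERNAL_SMIME = sample("referrals@partner-hospital.example",
                        'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"', "Q09OU1RSVUNURUQ=")
PATIENT_NO_NOTICE = sample("jordan.patient@mail.example", "text/plain", "Your results are ready.")
PATIENT_WITH_NOTICE = sample("jordan.patient@mail.example", "text/plain",
                             "Your results are ready. Email is not a secure channel; reply to opt out.")
INTERNAL = sample("nurse@clinic.example", "text/plain", "Room 4 is ready.")
```

The check only inspects headers and content type; it cannot tell whether an S/MIME body was encrypted to the right certificate, so certificate management still has to be handled in the mail client or gateway.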

Working with Third-Party Vendors

An on-premises or dedicated service may be something smaller practices don't have the resources for. It requires money, skills, and time for support, maintenance, and upgrades that many organizations don't have or don't want to spend. In this case, many healthcare institutions turn to third-party vendors to provide email and/or corresponding cloud services.

To ensure that your third-party provider (and by extension, you) are compliant, consider the following:

  1. Make sure you have a BAA in place. The BAA is an agreement between your organization and a third party that will handle, transmit, or store ePHI. This agreement not only protects your organization if the third party fails to remain compliant, but also clearly defines that organization's responsibilities.

  2. Make sure that their services meet minimum HIPAA security requirements. Some companies advertise themselves as “HIPAA eligible” or “HIPAA capable”. These terms can be confusing to non-technical people. In short, they simply mean that the company provides tools and features that can support compliance. They do not mean the service is compliant out of the box.

    If your provider is HIPAA eligible, then make sure you know exactly what it takes to be HIPAA compliant with them. It may be the case that getting to compliance with them just isn’t worth it.

Whether you use internal or third-party email, HIPAA compliance requires that you train your staff to use the technology properly. This means education and continued training on HIPAA rules for the sharing and transmission of data.

For a Complete HIPAA-compliant Solution, Choose Kiteworks

Kiteworks offers HIPAA-compliant encryption, backups, and security for its email products. More importantly, however, it supports a seamless and secure experience that encompasses file sharing, secure messaging, secure storage, firewall, and other protections that are all also compliant. This means one platform, one solution, and one interface for all your needs.

Schedule a custom demo to learn more about how Kiteworks delivers HIPAA-compliant email.
