Send HIPAA Compliant Email [Guide to Providers & Solutions]
How do you send HIPAA compliant emails? Assuming all emails are compliant can be costly; read on to learn about what compliant emails are and how to send them.
- What is HIPAA Compliant Email?
- How Can I Make My Current Email Provider Compliant?
- Who Are HIPAA-Compliant Email Vendors?
Is Gmail HIPAA compliant?
No, Gmail, alone, is not a HIPAA compliant email. To be compliant, an organization needs to sign a Business Associate Agreement with Google. This agreement confirms security measures are in place to protect data stored on Google servers.
When working with third-party email providers like Google or Microsoft 365, you need to use an enterprise-level product specifically designed for compliance. Additionally, these organizations should have standing Business Associate Agreements (BAAs) that they enter into with healthcare providers as part of their offerings. Companies like Google or Microsoft already have these and will require such an agreement from any company.
What Is HIPAA Compliant Email?
HIPAA compliant email is an email service that meets minimal HIPAA requirements for the security and privacy of electronic Personal Health Information (ePHI). HIPAA compliance for emails includes all the requirements that other technologies have regarding this data, including:
- Restricting access to ePHI at rest or in transit
- Monitoring and protecting ePHI at rest or in transit
- Ensuring ePHI integrity and accountability at rest or in transit
Email is a unique technology regarding security because emails are involved, by their very nature, in both storage and transmission. People send emails, and servers and applications store emails.
With that said, there are several parties involved in the management of emails that must consider rules and regulations: senders and receivers, and third-party email vendors.
Responsibilities of Senders and Receivers
Both senders and receivers are working with applications at workstations or mobile devices to write, store, and send emails. All accounts containing sensitive ePHI must abide by HIPAA encryption rules. Furthermore, these accounts must be protected from unauthorized access by passwords (ideally, multi-factor authentication). Accordingly, the management of any data used over email falls on these parties, and they may find themselves liable for violations should they not consider the following practices:
- For emails sent in-office or doctor-to-doctor within an internal email network and intranet, messages do not need encryption so long as there isn’t remote access and the network itself has necessary security (firewall protection, anti-malware software, etc.).
- Any message sent outside of the secured network (to a doctor’s personal email, emails between professionals in different organizations, and emails with business associates) must be encrypted by the sender for protection during transit.
- Emails to patients regarding any ePHI are OK but must include a warning regarding the risk of communication and the opportunity to decide whether or not to continue receiving compliant email communications. Healthcare providers must always provide alternative and secure methods of data sharing for ePHI.
Following these practices, several common HIPAA compliance email features can be confusing under regulations. If you send an encrypted email with ePHI to a covered entity or business associate, then it is their responsibility to protect that data under HIPAA, including during any reply messages. Mass-messaging should be avoided, but if it is used, senders must only send mass mailings through mail merge features in HIPAA-compliant software.
Responsibilities of Third-Party Email Vendors
Working with third-party compliant email vendors is a lot like working with a cloud provider or other managed service: they must, to the extent applicable with the service provided, adhere to regulations under a Business Associate Agreement (BAA) that outlines their responsibilities and culpabilities under regulations.
What this means for them, and you, are that the email provider must provide HIPAA-compliant storage for any emails on their servers. HIPAA requires organizations to retain documents for compliance for at least 6 years.
They are not responsible for what happens outside those servers, however. A third-party vendor doesn’t have any responsibility for whether or not you use proper email security and encryptions through their services, nor are they responsible for safeguards in place outside of their services or their servers.
What this means is that even if you are using a compliant third-party email service (like Gmail) with a BAA, that doesn’t cover any other requirements on your part in terms of transmission or storage.
Making HIPAA compliant email involves aligning all technologies, from servers to clients to practices, to regulations under the Privacy and Security Rules.
As a summary, these two rules outline the following:
- The Privacy Rule outlines the nature of ePHI and requirements around its protection, management, and privacy. It states that all PHI is private unless otherwise stated by the patient, and all Covered Entities and Business Associates must maintain the privacy.
- The Security Rule defines the security controls, technologies, and responsibilities of Covered Entities and Business Associates in maintaining the privacy of PHI.
That being said, not all email providers are compliant, and using a non-compliant provider places the Covered Entity in non-compliance as well.
Depending on the email you use, there are several steps to ensuring that you use HIPAA compliant email.
Internal Email Services
If you have an internal intranet with on-prem or internal cloud email, then it’s your organization’s responsibility to protect that email at the server level and through all applications used.
This includes taking the following actions:
- Use software with end-to-end encryption. This will encrypt data during transit and when it is sitting on a server to prevent a HIPAA breach. In terms of encryption, use standards that meet requirements to their highest ability, namely encryption standards like AES-256 and TLS-1.1 or higher.
- Use software with additional encryption like S/MIME. MIME data allows emails to support extended character sets and header information for more robust emails that can include media and HTML. Securing MIME ensures that if you are using advanced formatting that the data contained therein is protected as well.
- Have messaging and data sharing separate from email services. While you should still always protect your email, always provide a secure messaging and patient portal for patients to access critical medical data and communications from their practitioners. This can alleviate the risk of HIPAA violations in your email, even if you connect notifications to patient messages (so long as they do not contain ePHI).
- Have automated data backup and retention. Guidelines do not outright state any specific requirements for data retention, but patients can demand information at any time and healthcare organizations may need immutable audit trails if there are legal actions about their compliance. Additionally, regulations clearly require that organizations maintain records regarding their security compliance for at least 6 years.
Working with Third-Party Vendors
An on-prem or dedicated service might be something that smaller practices don’t have the resources for. They cost money, skills and time for support, maintenance, and upgrades that many organizations just don’t have or want. In this case, many healthcare institutions turn to third-party vendors to provide email and/or corresponding cloud services.
To ensure that your third-party provider (and by extension, you) are compliant, then consider the following:
Make sure you have a BAA in place. The BAA is an agreement between your organization and a third-party who will handle, transmit, or store ePHI. This agreement not only protects your organization if this third party doesn’t remain compliant, but it clearly defines the responsibilities of that organization.
Make sure that their services meet minimum HIPAA security requirements. Some companies will advertise themselves as “HIPAA eligible” or “HIPAA capable”. These terms can be confusing to non-technical people. In short, these terms simply mean that the company provides the tools and features that can support compliance. It doesn’t mean that they necessarily do out of the box.
If your provider is HIPAA eligible, then make sure you know exactly what it takes to be HIPAA compliant with them. It may be the case that getting to compliance with them just isn’t worth it.
No matter if you use internal or third-party email, it’s necessary for HIPAA compliance that you properly train your staff to use the technology properly. This means education and continued training on HIPAA for the sharing and transmission of data.
|Vendor||Encryption||Email Client Support||Compatibility||Best For|
|Accellion||AES-256, TLS-1.2||Custom web and mobile apps, Microsoft Outlook plugin||Microsoft Office 365, Google Workplace, Salesforce, iManage||Business: Clinics, Small Vendors
Enterprise: Hospitals, Large Vendors
Compliant File Transfer, Storage
|Google Workplace HIPAA||AES-128 or stronger, TLS-1.3||Web app, integration with most secure email clients via IMAP||Google Workplace for HIPAA, secure third-party email clients via IMAP||Enterprise Storage, Productivity Integration|
|Hushmail for Healthcare||AES-256, TLS-1.3||Web app, mobile apps||Outlook, Mac Mail, secure third-party email clients via SMTP||Clinics and Small Vendors|
|Microsoft Office 365||AES-256, TLS-1.3||Web app, Outlook desktop client, secure third-party email clients via IMAP||Outlook, Mac Mail, third-party email clients vis IMAP||Hospitals and Large Vendors, Productivity Integration|
|LuxSci||AES-256, TLS-1.3||Web app, secure third-party email clients via IMAP||Microsoft 365, Google Workplace, Salesforce, third party clients via API or SMTP||Hospitals and Large Vendors|
|HIPAA Vault||Varies||Secure third-party email clients via IMAP||Microsoft 365, Google Workplace||Hospitals, Clinics, Large and Small Vendors|
Accellion is a leader in the field of data storage and transmission in and out of healthcare, supporting compliance for frameworks like HIPAA, FedRAMP, and GDPR. Not only can you get a secure email, but couple it with critical managed services, integrations, secure messaging and data sharing and file storage all in a single platform. Finally, you get integration not only with Office 365, but with Microsoft Office Desktop apps like Word and Excel as well.
While Gmail is not itself HIPAA, Google does offer Google Workplace for Healthcare. This embeds HIPAA-compliant services in familiar products like G Suite Gmail and Google Office. These are primarily web-based, however, so it could be difficult to integrate with other platforms.
Hushmail for Healthcare
Hushmail is exactly what it says: HIPAA-compliant email. It comes complete with HIPAA-compliant features and additional tools like HIPAA FTO, cloud storage, and a compliant, managed WordPress hosting service.
Microsoft Office 365
Microsoft has several healthcare-oriented services, but their Office 365 for healthcare combines compliant cloud storage and encrypted messaging with their suite of Office tools (including 365 online access, desktop apps, and mobile apps). Pricing starts lower but balloons if you want to include those apps, however.
LuxSci has several years of experience in HIPAA compliance, meaning reliable emailing and file sharing capabilities. It relies heavily on third-party apps and support to work, however, outside of its web app. This means that you’re most likely using a third-party client, which could call for another layer of compliance and security. They do have support for major productivity suites, however.
HIPAA Vault is unique in that, on top of email and cloud services, it also supports internal website building for companies through a secure WordPress hosting plan. This can help with smaller providers who want a way to host data or a knowledgebase on an intranet without introducing vulnerabilities that could threaten compliance.
For a Complete HIPAA Compliant Solution, Choose Accellion
Accellion offers HIPAA-compliant encryption, backups, and security for its email products. More importantly, however, it supports a seamless and secure experience that encompasses file sharing, secure messaging, secure storage, firewall, and other protections that are all also compliant. This means one platform, one solution, and one interface for all your needs.
Access the ebook to learn how Accellion ensures HIPAA compliant emails.