The what, why, how and how not-to of sending HIPAA-compliant emails, explained

According to IBM’s Cost of a Data Breach Report, business email compromises rank among the four costliest incident types with an average cost of $4.67 million. This includes the expenses the survey respondents have incurred as a result of detection and escalation, notification, post-breach response, and lost business, such as forensic expert fees, discounts for future products and services, or the cost of outsourcing hotline support.

For HIPAA-covered entities, however, the same figure can climb much, much higher, depending on whether they’ve failed to ensure HIPAA compliance for email. As in $100 to $50,000 per violation higher. In this article, we’ll take a closer look at all things email HIPAA compliance, from what HIPAA compliance means for email to which HIPAA-compliant email services are available to covered entities.

First things first: what is HIPAA-compliant email?

A quick recap from our previous deep dives on HIPAA administrative safeguards and HIPAA technical safeguards: the Health Insurance Portability and Accountability Act was signed into law in 1996 with the primary aim of helping more Americans get health insurance coverage, preventing employees from losing their health insurance between jobs, and minimizing waste, fraud, and abuse in health insurance and healthcare delivery.

To address the privacy risks new technology advancements had brought to the healthcare space, legislators adopted the HIPAA Privacy Rule in December 2000 and the HIPAA Security Rule in February 2003. More specifically, the purpose of these new rules was to set national standards for the protection of individually identifiable health information and to protect the confidentiality, integrity, and availability of electronic protected health information, respectively.

Protected health information, or PHI, refers to any information created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to an individual’s past, present, or future physical or mental health condition, or the provision or payment of health care to an individual.

Under the Security Rule of HIPAA, ePHI (short for electronic protected health information) roughly translates to “protected health information in electronic form.” This refers to protected health information that is created, transferred, received, stored and managed by a covered entity through electronic means. The same rule prescribes that reasonably anticipated threats to the security of ePHI must be identified and protected against.

Is email a HIPAA-compliant way of transmitting and keeping PHI secure? It can be, if emailing PHI happens with proper cybersecurity measures in place, such as encryption, masking, or scrambling. This is crucial because human error, whether an employee’s unintentional action or failure to act, can be just as great a liability for healthcare providers’ email HIPAA compliance efforts as malicious outsiders. Let’s see how.

HIPAA violation examples: email and social media edition

The employee who was way too eager to Yelp

  • Responding to reviews on Yelp, one of the biggest crowd-sourced review sites with more than 178 million visitors per month, is a great way to build visibility and trust with customers. Until it becomes a violation of PHI privacy requirements under HIPAA. In 2019, Texas-based dental practice Elite Dental Associates learned this the hard way.
  • When replying to a patient’s post, Elite disclosed their last name as well as details of their health condition, treatment plan, insurance, and cost information, HIPAA Journal reported. An investigation by the US Department of Health and Human Services’ Office for Civil Rights (OCR) ensued, which not only confirmed impermissible PHI disclosure on the healthcare provider’s part in this particular case but in several others.
  • To make things worse, the inquiry also discovered that Elite had failed to implement PHI-related policies and procedures and include the minimum required content in its Notice of Privacy Practices as per the HIPAA Privacy Rule. In the end, the OCR imposed a fine of $10,000 and a corrective action plan for Elite, including the development of HIPAA-compliant policies, to resolve past violations and prevent future ones.

The rushed comment about a deceased co-worker on YouTube

  • In 2020, a New York City emergency room nurse came under scrutiny after sharing video footage of her and her colleagues speaking about the hardships they had to overcome while working as frontline staff at the height of the coronavirus crisis. Unfortunately, while describing how they could have saved more lives had they not faced shortages of protective equipment and supplies, they named a former colleague who died from COVID-19 at Lincoln Hospital.
  • The results of the investigation that followed have not been publicly released, but discipline and temporary suspension were listed as potential outcomes.

The ill-considered mass email campaign to bariatric patients

  • In an example cited by Allan Collautt Associates, a health center based in Springfield, Pennsylvania, sent an email to approximately 900 bariatric surgery patients informing them of a support group. Because the recipients’ addresses were entered in the email’s CC field, they were visible to everyone who received it. Since everyone who read the email could have reasonably assumed that all recipients had received bariatric surgery, a misstep like this might be grounds for a HIPAA violation.

Whose email communication do HIPAA requirements apply to?

Email communication initiated by a HIPAA-covered entity, meaning:

  • health plans, including health insurance companies, HMOs, company health plans, government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans health care programs;
  • doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, provided they transmit any information electronically in connection with a transaction for which HHS has adopted a standard;
  • health care clearinghouses, including entities that process nonstandard health information they receive from another entity into a standard (as in standard electronic format or data content), or vice versa;

and their business associates, meaning companies that

  • help doctors get paid for providing healthcare;
  • assist with administering health plans;
  • store or destroy medical records; as well as

external collaborators, such as legal counsels, accountants, and IT specialists.

What type of emails do HIPAA rules and requirements cover? 3 examples of PHI shared via email

    1. Emails to patients about their condition and treatment

    The HIPAA Privacy Rule allows covered entities to discuss health issues with patients via email but requires them to apply reasonable safeguards when doing so. These include checking the recipient’s email address before sending to avoid accidental PHI disclosures; limiting the amount of information shared when emailing PHI or treatment details unencrypted; and adopting the security standards set forth at 45 C.F.R. Part 164, Subpart C.

    2. Bulk emails to past, present, or potential patients

    Sending mass emails without blind copying recipients is the most common example of email-related HIPAA violations, regardless of what the message says. As long as the recipients can see who else has been emailed, they can infer a past, future or ongoing relationship between the healthcare provider and the addressees, which very much constitutes an impermissible disclosure of PHI.

    3. Email replies from covered and non-covered entities

    The HIPAA Security Rule requires covered entities and business associates to apply reasonable safeguards when emailing PHI. This requirement, however, doesn’t extend to inbound email traffic. This means that protecting sensitive information in email replies is the responsibility of the sending party, as long as they too qualify as a covered entity or business associate (if they don’t, no HIPAA violation can be established).
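The bariatric support-group incident above and the bulk-email point in example 2 come down to one mechanical fact: addresses in the To and Cc headers travel with the message and are visible to every recipient, while Bcc addresses are used only for delivery and stripped from the copy each recipient receives. The following pre-send check, written for this article as an added example (it is not code from the original post or from any mail product), encodes that rule with Python's standard email library. The internal domain, the sender mailbox, the patient addresses and the one-visible-external-address limit are all constructed assumptions.

```python
"""Pre-send guard for bulk mailings: visible recipients (To/Cc) versus Bcc.

Added example, not code from the original article. Policy assumed here:
a message addressed to more than one external mailbox must carry those
mailboxes in Bcc, because To and Cc are delivered in the headers that every
recipient can read, whereas Bcc is removed before delivery.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Hypothetical internal domain; any other domain counts as an external recipient.
INTERNAL_DOMAIN = "clinic.example"


def visible_recipients(msg):
    """Return the lower-cased addresses every recipient will see (To and Cc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs if addr]


def check_bulk_recipients(msg, limit=1):
    """Return a list of policy findings; an empty list means the message may go out.

    limit: how many external addresses may appear in the visible headers.
    """
    findings = []
    external = [a for a in visible_recipients(msg)
                if not a.endswith("@" + INTERNAL_DOMAIN)]
    if len(external) > limit:
        findings.append(
            f"{len(external)} external addresses are visible in To/Cc; "
            "move them to Bcc so recipients cannot see each other")
    return findings


def build_announcement(recipients, sender="support-group@clinic.example",
                       use_bcc=True):
    """Build a constructed group announcement, either the safe way (Bcc) or
    the way the Pennsylvania health center did it (every patient in Cc)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # a visible To that discloses nothing
    msg["Subject"] = "Support group meeting"
    msg.set_content("Our monthly support group meets next Tuesday at 6 pm.")
    if use_bcc:
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["Cc"] = ", ".join(recipients)
    return msg


def as_delivered(msg):
    """Simulate what a mail server hands to each recipient: the same message
    with the Bcc header removed (smtplib.send_message does the same)."""
    delivered = message_from_bytes(msg.as_bytes(), policy=default)
    del delivered["Bcc"]
    return delivered


if __name__ == "__main__":
    patients = [f"patient{i}@mail.example" for i in range(5)]  # constructed
    for use_bcc in (False, True):
        msg = build_announcement(patients, use_bcc=use_bcc)
        print("Bcc" if use_bcc else "Cc ", "->", check_bulk_recipients(msg) or "ok",
              "| recipients see:", visible_recipients(as_delivered(msg)))
```

Hooked into the outgoing mail path (or run over a drafted campaign before it is handed to the mail system), the check blocks the CC mistake before any recipient can draw the inference the article describes; the Bcc variant delivers with only the sender's own mailbox visible.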

HIPAA for therapist emails: do the same rules apply?

For the most part, yes.

As covered entities, mental health professionals must comply with HIPAA privacy and security standards just like any other health care provider. But some exceptions apply, for example, the HIPAA Privacy Rule allows communication between a healthcare provider and a patient’s family and friends, who often play a critical role in the treatment process and outcomes.

In addition, psychotherapy notes are given special protections by the Privacy Rule as they contain extremely sensitive information and they’re mostly relevant to the mental health professional who created them. For that reason, such notes must be kept separate from other types of PHI and can only be shared with the patient’s express consent.

HIPAA email encryption requirements: a short review

According to the HIPAA Security Rule, encryption falls into the category of “addressable” implementation specifications. This does not translate as “nice to have” by a long shot.

Legislators worded these requirements vaguely, HIPAA Journal explains, to keep them technology-neutral and allow for future advancements in technology. Covered entities and business associates are advised to assess how and how often they transmit ePHI and, based on their findings, decide whether encryption is needed to protect ePHI in transit and which encryption methods would best protect the transmission.

The only instance where unencrypted protected health information transfer shouldn’t raise any eyebrows is when it happens between colleagues through an organization’s own secure network. Provided, of course, there are proper server security tools and protocols in place and only staff members who “need to know” the information to perform their job can read the plain text messages with no one else in the room.

Technically, sharing protected health information with patients via email can occur without encryption, but only if the covered entity has informed the recipient in advance and in full about the risks involved and about other, more secure ways of communicating, and the patient has stated that they opt for the less secure option despite the liabilities it poses and has consented to this method of communication in a way that’s documented and retrievable.

How to make your emails HIPAA compliant?

    1. Sign a BAA with your email provider

    The purpose of the business associate agreement (BAA) is to define the permissible uses and disclosures of PHI by the business associate and to ensure that administrative, physical, and technical safeguards will be used to protect it. Find a template by HHS here. A word to the wise: if your email provider isn’t willing to sign one, move on.

    2. Use end-to-end encryption

    End-to-end encryption can give users peace of mind even in an industry as tightly regulated as healthcare. It does so by encoding messages before they’re sent and decoding them only after they arrive at a recipient’s device using randomly generated encryption keys. This means that no one in the middle can read or modify them.

    For more details on how to send an email securely, read our guide on email encryption and how to secure emails in Outlook.

    3. Enhance PHI security protocols

    Devise and revise organizational policies related to PHI access, management, and transmission. Implement role-based permissions and granular controls to keep access to such information to the minimum necessary, along with access logs of who accessed or attempted to access PHI, and perform periodic log and permission audits.
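Step 3 asks for role-based permissions, access logs, and periodic audits of both. What that audit looks like in practice is shown by the script below, an added example written for this article rather than code from the original post or from any vendor. The role table, the user directory, the CSV log format and the denial threshold are all constructed assumptions; a real deployment would read the log exported by its own record system and the roles from its directory.

```python
"""Periodic audit of a PHI access log against role-based permissions.

Added example, not code from the original article. Everything below (roles,
accounts, log format, thresholds) is constructed for illustration.
The audit reports three things a permission review should surface:
  * accesses that were allowed although the account's role does not permit
    the action (the permission set is wider than the written policy),
  * accounts repeatedly denied access to records (probing or a misassigned role),
  * accounts holding record permissions that showed no activity (stale access).
"""
import csv
from collections import Counter
from io import StringIO

# Constructed role table: actions each role may perform on patient records.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
    "it_support": set(),  # infrastructure access only, no clinical records
}

# Constructed user directory: account -> role.
USERS = {
    "dr.ahmed": "physician",
    "nurse.kim": "nurse",
    "bill.ortega": "billing",
    "it.lopez": "it_support",
    "dr.patel": "physician",
}

# Constructed access log: timestamp, account, action, record id, result.
SAMPLE_LOG = """\
timestamp,account,action,record,result
2024-03-01T08:02:11Z,dr.ahmed,read,PT-1001,allowed
2024-03-01T08:05:40Z,nurse.kim,read,PT-1001,allowed
2024-03-01T09:12:03Z,nurse.kim,write,PT-1001,allowed
2024-03-01T10:30:55Z,it.lopez,read,PT-2040,denied
2024-03-01T10:31:02Z,it.lopez,read,PT-2041,denied
2024-03-01T10:31:09Z,it.lopez,read,PT-2042,denied
2024-03-01T11:00:00Z,bill.ortega,read_billing,PT-1001,allowed
2024-03-01T11:45:21Z,bill.ortega,read,PT-1001,allowed
"""

DENIED_THRESHOLD = 3  # assumed: this many denials in the period is worth a look


def parse_log(text):
    """Parse the CSV log into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def audit_access_log(rows, users=USERS, perms=ROLE_PERMISSIONS):
    """Return findings as (kind, account, detail) tuples, in detection order."""
    findings = []
    denied = Counter()
    active = set()
    for row in rows:
        account, action, result = row["account"], row["action"], row["result"]
        active.add(account)
        role = users.get(account)
        if role is None:
            findings.append(("unknown_account", account, row["timestamp"]))
            continue
        if result == "allowed" and action not in perms[role]:
            findings.append(("out_of_role_access", account,
                             f"{action} on {row['record']}"))
        if result == "denied":
            denied[account] += 1
    for account, count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append(("repeated_denials", account,
                             f"{count} denied attempts"))
    # Permission review: privileged accounts with no activity in the period.
    for account, role in users.items():
        if perms[role] and account not in active:
            findings.append(("dormant_privileged_account", account, role))
    return findings


if __name__ == "__main__":
    for kind, account, detail in audit_access_log(parse_log(SAMPLE_LOG)):
        print(f"{kind:28} {account:12} {detail}")
```

On the constructed log the audit flags the nurse's allowed write, the billing clerk's allowed clinical read, the IT account's three denied lookups, and the physician account that never appeared. The first two are the "minimum necessary" failures the article warns about: the system granted more than the role table says it should, which is exactly what a periodic comparison of permissions against policy is meant to catch.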

Follow-up question #1: Is Gmail HIPAA-compliant?

Yes and no. The free version of Google’s email service is not HIPAA-compliant as it’s intended for personal use only. However, if you’re a Google Workspace or Cloud Identity customer, you can configure Google services to support Gmail HIPAA compliance. To do so, make sure to sign a BAA with Google before you start using its services to transmit PHI, consult Google’s HIPAA Implementation Guide and enable S/MIME encryption for your messaging.

Follow-up question #2: Is Outlook HIPAA-compliant?

Similarly to Google, Microsoft offers support with HIPAA compliance for enterprise users who qualify as covered entities or business associates and enter into a BAA. That said, HIPAA Journal points out, the full range of features required to achieve HIPAA compliance, including audit logs, is only available on certain enterprise plans. Plus, services must be carefully configured and additional controls set up to make Outlook HIPAA-compliant.

When only the safest is safe enough: Tresorit integration for Gmail and Microsoft 365

Tresorit’s add-ons for Gmail and Microsoft 365 provide an extra layer of security to keep your most precious data assets safe with none of the hassle. This includes:

  1. End-to-end encrypted storage and backup

    Keep and back up your data in an ultra-secure cloud environment protected by zero-knowledge end-to-end encryption.

  2. Worry-free internal and external file sharing

    Use secure encrypted links to exchange files with colleagues, clients, or vendors securely, even if they don’t have a Tresorit account.

  3. Admin and user control features in one place

    Manage users, security policies and file activities as well as who has access to what data through a single interface.

  4. Encrypt email attachments automatically

    Tresorit’s email encryption feature offers a fast and easy way to replace risky email attachments with encrypted share links and password-protected files.

  5. Compliance with the strictest privacy rules

    Strengthen and simplify your GDPR, CCPA, HIPAA, TISAX, FINRA, and ITAR compliance efforts with client-side end-to-end encryption technology.

  6. Easy integration through SIEM or SSO

    Connect Tresorit to your organization’s Azure Active Directory via single sign-on or enable SIEM integration with Microsoft Sentinel.

  7. Flexible and secure on-premises alternative

    Combine the control and security offered by on-premises systems with the convenience and scalability of cloud environments.

Intrigued? Learn more and download Tresorit for Microsoft 365 or Tresorit for Gmail. Looking for a HIPAA-compliant, encrypted cloud storage and file sharing solution for managing medical records? See what Tresorit can do for you.