HIPAA Compliant Email: Getting it Right

Howard Schulman

What is HIPAA Compliant Email?

The Health Insurance Portability and Accountability Act (HIPAA) is a US act that provides protections for individuals’ protected health information (PHI). It applies to health information collected, created, stored, and shared by healthcare providers and associates. It includes the HIPAA Security Rule which applies protections to electronic protected health information (ePHI).

According to HIPAA, regulated entities are only allowed to disclose healthcare data if they ensure it is being shared in a protected fashion and is only being used for an approved scope of use. This means that if entities want to share information through email, they must ensure that only the approved recipient can receive it or access the information contained. One way to ensure this is with HIPAA compliant email.

HIPAA Email Encryption Requirements

According to HIPAA guidelines, emails containing ePHI that are sent outside of your internal network should be encrypted. This prevents the contents from being readable if the email is intercepted or sent to the wrong recipient by mistake. Privacy is ensured by encrypting the message with a key that only the intended recipient holds; that key (or the credential needed to obtain it) is provided to the recipient in a separate interaction, not in the email itself.
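As an added illustration of the key-based protection described above (this is example code written for this article, not the page author's or any vendor's implementation), the Go program below seals an email body for one recipient: a fresh AES-256-GCM key encrypts the content, and that key is wrapped with the recipient's RSA public key using RSA-OAEP, so only the holder of the matching private key, which was exchanged with the sender separately, can read the message. The key pair, the message body and the OAEP label are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this use; sender and recipient must agree on it (constructed value).
var oaepLabel = []byte("ephi-email-content-key")

// Envelope is what actually travels in the email body or attachment. Without the
// recipient's private key none of these fields reveals anything about the content.
type Envelope struct {
	WrappedKey []byte // per-message AES key, encrypted to the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output: encrypted body plus authentication tag
}

// NewRecipientKey generates the recipient's key pair. The public half is what the
// recipient hands to senders in a separate exchange; the private half stays with them.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForRecipient seals body so that only the holder of the matching private key can open it.
func EncryptForRecipient(recipientPub *rsa.PublicKey, body []byte) (*Envelope, error) {
	contentKey := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	// RSA-OAEP wraps the content key; only the recipient's private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt opens an envelope with the recipient's private key. A wrong key or any
// modification of the envelope yields an error, never silently altered content.
func Decrypt(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: wrong recipient key or damaged envelope")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce was modified")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: both parties run in one process. In practice the public key
	// crosses to the sender out of band and the private key never leaves the recipient.
	recipient, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	body := []byte("Patient record [placeholder id]: lab results attached.")
	env, err := EncryptForRecipient(&recipient.PublicKey, body)
	if err != nil {
		panic(err)
	}
	out, err := Decrypt(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %s\n", out)

	// A message altered in transit is rejected rather than decrypted into garbage.
	env.Ciphertext[0] ^= 0x01
	if _, err := Decrypt(recipient, env); err != nil {
		fmt.Println("altered message rejected:", err)
	}
}
```

The design point for a misaddressed message is the second check in `Decrypt`: an envelope that reaches the wrong mailbox cannot be unwrapped with that recipient's key, and one that is modified in transit fails the GCM authentication check, so neither case exposes readable ePHI. The hard part in a real deployment is the separate exchange and safe storage of the recipient's keys, which this demo only simulates.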

While encryption is the default means of protection, it is considered an “addressable standard” under the HIPAA Security Rule. This means it is not required in every case but is strongly advised, particularly if emails are sent to external servers. If encryption is not used, the data must be secured in some other way, both at rest and in transit.

You are responsible for determining if encryption is an appropriate protection or not. This decision should be made according to the level of risk, as determined by a risk analysis. You need to evaluate for threats to the availability, integrity, and confidentiality of data.

Based on your findings, you should create a risk management plan that addresses identified risks with encryption or a comparable alternative. When determining which method to use, you need to document your choice and your reasoning for that choice as part of the plan.

Penalties for HIPAA Email Violations

If you violate the requirements of HIPAA, you can be penalized with fines ranging from $100 to $1.5 million. Below is a breakdown of fine categories and ranges:


Is Gmail HIPAA Compliant?

As one of the most popular email providers, Gmail’s status in terms of HIPAA compliance is crucial to know. The short answer is that yes, Gmail can be HIPAA compliant. However, it is not compliant by default.

If you plan to use Gmail as a HIPAA covered entity, you need to enter into a business associate agreement (BAA) with Google that covers Gmail services. You also need to use G Suite, which is a subscription cloud service. This service lets you use your own domain, which is required because BAAs do not cover the gmail.com domain.

Once G Suite is set up, you must also pay for an end-to-end encryption service. Google does not provide in-transit encryption, only at rest, so you cannot rely on the default encryption service. With your infrastructure in place, your final steps are to train users to ensure that G Suite is used correctly. You must also get permission from your patients to send ePHI through email.

5 HIPAA Email Compliance Tips

In addition to the minimum requirements introduced above, there are some best practices that can help you ensure that your emails are HIPAA compliant. Below are a few practices to consider:

  1. Implement sharing controls—consider restricting access to ePHI to specific devices or users. Most users do not need to send information externally (such as through email) and should not have permissions to do so. You should reserve sharing permissions for only those who need it (such as medical records staff).
  2. Restrict inter-departmental access—similar to sharing, not all departments should have access to ePHI or all record fields. Restrict access according to need to ensure confidentiality. For example, HR typically does not need access to medical records information unless it is for employees. This prevents accidental disclosures.
  3. Track information access—you need to be able to audit who is accessing or sharing information to ensure that permissions are correct and guidelines are being followed. One way to do this is with firewall logs on your email server. Tracking who is sharing information and when can help you trace issues to their source. If you are actively monitoring email you can also potentially detect when confidential information is sent in a suspicious manner or volume.
  4. Train employees for privacy—accidental compliance breaches are common but can be avoided with proper training. You should teach employees how to ensure that emails are compliant and the importance of privacy in general. For example, explain why employees should not share logins or passwords. The more aware your users are of compliance guidelines, the more likely they are to follow them or to notice if privacy is breached.
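The sharing controls in tip 1 and the access tracking in tip 3 can be checked mechanically from your mail gateway's logs. The Go program below is an added example for this article, not code from any product named on the page; the log line format (`timestamp user= to= ephi= direction=`), the sharing allow-list and the sample lines are all constructed. It flags any external ePHI message from a user who is not on the sharing allow-list, and any user whose external ePHI volume in the log window exceeds a configured limit, while also counting lines it could not parse so gaps in logging are visible rather than silently ignored.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// A Finding is one policy violation or anomaly worth a reviewer's attention.
type Finding struct {
	User   string
	Reason string
}

// mailEvent is one parsed gateway log line (constructed format for this example).
type mailEvent struct {
	ts, user, to   string
	ephi, external bool
}

// parseLine reads "timestamp k=v k=v ..." lines. It returns ok=false for lines it
// cannot interpret; callers count those instead of dropping them.
func parseLine(line string) (mailEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return mailEvent{}, false
	}
	ev := mailEvent{ts: fields[0]}
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			return mailEvent{}, false
		}
		switch k {
		case "user":
			ev.user = v
		case "to":
			ev.to = v
		case "ephi":
			ev.ephi = v == "yes"
		case "direction":
			ev.external = v == "external"
		}
	}
	if ev.user == "" {
		return mailEvent{}, false
	}
	return ev, true
}

// Analyze applies two checks: (1) an external ePHI message from a user outside the
// sharing allow-list is a violation; (2) a user whose external ePHI count in the log
// window exceeds maxPerUser is flagged for volume review. It also returns the number
// of log lines that could not be parsed.
func Analyze(lines []string, allowedSharers map[string]bool, maxPerUser int) ([]Finding, int) {
	var findings []Finding
	unparsed := 0
	counts := map[string]int{}
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			unparsed++
			continue
		}
		if !(ev.ephi && ev.external) {
			continue // internal or non-ePHI traffic is outside these two checks
		}
		counts[ev.user]++
		if !allowedSharers[ev.user] {
			findings = append(findings, Finding{ev.user,
				fmt.Sprintf("external ePHI send to %s at %s without sharing permission", ev.to, ev.ts)})
		}
	}
	users := make([]string, 0, len(counts))
	for u := range counts {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic report order
	for _, u := range users {
		if counts[u] > maxPerUser {
			findings = append(findings, Finding{u,
				fmt.Sprintf("%d external ePHI messages in window exceeds limit of %d", counts[u], maxPerUser)})
		}
	}
	return findings, unparsed
}

// SampleLog is a constructed gateway log for the demo, not real traffic.
var SampleLog = []string{
	"2023-06-01T09:02:11Z user=records.clerk@clinic.example to=partner@lab.example ephi=yes direction=external",
	"2023-06-01T09:05:40Z user=records.clerk@clinic.example to=partner@lab.example ephi=yes direction=external",
	"2023-06-01T09:11:02Z user=hr.assistant@clinic.example to=colleague@clinic.example ephi=yes direction=internal",
	"2023-06-01T09:20:15Z user=hr.assistant@clinic.example to=personal@webmail.example ephi=yes direction=external",
	"2023-06-01T09:25:00Z user=front.desk@clinic.example to=vendor@supplies.example ephi=no direction=external",
	"2023-06-01T10:01:00Z user=records.clerk@clinic.example to=partner@lab.example ephi=yes direction=external",
	"2023-06-01T10:02:00Z user=records.clerk@clinic.example to=partner@lab.example ephi=yes direction=external",
	"malformed line with no fields",
}

// AllowedSharers is the constructed allow-list: only medical records staff may send ePHI externally.
var AllowedSharers = map[string]bool{"records.clerk@clinic.example": true}

func main() {
	findings, unparsed := Analyze(SampleLog, AllowedSharers, 3)
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.User, f.Reason)
	}
	fmt.Printf("unparsed log lines: %d\n", unparsed)
}
```

Run against the sample log, the HR assistant's single external ePHI message is reported as a permissions violation (tip 1) and the records clerk, who is allowed to share, is reported only because four external ePHI messages exceed the limit of three (tip 3). Tune `maxPerUser` to the normal volume of your records staff; the value here is arbitrary for the demo.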

HIPAA Compliant Email with Lightico

Lightico’s mobile eSignature platform exceeds the regulatory requirements of HIPAA-compliant email and enables employees and patients to interact through a secure web browser environment. The agent simply sends the patient a HIPAA-compliant text message link to their smartphone that opens up to a secure session, in which the patient can digitally fill out and upload forms and documents, and get ID verified.

Unlike physical paperwork that often passes through multiple hands, or is otherwise easier for other parties to access, documents sent via Lightico are instantly encrypted and stored safely in the company’s CRM. All documents, including those containing PHI, are time-stamped and tamper-proof, ensuring the integrity of customer data.

Learn more about Lightico’s HIPAA-compliant eSignature platform.

