HIPAA Email Rules

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. Its primary function today is to act as a set of rules that maintain national standards for the protection of patients’ health information. The act granted patients many rights over their health data which they did not previously have, including new rules about when, with whom, and how health data can be shared. Those working in the healthcare industry, such as doctors, pharmacists, health insurers and other providers, have an obligation under HIPAA to explain to patients their rights under the act regarding the use of their health information.

HIPAA has very strict guidelines on how electronic protected health information (ePHI) can be transmitted between authorised individuals. HIPAA’s Privacy Rule of 2000 introduced rules on the use and disclosure of PHI, including in electronic form. The Security Rule was introduced in 2003 to establish further protections for ePHI. Covered entities (CEs) must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit, using appropriate administrative, technical, and physical safeguards.

Both the Privacy Rule and the Security Rule were strengthened in 2009 by the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This also increased the penalties levied against a covered entity found to be in violation of HIPAA. In March 2013, a final set of regulations modifying HIPAA legislation was introduced in the form of the Omnibus Rule. This introduced charges in line with the HITECH Act. The Omnibus Rule also granted medical professionals more freedom in how they communicate with their patients, but this led to another issue: is the use of email to communicate ePHI HIPAA-compliant?

The Omnibus Rule states that any email sent to third parties outside an organisation’s network must be encrypted. Emails of this nature may include payment claims, patient referrals to specialists, or patient appointment scheduling. Email hacking and interception have become a serious risk to all those in the medical profession, due to the high black-market value of PHI. Therefore, it is vital that an organisation has appropriate email encryption to maintain the confidentiality and integrity of its ePHI.

However, the situation is different for email communications within a network. The Privacy Rule and the Security Rule both have stipulations on HIPAA-compliant use of email in this case. The Privacy Rule allows HIPAA CEs to use email to communicate electronically, provided that they employ the requisite safeguards while doing so. While the Privacy Rule does not prohibit the use of unencrypted email to communicate with patients, suitable precautions must be taken to ensure that there are no accidental disclosures to unauthorised individuals. These may include limiting the amount or type of information in the email.

Similarly, the Security Rule does not prohibit the use of email to transmit ePHI, but it does introduce a number of requirements to ensure that the method is secure.

These requirements include:

  • Standards for access control (45 CFR § 164.312(a))
  • Standards for integrity control (45 CFR § 164.312(c)(1))
  • Standards for transmission security (45 CFR § 164.312(e)(1))

The standard for access control requires that all employees in the organisation be issued unique IDs for accessing ePHI and email. This allows the organisation to track user actions and ensures message accountability when ePHI is transmitted. Integrity controls allow the business to protect ePHI from improper alteration and destruction. The standard for transmission security includes specifications for integrity controls and encryption that CEs must consider thoroughly. An audit of the organisation’s networks is recommended, so that an appropriate means of protecting ePHI may be enforced.

It is important to note that while encryption is a good technical safeguard, it does not fulfil all the requirements stipulated by the Security Rule. For example, it does not allow for the standard of access control to be met as it does not fulfil the unique ID requirements.

According to a report by the Healthcare Billing & Management Association (HBMA), most CEs and their business associates (BAs) do not comply with HIPAA regulations regarding their use of email. Ensuring that email is fully HIPAA compliant requires significant resources, which may be prohibitive for smaller organisations, a criticism that has been levelled against HIPAA’s creators by those in the healthcare industry.

Ensuring Email is HIPAA Compliant

Although encryption is not explicitly required by HIPAA’s regulations, it is an “addressable standard”; this means that if covered entities decide not to use encryption as a means of securing their data, then a suitable alternative must be implemented. This applies to data at rest and data in transit. Conducting a thorough risk analysis of the organisation is an appropriate way of assessing whether or not encryption is the best technical safeguard for the organisation to use. If encryption is not used, the decision must be thoroughly documented. The Office of Civil Rights (OCR) will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard implemented in its place offers an equivalent level of protection.

HIPAA’s record retention policy requires CEs to maintain PHI, and messages containing PHI, for a period of six years from the date of its creation, or the date when it last was in effect, whichever is later. Therefore, archived emails must be stored in a secure fashion. A suitable solution would be encrypted email archiving of PHI. This is commonly provided by a third-party vendor, and a business associate (BA) agreement would have to be drawn up with the CE. It is the CE’s responsibility to ensure that the BA is fully aware of HIPAA regulations. The CE is held accountable if the BA is found to be in violation of HIPAA.

The BA’s service must be up to the standard outlined in HIPAA’s Security Rule, and so must have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. To ensure maximum transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.
Although HIPAA does not explicitly ban the use of email to communicate with patients or transmit ePHI, CEs must be cautious. Safeguards must be in place to ensure the security and integrity of the ePHI while it is at rest or in transit. By carefully considering the guidelines and seeking the advice of a third-party expert, CEs can ensure that their organisation is fully compliant with HIPAA email rules.