HIPAA Email Rules

The HIPAA email rules apply whenever an email containing Protected Health Information is sent, received, or stored by a HIPAA covered entity or business associate – except for when exemptions apply or when a state law has more stringent privacy requirements.

Standards relevant to sending, receiving, and storing emails in compliance with HIPAA can be found throughout the HIPAA Administrative Simplification Regulations. The areas of the HIPAA Regulations with the most significance to the HIPAA email rules are the General Administrative Requirements, the Security Rule, and the Privacy Rule.

The General Administrative Requirements (Part 160) contain standards explaining who is required to comply with HIPAA (and, by extension, with the HIPAA email rules), defining Protected Health Information (PHI), and stipulating that HIPAA preempts state laws unless a state law has more stringent privacy protections or provides individuals with more control over their data.

The Security Rule (Part 164, Subpart C) contains standards relating to ensuring the confidentiality, integrity, and availability of PHI sent, received, or stored electronically. In addition to complying with all applicable Administrative, Physical, and Technical Safeguards of the Security Rule, covered entities and business associates must also:

  • Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI.
  • Protect against any reasonably anticipated uses or disclosures of PHI not permitted or required by the Privacy Rule.
  • Ensure workforce compliance with the Security Rule via HIPAA training and the effective use of a sanctions policy.

The Privacy Rule (Part 164, Subpart E) contains standards governing the permitted and required uses or disclosures of PHI, exemptions to the standards, and the conditions under which covered entities can disclose PHI to third party service providers as business associates. In the context of the HIPAA email rules, business associates include email service providers.

There are other areas of the regulations that can impact the content of a HIPAA email policy (e.g., the requirement to send breach notifications by post even if a covered entity has an individual’s email address). However, because different covered entities operate in different ways, it is best to focus on the areas that most commonly impact the content of a HIPAA email policy so that covered entities and business associates can develop policies relevant to their own operations.

When Do the HIPAA Email Rules Apply?

The HIPAA email rules apply when an individual or organization that qualifies as a covered entity or a business associate sends, receives, or stores an email containing Protected Health Information (PHI). It is important to be aware that not all healthcare providers qualify as HIPAA covered entities, and not all information about patients qualifies as PHI.

While it might be easier to develop and monitor compliance with a HIPAA email policy that treats every email as covered by the HIPAA email rules, this can be counterproductive and can itself create security risks. For example, a member of the workforce who does not have the permissions needed to access PHI may have to interrupt a colleague’s work to obtain an email address from a protected database, or may borrow that colleague’s login credentials to access the database themselves.

For these reasons it is best to understand who is covered by HIPAA and when information about patients is not protected by HIPAA, and to develop policies for each type of use – notwithstanding that some states have privacy laws with more stringent “affirmative opt-in” rules than HIPAA. In such cases, although sending a patient an email for a purpose permitted by HIPAA would not violate the HIPAA email rules, it may violate a state privacy law.

Security Rule HIPAA Compliance for Email

Security Rule HIPAA compliance for email can take various forms depending on the type of email service used. For example, covered entities that use on-premises email servers are required to comply with all applicable Physical Safeguards, whereas the responsibility for physical security belongs to an email service provider when a third party service such as Microsoft Office, Google Workspace, or Paubox is used to send and receive emails.

In addition, because of the standard requiring covered entities and business associates to protect against reasonably anticipated threats and impermissible disclosures, it may be necessary to implement measures beyond those required by the Administrative, Physical, and Technical Safeguards to ensure HIPAA compliance for email. For example, if there is a risk of data theft by an insider, it may be necessary to implement Data Loss Prevention tools.

With regards to protecting PHI in transit, the Security Rule’s “flexibility of approach” means there is no one-size-fits-all HIPAA email encryption requirement. Covered entities can choose to protect PHI in transit by deploying TLS encryption (which encrypts the connection), S/MIME encryption (which encrypts the content of each email), or a proprietary encryption solution that overcomes the challenges of non-delivery due to incompatible encryption protocols.
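The TLS option above protects PHI only if the sending system refuses to fall back to plaintext when the receiving server does not offer encryption. The following Python script is an added illustration of that fail-closed behaviour and is not code from the original article or from any vendor it names. It uses the standard library smtplib and ssl modules; the host, port and message contents are hypothetical, and the EHLO feature sets used in the demo are constructed to mirror the shape of smtplib’s esmtp_features dictionary.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Policy decision kept separate from network I/O so it can be exercised on
# constructed EHLO feature sets (dict shape mirrors smtplib.SMTP.esmtp_features).
def transport_allowed(esmtp_features, require_tls=True):
    """Return True if message data may be sent over a connection advertising these features."""
    offers_starttls = "starttls" in {name.lower() for name in esmtp_features}
    if offers_starttls:
        return True
    # No STARTTLS: only acceptable when the policy explicitly tolerates plaintext.
    return not require_tls


def minimum_tls_met(version_name, floor=(1, 2)):
    """Check a negotiated protocol name such as 'TLSv1.3' against a version floor.
    Anything that is not TLS (e.g. 'SSLv3') or is below the floor is rejected."""
    if not version_name or not version_name.startswith("TLSv"):
        return False
    parts = version_name[len("TLSv"):].split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) >= floor


def send_phi_email(host, port, msg, require_tls=True):
    """Deliver msg over SMTP, upgrading to TLS before any message data is sent.
    Raises RuntimeError instead of silently falling back to plaintext."""
    # Default context verifies the server certificate chain and hostname.
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not transport_allowed(smtp.esmtp_features, require_tls):
            raise RuntimeError(
                f"{host}:{port} does not offer STARTTLS; refusing plaintext delivery"
            )
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            smtp.ehlo()  # re-issue EHLO after the TLS upgrade; extensions may differ
            negotiated = smtp.sock.version()
            if not minimum_tls_met(negotiated):
                raise RuntimeError(f"negotiated {negotiated} is below the TLS 1.2 floor")
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed EHLO responses: one server offers STARTTLS, one does not.
    tls_capable = {"size": "35882577", "starttls": "", "8bitmime": ""}
    plaintext_only = {"size": "35882577", "8bitmime": ""}
    print("TLS-capable server, strict policy:", transport_allowed(tls_capable))
    print("Plaintext-only server, strict policy:", transport_allowed(plaintext_only))
    print("Plaintext-only server, relaxed policy:", transport_allowed(plaintext_only, False))
    print("TLSv1.3 meets floor:", minimum_tls_met("TLSv1.3"))
    print("TLSv1 meets floor:", minimum_tls_met("TLSv1"))

    # Hypothetical message; send_phi_email is not invoked here because no mail
    # server is assumed to be reachable when the script is run offline.
    msg = EmailMessage()
    msg["From"] = "clinic@example.com"
    msg["To"] = "physician@example.net"
    msg["Subject"] = "Referral"
    msg.set_content("Hypothetical referral body.")
```

The two checks that matter for a HIPAA email policy are the ones that raise: the sender never transmits message data unless STARTTLS was advertised and a TLS version at or above the configured floor was actually negotiated. That is the trade-off the paragraph alludes to: a strict policy can cause non-delivery to servers that cannot negotiate TLS, which is exactly when a content-level option such as S/MIME or a vendor solution becomes relevant.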

HIPAA Compliance and Email Communications

With regards to the Privacy Rule, the challenges of HIPAA compliance and email communications can also differ depending on the nature of an organization’s operations. This is because, even if a covered entity complies with all applicable Security Rule requirements, the reason for PHI being sent in an email has to be covered by the standards relating to permissible uses and disclosures – or require consent or authorization by the subject of the PHI.

In addition, some permissible reasons for PHI being sent in an email are subject to the minimum necessary standard, while others are not. This means that emails sent to a business associate can only contain the minimum necessary PHI to achieve the purpose of the disclosure, while emails sent to (for example) a physician with whom the patient has a direct treatment relationship can contain the patient’s entire medical history.

Because of the different circumstances under which it is permissible to send PHI in an email, the circumstances in which the minimum necessary standard applies, and the circumstances in which a patient’s consent may be necessary before any PHI is sent in an email, it is important that all members of the workforce receive training on the organization’s HIPAA email rules, that compliance with the rules is monitored, and that sanctions are imposed when necessary.

Conclusion: Conduct a Risk Assessment

Because there are no one-size-fits-all HIPAA email rules, it is necessary for each covered entity and business associate to conduct a risk assessment in order to identify reasonably anticipated threats, hazards, and impermissible disclosures and implement measures to reduce the risks to an acceptable and reasonable level. Organizations that require assistance conducting an email risk assessment are advised to seek advice from a compliance professional.