The Bottom Line on HIPAA Compliance and Your Email  | HIPAA Compliance for Medical Practices | Scoop.it

Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.

 

Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:

 

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

 

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, the 45 CFR § 164.530(c) that they referenced is just a citation for a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

The 45 CFR Part 164, Subpart C, which HHS referenced above is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

  • Access control
    Only those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.
  • Unique user identification and identity verification
    Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.
  • Data integrity
    Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.
  • Encryption and decryption
    A mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.
  • Transmission security
    Technical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.