When you think of email from a business standpoint you think of company announcements, junk mail, co-worker problem solving, and reminders that it's Jane's birthday. It is easy to get caught up in the flow of the business and overlook the full functions of this tool that you use every day. This is even more true in health care, because the focus tends to lean more on patient satisfaction than on the technical aspects in the background. This is why email often gets overlooked when it comes to HIPAA compliance.
Thanks to the guidelines and regulations set by HIPAA, this vital tool to your practice must be considered when assessing compliance. Now, the series of questions you may have probably looks like this:
Before these questions can be addressed you must first address how your company uses email. Essentially, if you are emailing electronic personal health information (ePHI) for whatever reason you must be HIPAA compliant. The guidelines for compliance vary by how you are emailing and to whom you are emailing, but there are guidelines to follow regardless of which method you are using.
Your email MUST be HIPAA compliant if:
*NOTE: In this instance, you do not need to comply with the email encryption requirement, but your email must still comply with other HIPAA safeguards within your network.
So basically, as a HIPAA covered entity, there are HIPAA regulations you must follow if you are using email in pretty much any capacity within your organization.
Now that the usage has been defined, let's look at HIPAA for a second. According to HIPAA regulations, depending on the way you are using email, there are several things that need to be considered and actions to take that make compliance possible. Whether you host your own email server or use a hosted email provider, there are actions to be taken.
HIPAA covered entities using email in ANY capacity must take the following actions:
See HIPAA Administrative Simplification § 164.312(c)(2)(ii).
It is also important to note that if email is used to communicate with patients, no matter which method you are choosing, the practice needs signed consent from the patient as well as documentation that you informed them of the potential risks prior to doing so.
In addition to the above requirements, an additional encryption requirement applies if you host email on an internal server and are sending ePHI outside of your network, or if there is no firewall in place.
Specific HIPAA requirements also apply if you utilize email hosted through a third-party email provider (e.g. Microsoft Office 365, Google G Suite, GoDaddy, etc.).
Most hosted email providers are not HIPAA compliant out of the box, but many can be used in a compliant way with appropriate configuration and training. The necessary configurations and settings vary per provider, but most hosted email solutions offer a range of security settings and configurations. All HIPAA-applicable email security settings must be turned on and configured appropriately. These settings are typically not set for HIPAA compliance by default, and the necessary configurations are unique to the organization.
In addition to turning on appropriate security settings and configurations, the following requirements also apply in a hosted email setting:
As with all HIPAA regulations, email compliance is not black and white. It depends on the unique risks within your policies, procedures, systems, and uses within your practice or business. HIPAA places the burden of responsibility on you to understand your own risks and implement the appropriate HIPAA guidelines to adequately mitigate those risks.
These are the email-applicable HIPAA guidelines, but how you adopt them is unique to your own risks. Your HIPAA risk analysis is the best tool to identify your risks, identify the applicable regulations, and determine how you must address those risks.
These steps can take time to implement, and if you are uncertain whether the steps you are taking are compliant, it is always best to reach out to your legal and/or IT team.