HIPAA Compliance for Email

Standards relevant to HIPAA compliance for email appear throughout the HIPAA Administrative Simplification Regulations – from the applicability and preemption standards of Part 160 (the General Requirements) to the privacy, security, and breach notification standards of Part 164. Due to the potential complexities of HIPAA email compliance, this article discusses:

  • Who do the HIPAA email rules apply to?
  • Preemptions and exclusions to HIPAA email compliance
  • HIPAA email policies and the Privacy Rule
  • Security standards for HIPAA compliant email
  • What are the HIPAA email encryption requirements?
  • HIPAA compliance for email breach notifications

Who do the HIPAA Email Rules Apply to?

The HIPAA email rules apply to individuals and organizations that qualify as HIPAA covered entities or business associates. Most – but not all – health plans, health care clearinghouses, and healthcare providers qualify as HIPAA covered entities, while third party service providers to covered entities qualify as business associates when the service provided for or on behalf of a covered entity involves uses or disclosures of Protected Health Information (PHI).

However, the HIPAA email rules only apply to HIPAA covered entities and business associates when PHI is created, received, stored, or transmitted by email. If – for example – a covered entity sends an email that does not include PHI, the standards relevant to HIPAA compliance for email do not apply. Similarly, if a prospective patient submits a contact form by email that does not include PHI, the HIPAA email rules do not apply to the contact form or the email.

Preemptions and Exclusions to HIPAA Email Compliance

In all applications of HIPAA, the HIPAA Rules apply unless a provision of state law has more stringent requirements or provides more individual rights than the equivalent HIPAA standard. This is relevant to HIPAA email compliance because, in 2008, the Department of Health and Human Services (HHS) issued guidance stating: “Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume […] that e-mail communications are acceptable to the individual.”

However, several subsequently passed state laws have adopted “affirmative opt-in” requirements. These requirements mean a covered entity or business associate must obtain an individual’s clear consent before communicating with them by email. States in which these requirements preempt HIPAA include Connecticut, Colorado, Texas, Tennessee, Virginia, Utah, Montana, Iowa (from January 2025), and Indiana (from January 2026).

In addition, under §164.522(b) of the Privacy Rule individuals have the right to request confidential communications by alternative means. If the requests are reasonable, covered entities are required to comply with them – even if this means covered entities cannot comply with the HIPAA email compliance requirements. In such circumstances, covered entities should warn individuals of the risks, request written consent, and document both the warning and the consent.

HIPAA Email Policies and the Privacy Rule

Many sources of information discussing HIPAA compliance for email tend to focus on the requirements of the Security Rule. However, it is important not to overlook Privacy Rule compliance requirements. The Privacy Rule is relevant because it defines what is considered PHI under HIPAA and lists the permissible uses and disclosures of PHI – important standards when developing HIPAA email policies for members of the workforce.

HIPAA email policies should be covered in general HIPAA training rather than in security awareness training because of the frequency with which members of the workforce may email patients, each other, or members of other covered entities’ workforces. The provision of training on HIPAA email policies will benefit general HIPAA compliance as members of the workforce will be more conscious of requirements such as the minimum necessary standard.

Other areas of the Privacy Rule which may influence HIPAA compliance for email include the requirements for Business Associate Agreements. The Privacy Rule requirements (in §164.502 and §164.504) stipulate what must be included in a Business Associate Agreement for the Agreement to be in compliance with HIPAA, whereas the standards relating to Business Associate Agreements in the Security Rule just require that an Agreement is in effect.

Security Standards for HIPAA Compliant Email

The security standards for HIPAA compliant email require covered entities and business associates to implement access controls, audit controls, integrity controls, ID authentication, and transmission security mechanisms. These serve to restrict access to PHI, monitor how PHI is communicated via email, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access while in transit.

In addition, if PHI is stored in emails, covered entities and business associates should adopt an email archiving and retention system that ensures they are able to respond to individuals’ access requests and Accounting of Disclosure requests within the timeframe specified under the Privacy Rule (currently 30 days). This may require the adoption of an external HIPAA compliant archiving and retention service in addition to a HIPAA compliant email provider.

As well as the implementation specifications mentioned above, some requirements – such as maintaining an audit trail and preventing the improper modification of PHI – can be complex to resolve. So, although an email system can be compliant at a point in time, ongoing compliance may require significant IT resources and a continuing monitoring process to ensure authorized users are communicating PHI in adherence with HIPAA email policies.

What are the HIPAA Email Encryption Requirements?

The HIPAA email encryption requirements are that a mechanism must be implemented to encrypt and decrypt electronic PHI at rest, and technical security measures must be implemented to guard against unauthorized access to electronic PHI transmitted over a communications network. Although these are “addressable” implementation specifications, they must be implemented unless equally effective measures are implemented in their place.

Due to technological advances, the encryption mechanisms and security measures that existed when the Security Rule was first published (the DES algorithm, for example) are long out of date. Covered entities and business associates are advised to follow the latest guidelines on electronic mail security published by the National Institute of Standards and Technology (NIST) which, in the context of HIPAA compliance for email, can be found in SP 800-45 Version 2.

While the NIST guidelines clarify the HIPAA email encryption requirements, they can raise challenges about which type(s) of encryption to adopt. For example, TLS encrypts the communication channel while emails are in transit between mail servers, but not the content of the email itself (which sits in plain text on each server along the way), whereas S/MIME encrypts the content of the email end to end – which also makes any malware inside it invisible to email filters. In many cases, it may be necessary to adopt more than one type of encryption mechanism or security measure.
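The distinction above (transport encryption per SMTP hop versus content encryption of the message body) can be checked on stored messages. The following is an added example, not code from the HIPAA Journal: it inspects the Received: headers for hops that negotiated TLS and the Content-Type header for an S/MIME envelope, and reports any gaps. The sample messages, hostnames, and ids are constructed for illustration.

```python
import email
import re
from email import policy

# A hop that negotiated TLS is logged "with ESMTPS"/"ESMTPSA" and/or with a "version=TLS..." clause.
_TLS_HOP = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b|\bversion=TLS|\bTLSv1", re.I)


def audit_message(raw: str) -> dict:
    """Report which encryption layers protected one stored message and list the gaps."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = msg.get_all("Received") or []
    # Folded header lines are re-joined by the parser; collapse whitespace before matching.
    tls_hops = sum(1 for h in hops if _TLS_HOP.search(" ".join(str(h).split())))
    # Content encryption (S/MIME enveloped data) is visible in the Content-Type header.
    smime_type = (msg.get_param("smime-type") or "").lower()
    content_encrypted = (msg.get_content_type() == "application/pkcs7-mime"
                         and smime_type in ("enveloped-data", "authenveloped-data"))
    gaps = []
    if not hops:
        gaps.append("no Received: headers; transport protection cannot be assessed")
    elif tls_hops < len(hops):
        gaps.append(f"{len(hops) - tls_hops} of {len(hops)} SMTP hops show no TLS")
    if not content_encrypted:
        gaps.append("body is not S/MIME enveloped; confidentiality relies on TLS alone")
    return {"hops": len(hops), "tls_hops": tls_hops, "content_encrypted": content_encrypted, "gaps": gaps}


# Constructed sample: TLS on the external hop only, plain-text body.
SAMPLE_TLS_ONLY = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
    by relay.example.net with ESMTPS id 4Xy1
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384)
Received: from desk-07.clinic.example ([10.0.0.7]) by mx.clinic.example with ESMTP id 2Ab9
From: records@clinic.example
To: patient@example.org
Content-Type: text/plain; charset=us-ascii

Your appointment is confirmed.
"""

# Constructed sample: S/MIME enveloped body sent over a TLS hop (payload is a placeholder, not real CMS data).
SAMPLE_SMIME = """\
Received: from mx.clinic.example by relay.example.net with ESMTPS id 7Qz3
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m

PLACEHOLDERBASE64==
"""
```

Run over an archive, the gap list shows which messages relied on transport encryption alone and which internal hops were delivered in the clear.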

HIPAA Compliance for Email Breach Notifications

Even when a covered entity or business associate has implemented all the required safeguards to support HIPAA compliance for email, it is still necessary to be aware of the breach notification requirements. §164.404(d) of the HIPAA Breach Notification Rule requires notifications to be sent to individuals by first class mail. It is only possible to notify individuals by email if they previously consented to receive “electronic notifications”.

The wording of the standard implies that, if an individual has affirmatively opted in to receive emails or requested communications by email, the document(s) used to obtain consent should note that the consent includes electronic notifications. If the consent document does not include the electronic notification requirement – or a notification email is sent to individuals who have not previously consented – this may be considered a HIPAA violation.

HIPAA compliance for email breach notifications is just one example of how covered entities and business associates can fall foul of the HIPAA email rules due to the potential complexities of HIPAA email compliance. If your organization is unsure of its HIPAA compliance for email, or requires assistance in adopting the necessary measures to comply with HIPAA, it is recommended you seek advice from a compliance professional.

HIPAA Compliance for Email FAQs

Why is it important to encrypt emails?

It is important to encrypt emails because unencrypted emails travel from sender to recipient in plain text. Along the way they “rest” on various servers and could be read by anyone with access to those servers or positioned on the network path (a man-in-the-middle), in the same way that email filters read messages to look for spam. Encrypting emails so they are unreadable by unauthorized persons is the best way to maintain the confidentiality of PHI.

Do I need to sign a BAA with my email service provider?

You do need to sign a BAA with your email service provider because email service providers have “persistent access” to ePHI, even when an email is encrypted. Please note that not all email services are willing to sign a BAA. For example, most free services will require you to subscribe to a business email service before entering into a BAA.

Is consent necessary to send PHI by email?

In most states, consent is not necessary to send PHI by email to patients, but it is recommended. HHS’ guidance states that if an individual provides a health care provider with an email address or initiates a communication by email, consent is implied. However, individuals should be warned of the risks of communicating PHI by email and the warning should be documented. In all other cases, consent should be sought before communicating PHI by email to patients.

What are the risks of communicating PHI by email?

There are several risks of communicating PHI by email other than the risk of unencrypted emails being intercepted. For example, emails sent to a patient may be viewed by family members if the patient leaves their mobile phone unattended, or by work colleagues if the email is sent to a work email address. Depending on the content of the email, this could be interpreted as a breach of individuals’ rights if consent has not been previously obtained.

What training do employees require regarding HIPAA compliance for email?

As well as email basics – such as checking that the email address is correct before clicking the send button – employees should be reminded that, even when emails are encrypted, the content of the email still has to comply with the Privacy Rule standards relating to permissible uses and disclosures and the Minimum Necessary Rule.

What are the HIPAA email rules for access and message accountability?

The HIPAA email rules for access and message accountability appear throughout the Administrative and Technical Safeguards of the Security Rule. These include (but are not limited to) unique user identifiers, login monitoring, access reports, automatic log-off, encryption, email backup/archiving, and the termination of credentials when a member of the workforce leaves.

Is email HIPAA compliant?

Email is HIPAA compliant provided all the necessary safeguards are in place to ensure the confidentiality, integrity, and availability of PHI, a Business Associate Agreement is signed with the email service provider, and members of the workforce are trained on email best practices to mitigate the risk of an email being misdirected. If communicating with a patient or plan member via email, it is also a best practice to obtain the recipient’s written consent before sending PHI by email.

What are the HIPAA email requirements?

The HIPAA email requirements (according to HHS guidance) are to apply reasonable safeguards when emailing PHI, comply with the minimum necessary standard, and ensure the transmission of electronic PHI is in compliance with the Security Rule. The guidance does not mention entering into a Business Associate Agreement with an email service provider, but this is one of the most important HIPAA email requirements whenever emails containing PHI are sent to any recipient.

What is HIPAA email compliance?

HIPAA email compliance means complying with the applicable standards of the HIPAA Administrative Simplification Regulations developed to protect the privacy of individually identifiable health information communicated in an email and to ensure the confidentiality, integrity, and availability of the email. Compliance with these standards does not guarantee the content of an email will remain secure, but it will mitigate the risk of impermissible disclosures and breaches of unsecured PHI.

Is it a HIPAA violation to email PHI?

It can be a HIPAA violation to email PHI if the necessary and appropriate safeguards have not been put in place to protect the privacy of PHI and comply with the Security Rule. Even if these safeguards are in place, HIPAA violations can still occur if an email contains more than the minimum necessary PHI to achieve the purpose of the email or if account credentials are misused to transmit PHI for an impermissible purpose.

Should all emails include a HIPAA compliance email disclaimer?

Emails can include a HIPAA compliance email disclaimer, but it won’t absolve the sender of a HIPAA violation if an email containing PHI is sent to the wrong recipient. Consequently, although a HIPAA email disclaimer may help reassure genuine recipients that an organization complies with the Privacy and Security Rules, it serves no other worthwhile purpose.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
