HIPAA-Compliant Email Communication
Learn about security measures and best practices organizations should take to ensure HIPAA-compliant email communication
Email is a quick and easy way to communicate electronically, but it is not secure by default. That is why it is essential to ensure security measures to protect sensitive information transmitted by emails are in place. Let’s see two examples of how a patient’s data privacy and security can be compromised due to insufficient email protection measures.
In May 2021, Lafourche Medical Group, specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach involving the protected health information (PHI) of 34,862 individuals. A hacker gained access to a corporate email account containing sensitive patients’ data following a response to a phishing email that spoofed one of the medical group’s owners.
As the investigation found, Lafourche Medical Group had not conducted a security risk assessment (required by the HIPAA Security Rule, 45 C.F.R. § 164.308(a)) and had not implemented procedures to regularly review records of information system activity (45 C.F.R. § 164.308(a) of the same Rule). Insufficient implementation of the HIPAA Security Rule safeguards cost Lafourche Medical Group a $480,000 penalty, the first HIPAA penalty resulting from a phishing attack investigation.
In July 2023, an Eastern Connecticut Health Network employee sent an email containing the PHI of 912 patients to multiple recipients without using the blind carbon copy (BCC) function, which conceals each recipient's address from all other recipients. The Eastern Connecticut Health Network reported the incident correctly and committed to retraining employees on proper email protocol and protecting sensitive data.
Let’s examine what HIPAA-compliant email communication should look like and what security measures organizations should take to ensure the security of patients' PHI.
What is a HIPAA-Compliant Email?
HIPAA-compliant email is email in which senders properly protect patients’ privacy and ensure the confidentiality, integrity, and availability of their PHI. The examples above demonstrate HIPAA noncompliance in healthcare email communication practices. The first demonstrates a lack of proper employee training and phishing attack prevention and, quite possibly, of sufficient authentication. The second shows how a lack of awareness of email protocols compromised the confidentiality of PHI.
IMPORTANT! HIPAA-compliant email does not mean a fully secure and untouchable email. HIPAA compliance does not ensure you or your employees will never fall victim to a phishing attack, email compromise, or human error. Rather, it sets a minimum standard for securing email communications and helps mitigate the risks of impermissible disclosures and breaches of unsecured PHI.
The HIPAA Security Rule does not stipulate the requirements for a HIPAA-compliant email. Instead, relevant standards and implementation specifications regulate PHI handling and transmission via all communication channels, including emails.
So, let’s dive deeper into the requirements for making your email HIPAA-compliant.
The Security Rule and HIPAA Email Compliance
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI). Let’s review these safeguards and see what they say about HIPAA-compliant email communication.
Administrative safeguards for a HIPAA-compliant email
These HIPAA administrative safeguards involve policies, procedures, and processes that manage the selection, development, implementation, and maintenance of security measures to protect ePHI. Here are key administrative safeguards to consider:
- granting appropriate email account access to workforce members (e.g., users, team leaders, admins, etc.);
- establishing procedures to revoke email account access for workforce members when they leave the organization;
- conducting security awareness training for all workforce members, especially addressing secure email use and phishing attack recognition;
- creating procedures for reporting phishing attacks, login credential disclosures, and other email security incidents;
- developing and testing procedures for email backup and retrieval, emergency mode operations, and disaster recovery plans;
- ensuring that Business Associate Agreements are in place with email service providers.
Read more about HIPAA administrative safeguards to protect PHI.
Physical Safeguards for HIPAA Email Compliance
The HIPAA Physical Safeguards are highly significant for covered entities and business associates who host their email servers on-premises. Those who subscribe to hosted email services such as Google Workspace or Microsoft 365 can relax. Under the shared responsibility model, service providers are responsible for complying with the physical HIPAA email security requirements, such as controlling access to where the mail server is stored, managing maintenance records for mail servers, and ensuring continuity of service during a disaster or emergency. HIPAA-compliant hosted email service providers may also be responsible for the physical security of email backups and archives.
Whether an email service is hosted internally or outsourced to a service provider, covered entities and business associates must:
- create and maintain an inventory of devices that can access emails containing PHI;
- restrict physical access to devices that can access emails with PHI whenever practical;
- ensure devices used in public areas are positioned to prevent unauthorized users from viewing emails containing PHI;
- monitor the receipt, removal, and movement of devices with access to emails.
Read more about HIPAA physical safeguards to protect PHI.
Technical Safeguards for HIPAA Email Compliance
Compliance with technical safeguards depends on the results of a HIPAA risk assessment, because the risk assessment identifies the areas of vulnerability, which vary across organizations, and thereby lets the organization implement the most appropriate technical safeguards for PHI. Common technical safeguards for HIPAA-compliant email communication include:
- proper user authentication, including strong passwords and multi-factor authentication;
- access authorization, ensuring that individuals can only access PHI necessary for their job roles;
- audit controls to monitor who accesses email accounts;
- integrity controls that ensure PHI in emails is not altered without authorization, for example through version control software;
- automatic logoff preventing unauthorized access to email accounts when devices are left unattended;
- encryption and transmission measures to protect the confidentiality and security of emails.
The HIPAA technical safeguards for email security are better explained below. Read more about HIPAA technical safeguards to protect PHI.
Best Practices to Ensure HIPAA Compliance in Email Communication
Encrypt emails and attachments properly
The HIPAA encryption requirements are only briefly mentioned within the Technical Safeguards of the Security Rule (45 CFR §164.312), yet they are among the most critical for preserving the confidentiality of electronic Protected Health Information (ePHI). Covered entities must encrypt all emails containing PHI in transit so that only the intended recipient and authorized personnel can access the messages. When emails are sent between different domains and service providers, end-to-end encryption cannot be guaranteed. Using a secure email option is the only way to ensure that the message is transmitted over encrypted channels.
Not all service providers offer encryption services, so using third-party encryption services is a common practice. They offer advanced encryption capabilities and generally use the highest encryption standards.
Note that even when using encryption, never include PHI in the subject line of an email. This is because subject lines cannot be encrypted, and therefore when providers put PHI in an email subject line, they risk the PHI being viewed by an unauthorized individual.
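The two email-handling mistakes discussed on this page, PHI in a cleartext subject line and a patient list placed in To/Cc instead of BCC, can both be caught before a message leaves the organization. The following pre-send policy check is an added example written for this article; it is not Planet 9 code and not part of any mail product. The organization domain, the PHI patterns (SSN, a made-up MRN format, DOB), the recipient threshold and the sample messages are all constructed assumptions; a real deployment would tune the patterns to its own identifier formats.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: recipients at this domain are internal and are not counted as "external".
ORG_DOMAIN = "clinic.example"

# Constructed, illustrative patterns for identifiers that often appear in PHI.
# Dictionary order matters only for the order of the findings reported.
PHI_SUBJECT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

# More than this many external addresses visible in To/Cc means "should have used Bcc".
MAX_VISIBLE_EXTERNAL = 1


def check_outbound(raw_message):
    """Return a list of policy violations for one outbound message (empty list = OK)."""
    msg = message_from_string(raw_message)
    violations = []

    # 1. The Subject header is sent in cleartext even when the body is encrypted,
    #    so PHI must never appear there.
    subject = msg.get("Subject", "")
    for name, pattern in PHI_SUBJECT_PATTERNS.items():
        if pattern.search(subject):
            violations.append(f"subject contains possible PHI ({name})")

    # 2. Every To/Cc recipient can see every other To/Cc recipient; Bcc recipients
    #    are hidden. A bulk mailing to patients must therefore use Bcc.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = [addr for _, addr in visible
                if addr and not addr.lower().endswith("@" + ORG_DOMAIN)]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        violations.append(
            f"{len(external)} external recipients in To/Cc; use Bcc for bulk mail")
    return violations


# Constructed sample messages (not real traffic).
BAD_MESSAGE = """From: nurse@clinic.example
To: patient1@example.com, patient2@example.com, patient3@example.net
Subject: Lab results for MRN 00123456
Content-Type: text/plain

Please see your results attached.
"""

GOOD_MESSAGE = """From: nurse@clinic.example
To: nurse@clinic.example
Bcc: patient1@example.com, patient2@example.com
Subject: Appointment reminder
Content-Type: text/plain

Your appointment details are in the attached encrypted document.
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        print(label, check_outbound(raw) or "no violations")
```

The check is meant to run in a mail gateway or submission hook, where a violation blocks the send and tells the user why; it deliberately inspects only headers, so it works even when the body is already encrypted.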
Implement strong authentication and authorization
To ensure HIPAA compliance for email services, implement strong authentication through two-factor or multi-factor authentication and enforce complex password policies. Apply role-based access control (RBAC) to restrict access based on job responsibilities. Enable detailed activity logging and employ automated monitoring tools to detect anomalies and unauthorized access attempts. These measures enhance email security and protect ePHI, ensuring that the email service meets HIPAA requirements and maintains the integrity of organizational communications.
Install anti-phishing software
Anti-phishing software is designed to detect and prevent phishing attacks. It employs a combination of techniques, including URL and content analysis, email filtering, behavioral monitoring, machine learning, and other tools.
For example, anti-phishing software integrates with email systems to filter out phishing emails, often using spam filters and machine learning algorithms. It analyzes the links in emails for signs of phishing, such as redirects to suspicious websites or URLs that resemble legitimate sites but have slight misspellings (e.g., “paypa1.com” instead of “paypal.com”).
The software can check URLs against a database of known malicious (blacklist) and trusted (whitelist) websites and analyze URLs for suspicious domain names, the use of IP addresses instead of domain names, unusual URL patterns, and other malicious patterns.
Anti-phishing software also performs behavioral analysis and detects unusual activity patterns, such as logging into a website from a new location or device.
All these functions, in combination with AI and machine learning, immediate alerts, user blocking, and reporting, make anti-phishing software a powerful tool for securing sensitive emails.
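To make the URL analysis described above concrete, here is an added example (written for this article, not code from any anti-phishing product) that extracts the links from a message body and applies three of the checks mentioned: a raw IP address used as the host, a blocklist/allowlist lookup, and a lookalike test that undoes common digit-for-letter swaps (so “paypa1.com” is recognised as an imitation of “paypal.com”) or spots a trusted brand name hidden as a subdomain of another domain. The blocklist, allowlist, homoglyph table and sample body are constructed; a real deployment would use a maintained threat-intelligence feed and a proper public-suffix list.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed lists; production code would load these from a maintained feed.
BLOCKLIST = {"login-verify-now.example", "secure-update.example"}
ALLOWLIST = {"paypal.com", "clinic.example", "microsoft.com"}

# Digits commonly substituted for letters in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable(host):
    """Crude registrable domain ('www.example.com' -> 'example.com').
    Assumption: no multi-label public suffixes such as co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the list of reasons a URL looks suspicious (empty list = no finding)."""
    host = urlparse(url).hostname or ""
    reasons = []
    if is_ip_host(host):
        reasons.append("raw IP address instead of a domain name")
        return reasons

    domain = registrable(host)
    if domain in BLOCKLIST:
        reasons.append("domain on blocklist")
    if domain in ALLOWLIST:
        return reasons  # trusted domain: nothing more to check

    # Lookalike test: after undoing digit-for-letter swaps, is it a trusted domain?
    normalized = domain.translate(HOMOGLYPHS)
    brand_labels = {trusted.split(".")[0] for trusted in ALLOWLIST}
    labels = host.lower().split(".")
    if normalized in ALLOWLIST and normalized != domain:
        reasons.append(f"lookalike of trusted domain {normalized}")
    elif any(label.translate(HOMOGLYPHS) in brand_labels for label in labels[:-2]):
        # e.g. paypal.com.secure-update.example: the brand is only a subdomain label
        reasons.append("trusted brand name used as a subdomain of another domain")
    return reasons


def scan_email_body(body):
    """Map every URL found in the body to its list of findings."""
    return {url: classify_url(url) for url in URL_RE.findall(body)}


# Constructed sample phishing-style body for demonstration.
SAMPLE_BODY = """Your account has been limited. Confirm now at http://paypa1.com/verify
or use http://192.0.2.10/login . Our portal remains https://clinic.example/patients
and the update site https://paypal.com.secure-update.example/reset"""

if __name__ == "__main__":
    for url, findings in scan_email_body(SAMPLE_BODY).items():
        print(url, "->", findings or "clean")
```

A gateway would feed the findings into its scoring rather than block on any single reason; the allowlist short-circuit is what keeps legitimate internal links from generating noise.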
Learn more tips to fight against phishing.
Implement SPF, DKIM, and DMARC policies
SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are three key policies used to improve email security and protect against phishing and spoofing attacks. They authenticate email senders by verifying that a message really comes from the domain it claims to come from, which makes them important for preventing spam, phishing attacks, and other email security risks.
- SPF helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on behalf of their domain.
- DKIM provides a way to verify that an email message was sent from an authorized mail server and that the message content was not altered in transit.
- DMARC builds on SPF and DKIM by providing a mechanism for domain owners to publish policies on how to handle emails that fail SPF and/or DKIM checks. It also enables reporting on email authentication results.
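The following added example (written for this article, not code from any mail server or DNS library) shows how a receiving mail server combines the three mechanisms: it evaluates a sending IP against the sender domain's SPF record, reads the domain's DMARC policy, tests whether the SPF- or DKIM-authenticated domain is aligned with the visible From domain under the record's strict or relaxed alignment tags, and derives the disposition (deliver, quarantine or reject). DNS lookups are replaced by a constructed in-memory table of TXT records; only the `ip4` and `include` SPF mechanisms are implemented, and DKIM signature verification itself is assumed to have already produced a pass/fail result.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups (e.g. dns.resolver in production).
DNS_TXT = {
    "clinic.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "bulk.clinic.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "mailer.example": "v=spf1 ip4:198.51.100.25 -all",
    "_dmarc.clinic.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@clinic.example",
}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record (ip4 and include mechanisms only).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # RFC 7208 caps include lookups at 10
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            if check_spf(term[8:], sender_ip, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
        # other mechanisms (a, mx, ...) are ignored in this simplified evaluator
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC record of domain as a tag dict, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    """Organizational domain; assumption: no multi-label public suffixes."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for a message with the given SPF/DKIM outcomes."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none", "deliver"  # no DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")


def authenticate(from_domain, envelope_domain, sender_ip, dkim_result, dkim_domain):
    """Full receive-side decision: SPF on the envelope (MAIL FROM) domain, then DMARC."""
    spf = check_spf(envelope_domain, sender_ip)
    return evaluate_dmarc(from_domain, spf, envelope_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    # Legitimate mail from the clinic's own range, a spoof from an unrelated server,
    # and mail from a subdomain that passes only because aspf is relaxed.
    print(authenticate("clinic.example", "clinic.example", "192.0.2.7", "none", ""))
    print(authenticate("clinic.example", "attacker.example", "203.0.113.5", "none", ""))
    print(authenticate("clinic.example", "bulk.clinic.example", "203.0.113.9", "none", ""))
```

The point worth noticing is the last two cases: a forged From header fails because neither SPF nor DKIM authenticates a domain aligned with `clinic.example`, and the `p=reject` policy turns that failure into a rejection, while `adkim=s` means a DKIM signature from `news.clinic.example` would not rescue a message that claims to be from the parent domain.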
Ensure your email service is configured correctly
Even with the most reliable email service providers, there is always a risk of misconfigurations that may lead to non-compliance and inadvertent violations of the HIPAA Rules. Proper configuration is always the customer’s responsibility. Verify that the email service offers features like encryption, access controls, audit logs, and data backups.
HIPAA-compliant email providers like Google and Microsoft assist covered entities by offering implementation guides to ensure their services support HIPAA compliance. So, read those guides carefully to configure your email services properly.
Ensuring HIPAA-compliant email communication with Planet 9 HIPAA compliance services
HIPAA-compliant email communication is only a part of an organization’s overall HIPAA compliance. Planet 9 can help address overall HIPAA compliance, including your email communication. Our experts can:
- evaluate HIPAA compliance to identify the administrative, physical, and technical safeguards in place;
- identify compliance gaps that may lead to HIPAA violations;
- perform a risk analysis to identify specific risks to PHI;
- develop a roadmap for addressing the identified compliance gaps and risks;
- assist the client in executing the roadmap.
Depending on the expertise and availability of the client’s internal resources, Planet 9 can implement the entire roadmap, position the client to execute it independently, or supplement the client’s team.
Contact Planet 9 to learn more about HIPAA compliance.