HIPAA compliant email is at the heart of modern medical practices. It makes administrative processes more efficient and saves time by automating communication (such as reminding patients about appointments).
Emails also help both the provider and the patient stay connected. A staggering 93% of adult patients prefer to communicate with physicians through email!
HIPAA regulations kick in as soon as you send Protected Health Information (PHI) via email. You have to be very careful, because HIPAA violations bring a lot of trouble.
So this raises the question: is email HIPAA compliant?
Email can be made HIPAA compliant, but you need to be careful and do it the right way.
The big mistake we see a lot of practices make is that they sign up for a “HIPAA compliant email service” and think their problem is solved. But it’s not that easy, as we’ll cover in this article.
Here’s another big mistake we see all the time: practices buy “secure email” and assume that they’re HIPAA compliant.
Some "secure email" services are HIPAA compliant, but not all.
"Secure" usually means that the service uses encryption (covered below). But HIPAA compliance demands much more than encryption.
Most email providers these days offer some level of encryption as part of their standard package. But there’s a big difference between the kind of encryption that’s available for free and the kind you need in a HIPAA compliant email service.
What’s email encryption?
Encryption is a data protection tool used to shield sensitive data from prying eyes. It uses cryptography to encode raw data. So even if your email is intercepted, hackers won't be able to read it as it'll look like gibberish. This article has an excellent example of HIPAA email encryption.
Ultimately, your annual HIPAA risk analysis will help you to decide what you need to do to make your email HIPAA compliant.
In our work with practices, we typically look for email systems that check all of these boxes. We think of these as the nine must-have HIPAA email rules:
Other HIPAA compliant email best practices?
Also, it's a good idea (though not required) to get the patient to give you written consent to email them.
Lastly, add a message to each email's footer reminding patients that email is inherently insecure.
The bottom line is this. More than half of the HIPAA email rules above involve encryption. If you want to make your email HIPAA compliant, encryption is critical.
What is email encryption?
Emails are encrypted in several ways, at various points in the communication process. For complete email encryption, messages have to be encrypted when they are moving from your inbox to the patient's inbox. Encryption is required when messages are stored on a desktop or on a private cloud. HIPAA also demands that emails downloaded onto computers and smartphones are encrypted.
To satisfy regulatory compliance you need to have end-to-end encryption. So practices must take reasonable steps to secure PHI on their computers. They also have to ensure protection when an email is sent all the way to the recipient’s inbox.
True end-to-end email encryption means if a hacker gets lucky and manages to intercept one of your emails, they won't be able to read it. The same applies to sensitive files saved on your computer or stored on a cloud.
Here are crucial tips to make sure that you’re using a HIPAA compliant email service.
The services listed below CAN be made HIPAA compliant with the right setup:
Free Gmail (@gmail.com) accounts can never be made HIPAA compliant. But Gmail in the paid version of Google email, Google Workspace, registered under a custom domain, can be set up to be HIPAA compliant.
But is Outlook HIPAA compliant? Like Gmail, the free version of Outlook.com can never be made HIPAA compliant. But a paid version of Microsoft 365 (registered under a domain) can be set up to send and receive encrypted emails.
You might also be wondering, ‘Is Yahoo Mail HIPAA compliant?’ Or maybe, ‘Is Zoho HIPAA compliant email?’
These email clients CAN’T be made HIPAA compliant:
If you’re using any of the providers listed above, you should switch right away to avoid HIPAA violations. In the meantime, you shouldn’t use these email accounts to send, receive, or handle PHI.
First and foremost, they’re not HIPAA compliant because they will not sign a HIPAA Business Associate Agreement (BAA).
If you look back to our nine rules above, you’ll also see that they only meet a few of them, at best. They might use something called “TLS encryption” for sending and receiving emails, but that’s not nearly enough. Transport Layer Security (TLS) doesn't guarantee secure delivery.
This is because the recipient’s email provider may not support TLS. In that case your HIPAA secure email is downgraded and travels as unencrypted plain text. You can learn more about TLS and encryption in this article.
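The downgrade described above happens because mail servers typically negotiate TLS opportunistically: if the receiving server does not advertise STARTTLS, the sender falls back to plaintext. The following added example (not from the original article) parses a constructed EHLO reply and shows how an opportunistic policy silently downgrades while an enforced policy refuses to send; the live `remote_offers_starttls` check is an optional helper that needs network access.

```python
"""Opportunistic vs. enforced STARTTLS: why 'TLS encryption' alone is not enough.

Added example, not part of the original article. An SMTP client using
opportunistic TLS sends in plaintext when the receiving server does not
advertise STARTTLS; an enforced policy refuses to send instead.
"""
import smtplib

OPPORTUNISTIC = "opportunistic"  # encrypt if offered, otherwise fall back to plaintext
ENFORCED = "enforced"            # encrypt or do not send at all


def ehlo_extensions(ehlo_response: str) -> set[str]:
    """Parse a multi-line EHLO reply into the set of advertised extension keywords.

    The first line is the server greeting; each later line is an extension
    keyword optionally followed by parameters (e.g. 'SIZE 35882577').
    """
    lines = [ln.strip() for ln in ehlo_response.splitlines() if ln.strip()]
    exts = set()
    for line in lines[1:]:
        # Drop the '250-' / '250 ' reply-code prefix if present.
        body = line[4:] if line[:3] == "250" else line
        parts = body.split()
        if parts:
            exts.add(parts[0].upper())
    return exts


def delivery_decision(ehlo_response: str, policy: str) -> str:
    """Return 'encrypted', 'plaintext' or 'refused' for a given EHLO reply and policy."""
    if "STARTTLS" in ehlo_extensions(ehlo_response):
        return "encrypted"
    if policy == OPPORTUNISTIC:
        return "plaintext"   # the silent downgrade the article warns about
    return "refused"         # enforced TLS: hold the message rather than leak PHI


def remote_offers_starttls(host: str, port: int = 25, timeout: float = 10) -> bool:
    """Live check: does the receiving mail server advertise STARTTLS? (Needs network.)"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_TLS = "250-mx.example.test Hello\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
EHLO_WITHOUT_TLS = "250-mx.example.test Hello\n250-SIZE 35882577\n250 8BITMIME"

if __name__ == "__main__":
    for name, reply in [("tls-capable", EHLO_WITH_TLS), ("tls-less", EHLO_WITHOUT_TLS)]:
        for policy in (OPPORTUNISTIC, ENFORCED):
            print(f"{name:12s} {policy:14s} -> {delivery_decision(reply, policy)}")
```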
These services usually don’t have the kind of logging you need to be compliant. Also, many of them haven’t invested in the kind of security necessary to make sure that their staff can’t get into the system and read your emails.
If you’re searching for a free HIPAA compliant email service, let me make it easy for you. There isn’t one!
When the stakes are high, don’t start with the cheapest HIPAA compliant email solution. Instead, approach it from the perspective of finding the best way to secure your PHI.
Lots of our clients ask if their favorite email program is HIPAA compliant.
On a computer, that could be the desktop version of Outlook, Apple Mail, Thunderbird, or any other email program.
On a smartphone, that could be Apple Mail, Outlook, Android Mail, etc.
Your favorite email program should be HIPAA compliant if it meets these criteria:
We get asked this question all the time. HIPAA compliant email providers usually encrypt all emails moving from one computer to another. But, believe it or not, this is not mandatory!
According to the HIPAA Security Rule, you only have to assess your need for encryption. HIPAA covered entities may not have to encrypt emails if they have an alternative (or equivalent) solution. In practice, this is hard to do and even harder to manage. And, it may not work for your practice in the long run as you continue to grow!
Here’s how we’ve seen clients avoid the use of encryption:
For most practices who want to use email, a HIPAA compliant system with a secure email add-on service is the easiest and safest way forward.
Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.