Complete Guide to Sending HIPAA Compliant Emails

When you are a HIPAA-regulated business, using email gets a lot more complicated, and more so when you want to email Protected Health Information (PHI).

PHI is any information that identifies an individual (a phone number, email address, account number or any other unique identifier) and says something about that person's healthcare.

Under HIPAA, entities that violate the rules face fines of between $10,000 and $25,000. So how do healthcare providers communicate and share crucial information?

Email is convenient; it is perhaps the most common way to get patient records over to another practice or to send a record to a patient who has requested it. But keeping email secure is tricky.

The recommended way to share such information is a patient portal with secure file transfer. This article is for readers who have no alternative to email as the communication medium.

That said, it is important to understand where the challenge lies.


The diagram above depicts the flow of an email from the sender to the recipient. Each hop (for example, from the sender's workstation to the sender's mail server) crosses the internet, where attackers may be listening.

A copy of the email is stored on every machine it passes through: the sender's workstation, the sender's mail server, the receiver's mail server and the receiver's workstation.

Isn’t it SCARY!

How can you shield your data from prying eyes?

Many businesses assume that because their email system uses Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption, it is encrypted to HIPAA standards, and they never give it another thought. SSL or TLS protects the email from being intercepted while it is in transit between the sender and the receiver. But is it enough?
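As an added example (not code from the original article), here is what "using TLS" should mean on the sending side: a Go client that refuses to hand the message to the relay unless the relay offers STARTTLS, presents a certificate that verifies for its host name, and negotiates TLS 1.2 or newer. Opportunistic TLS, which quietly falls back to plaintext when the upgrade fails, is exactly the setting the paragraph above warns about. The relay host name is a placeholder; `checkNegotiated` and `dialSecure` are names chosen for this example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/smtp"
)

// Added example, not from the original article. Host names are placeholders.

// mailTLSConfig verifies the server certificate against the expected host
// name and rejects TLS 1.0/1.1. Certificate verification is on by default;
// InsecureSkipVerify is deliberately left false.
func mailTLSConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12,
	}
}

// checkNegotiated inspects the state after the handshake. Even with
// MinVersion set, checking the result keeps a misconfigured client from
// silently submitting in the clear.
func checkNegotiated(state tls.ConnectionState, encrypted bool) error {
	if !encrypted {
		return errors.New("connection is not encrypted")
	}
	if state.Version < tls.VersionTLS12 {
		return fmt.Errorf("negotiated TLS version %#x is below TLS 1.2", state.Version)
	}
	return nil
}

// dialSecure connects on the submission port and upgrades with STARTTLS,
// failing closed if the relay does not offer it.
func dialSecure(host string) (*smtp.Client, error) {
	c, err := smtp.Dial(net.JoinHostPort(host, "587"))
	if err != nil {
		return nil, err
	}
	if ok, _ := c.Extension("STARTTLS"); !ok {
		c.Close()
		return nil, errors.New("relay does not offer STARTTLS; refusing plaintext fallback")
	}
	if err := c.StartTLS(mailTLSConfig(host)); err != nil {
		c.Close()
		return nil, err
	}
	state, encrypted := c.TLSConnectionState()
	if err := checkNegotiated(state, encrypted); err != nil {
		c.Close()
		return nil, err
	}
	return c, nil
}

func main() {
	// Placeholder relay; use the provider named in your business associate agreement.
	c, err := dialSecure("smtp.example.invalid")
	if err != nil {
		fmt.Println("not sending:", err)
		return
	}
	defer c.Quit()
	fmt.Println("TLS 1.2+ session established; safe to submit the message")
}
```

Even with this in place, TLS covers only the hop from you to your relay. The later hops and the stored copies on every server and workstation are outside your control, which is why HIPAA asks for more than transport encryption.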

HIPAA says there’s more to it!

  1. Verify the identity of the receiving party before they can view the encrypted HIPAA compliant email.
  2. Encrypt the PHI itself so that it cannot be read by anyone who intercepts it.
  3. Be able to revoke access to the encrypted attachment when it is no longer needed, or if it was sent in error.

Much more goes into protecting PHI at both the sender's and the receiver's end. The checklist below covers what to consider before sending a HIPAA compliant email.

1. A patient’s written consent

HIPAA gives patients control over data about themselves, which means unencrypted transmission of PHI to a patient is permitted. You must inform the patient of the risks of such emails: tell them that the messages are not encrypted and that, because they travel over the internet, a third party may be able to access and read them.

If the patient has been made aware of the risks of unencrypted email and gives consent to receive health information that way, the entity may send the medical information via unencrypted email.

Make sure you never send such emails to recipients who have not opted in.

2. Append a privacy statement

Before emailing PHI, decide whether disclosing it by email is appropriate and, if so, how much of the PHI the email should reveal. Add a privacy statement reminding the recipient that email is insecure and telling them whom to contact if they are not the intended recipient.

On the subject of privacy: if an unencrypted PC holding unencrypted ePHI is stolen, a hefty fine is likely. Massachusetts Eye and Ear Associates Inc., for instance, was fined $1.5 million after patients' ePHI and research papers were reported stolen.

3. Train your staff

Only a limited number of staff members should have access to your practice's email account. HIPAA section 164.312(a)(1) requires you to assign a unique name or number to identify and track each user, so every staff member who accesses a patient's ePHI needs their own identity.

"Preparation is the key to prevention": organize frequent training sessions so that your staff understand the risks of handling ePHI. Identifying risks or gaps in your policies early helps prevent future disasters. Have an external HIPAA officer audit a training session to make sure you are relaying all the information correctly.

4. Enter into a HIPAA-compliant business associate agreement with your email provider

Before using a third-party service provider to send ePHI, obtain a business associate agreement. The agreement sets out the provider's responsibilities and the administrative, physical and technical safeguards that will be used to ensure the confidentiality, integrity and availability of ePHI.

But how would you know which one to choose?

Narrow your search for an email provider with the pointers below:

  1. Enter into an agreement with the service provider.
  2. Make sure they have a responsive customer service team for all your concerns.
  3. The encryption service should work with any browser or device.
  4. They should be willing to encrypt all emails, even those without PHI, without any hassle.

5. Encrypt and secure your HIPAA compliant email with algorithms

If the PHI is in the body of the HIPAA compliant email, the message itself must be encrypted; if the PHI is in an attachment, the attachment can be encrypted instead. Emails containing PHI must not be transmitted unless they are encrypted, either with a third-party program or with AES, 3DES or a similar algorithm.
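The three requirements HIPAA adds (identify the receiver, encrypt the PHI, revoke access later) and the attachment-encryption paragraph above come together in one pattern, shown here as an added example in Go rather than code from the article. The attachment is encrypted with AES-256-GCM under a key generated for that one message; the key never travels in the email, the recipient's identity is bound into the GCM associated data so a forwarded copy will not open for anyone else, and the sender revokes access by discarding the key. The in-memory key store, the message id and the addresses are constructed placeholders standing in for a real escrow service. AES-GCM is chosen over 3DES, which the article also lists, because 3DES is a legacy cipher that should not be selected for new systems.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not the article's code. All identifiers and sample data
// are constructed for illustration.

type sealed struct {
	msgID      string
	recipient  string
	nonce      []byte
	ciphertext []byte // includes the GCM authentication tag
}

// keyStore maps message id -> key. Deleting the entry revokes access.
type keyStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAttachment encrypts plaintext for one named recipient and records
// the per-message key in the store.
func sealAttachment(ks keyStore, msgID, recipient string, plaintext []byte) (*sealed, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(msgID + "|" + recipient) // binds ciphertext to this recipient
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	ks[msgID] = key
	return &sealed{msgID: msgID, recipient: recipient, nonce: nonce, ciphertext: ct}, nil
}

// openAttachment is what the portal runs once the recipient has proven
// who they are. A wrong recipient, tampered data or a revoked key all fail.
func openAttachment(ks keyStore, s *sealed, claimedRecipient string) ([]byte, error) {
	key, ok := ks[s.msgID]
	if !ok {
		return nil, errors.New("access revoked or unknown message")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad := []byte(s.msgID + "|" + claimedRecipient)
	pt, err := gcm.Open(nil, s.nonce, s.ciphertext, aad)
	if err != nil {
		return nil, errors.New("decryption failed: wrong recipient or modified ciphertext")
	}
	return pt, nil
}

// revoke removes the key, so every stored copy of the email becomes
// undecryptable without touching those copies.
func revoke(ks keyStore, msgID string) { delete(ks, msgID) }

func main() {
	ks := keyStore{}
	record := []byte("Patient: J. Doe (constructed sample)\nA1C: 6.8%") // constructed
	s, _ := sealAttachment(ks, "msg-0001", "dr.smith@clinic.example", record)
	fmt.Println("sealed for", s.recipient)
	pt, err := openAttachment(ks, s, "dr.smith@clinic.example")
	fmt.Printf("intended recipient: %q err=%v\n", pt, err)
	_, err = openAttachment(ks, s, "someone.else@example.org")
	fmt.Println("forwarded to another address:", err)
	revoke(ks, "msg-0001")
	_, err = openAttachment(ks, s, "dr.smith@clinic.example")
	fmt.Println("after revocation:", err)
}
```

The email that actually travels through the servers and workstations in the diagram carries only the ciphertext; the sender's own copy of the key is the single thing that needs protecting, and destroying it is the revocation step the article asks for.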

You should also provide alternative methods to secure patient data:

  1. Cloud-based email servers: When the sender and recipient have accounts on the same cloud-based server, you can connect to that server over HTTPS, which gives you an encrypted connection between you and your email server. It does not, however, protect the transmission from the cloud server to the recipient's server.
  2. Secure message portals: Ideally your EMR system provides a patient portal that stores the information. A HIPAA compliant email is then sent to the recipient telling them a message is waiting on the portal; they log in securely and view the data there.
  3. 2-factor authentication: All security experts agree on the need for a strong password, and 2-factor authentication complements it. Via an SMS or push notification, a person who logs into a database containing PHI with a username and password must also enter a PIN code to confirm their identity. A new PIN code is issued for every login attempt, so a compromised password alone will not give an attacker access to the secured information.
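The per-login PIN described in point 3 is usually generated rather than sent by SMS. As an added example that is not part of the original article, the Go code below implements the two standard ways of doing that: HOTP (RFC 4226), a counter-based code, and TOTP (RFC 6238), the time-based variant produced by authenticator apps. The secret is the RFC test key, not a production value; `verifyTOTP` is the server-side check, named for this example, that a stolen password alone cannot pass.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Added example, not from the original article.

// hotp computes the HMAC-SHA1 one-time code for a counter value (RFC 4226).
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp derives the counter from Unix time in 30-second steps (RFC 6238).
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/30), digits)
}

// verifyTOTP accepts the current step and one step on either side to
// tolerate clock skew, comparing in constant time. Because the code changes
// every 30 seconds, a captured password plus an old code is not enough.
func verifyTOTP(secret []byte, unix int64, submitted string) bool {
	for _, skew := range []int64{0, -30, 30} {
		expected := totp(secret, unix+skew, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret
	fmt.Println("code now:", totp(secret, time.Now().Unix(), 6))
	fmt.Println("RFC 6238 vector, T=59:", totp(secret, 59, 8)) // 94287082
}
```

In a real deployment the secret is provisioned once per staff member (tying in with the unique user identity requirement above) and stored only on the server and the user's device, and each accepted code should be recorded so it cannot be replayed within its window.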

To conclude, make sure you fully understand HIPAA's security and privacy rules before sending a HIPAA compliant email or receiving email from patients. The more you and your patients know about email safety, the safer everyone's data will be.
