Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing.1 In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.2,3
Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.
In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.
Let’s talk about the problem and what you can do to solve it.
What HIPAA Compliance Demands from Email
If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.
We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).
The HIPAA Privacy Rule and email
When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance.4 Here’s a snippet of their position:
Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).
Sounds like great news! For reference, the 45 CFR § 164.530(c) that they referenced is just a citation for a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”
Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:4
Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
So that brings us to the Security Rule…
The HIPAA Security Rule and email
The 45 CFR Part 164, Subpart C, which HHS referenced above is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.
Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.”5 Let’s take an abridged look at some of this section’s requirements as they apply to email:
- Access control
Only those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.
- Unique user identification and identity verification
Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.
- Data integrity
Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.
- Encryption and decryption
A mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.
- Transmission security
Technical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.
How to Use Email in a HIPAA-Compliant Way
You might have noticed that the HHS guidance discussed above suggests that it’s okay to use email for PHI but then also references the HIPAA Security Rule, which includes a litany of technical requirements that email fails to meet in a very obvious and spectacular fashion. This seems like a contradiction, but don’t worry: there are ways to understand and reconcile it.
1. Find out your patients’ preferences and document their consent
HIPAA is big on patient freedom and control, and these factors can often take precedence over other facets of the regulation. In the HIPAA Omnibus Rule commentary, HHS states, “We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”6
“Covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”
HHS also separately notes that “an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable,” so there may actually be an obligation in some cases to use unencrypted email, if your practice can!4 In the same document, they also note that, “Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.”
In any case, if you advise a patient of their PHI communication options (e.g., postal mail, telephone call, email, etc.), and they indicate that they accept or even prefer email, despite its security limitations, then you may use email for ePHI with that patient. Other tenets of HIPAA will still apply, however, such as the need to limit information sent to the minimum necessary for the situation. You should also never use basic email to discuss PHI with another healthcare provider; such discussions should always be fully secure.
2. Beef up your email technical capabilities
Earlier references to “basic” email were very intentional, because email as a technology has not stood still over the past few decades. Technical features now exist in many email systems that can help you meet the requirements of the HIPAA Security Rule; the problem is just that they aren’t present everywhere. That doesn’t mean that you shouldn’t try your best to use them when possible, though.
Technical features now exist in many email systems that can help you meet the requirements of the HIPAA Security Rule.
Encryption for email transmission is a good example of this, and many email services can now meet the technical requirements that HHS has laid out for data in transit.7,8 Services like Gmail, for example, often use compliant technologies by default, such as TLS, but Google’s own “safer email” report shows that ~10% of the email it handles still cannot be encrypted with TLS due to limitations in outside email servers that are beyond its control.
Other technical email safeguards are becoming more widespread, too, such as SPF, DKIM, and DMARC, which assist with sender identity verification. Use of such technologies still cannot be enforced in all cases, however, so you can’t count on them.
If you absolutely must use email with fully compliant technical features, it does exist, but you and your patients will have to accept some inconvenience. A quick web search for “HIPAA-compliant email” or “secure email” will turn up dozens of eager solutions, but take note that all of them will require you to install special software or to visit specific pages to view your secure messages. You should also make sure that any solution you choose uses “end-to-end” encryption; that is, encryption that is present at all points between you and your recipients. This approach will work for HIPAA compliance, but neither you nor your patients are likely to enjoy the often-clunky experience.
3. Understand “required” vs. “addressable” HIPAA regulations
Regulations in HIPAA are often marked as either “required” or “addressable.” Items designated “required” are just that: non-negotiable. You have to do them.
“Addressable” safeguards in HIPAA introduce potential flexibility for your technology choices.
Items that are “addressable,” however, are more complex. For these regulations, you must assess whether the safeguard in question is “reasonable and appropriate” for your environment. If it is, then you must implement it. If you decide that it isn’t, however, then you can document your reasoning and implement an alternative.
Many of the technical safeguards specified in the HIPAA Security Rule are actually “addressable” rather than required, and this introduces potential flexibility for your technology choices. It is always best to meet all of the regulations, of course, but if your situation absolutely requires the use of email that fails to meet an “addressable” technical requirement, you might still be able to be HIPAA-compliant if you thoroughly document your reasoning and eventual alternative decisions.
4. Get a business associate agreement and understand its limitations
HIPAA codifies the concept of a “business associate,” which is roughly any third-party that “creates, receives, maintains, or transmits” PHI on your behalf. HIPAA also specifies that you need to have a written agreement with any such organization, which is generally called a “business associate agreement” (BAA).
Any service that you use to email PHI will certainly qualify as your business associate, so you should make sure to sign a BAA with your email provider. Popular email providers will often make this option available, as Google does through its paid G Suite product.
Signing a BAA with an email provider DOES NOT guarantee that your email will be secure or HIPAA-compliant.
MASSIVE WARNING: Signing a BAA with an email provider (e.g., Google) does not automatically make your use of email secure or HIPAA-compliant. The BAA typically guarantees only that your provider will store your email in a protected, HIPAA-compliant manner; it doesn’t offer any protection for what happens to that email when it leaves your provider’s servers en route to your patients.
This is a commonly misunderstood point when it comes to email and service provider BAAs, and many healthcare providers have put themselves at great risk by not interpreting it correctly. From Google’s own guide, “HIPAA Compliance with G Suite“:9
If an end user wants to use the HIPAA Included Functionality to share PHI with a third party (or a third party application), some of the services may make it technically possible to do so. However, it is the customer’s responsibility to ensure that appropriate HIPAA-compliant measures are in place with any third party (or third party application) before sharing or transmitting PHI. Customers are solely responsible for determining if they require a BAA or any other data protection terms in place with a third party before sharing PHI with the third party using G Suite services or applications that integrate with them.
What they’re saying there is that G Suite email makes it “technically possible” to send emails to your patients (“to share PHI with a third party”), but that you are responsible for any HIPAA implications of actually doing so. They’re not guaranteeing any encryption or other safeguards past their own servers, simply because they can’t, and if you use their service to send unencrypted email out to patients who didn’t consent to it, you’ll be violating HIPAA. The BAA won’t save you.
Yes, you need to have a BAA with your email provider, but a BAA alone won’t make you HIPAA-compliant.
Alternatives to Email
Email can certainly be used in a HIPAA-compliant manner, but it may not be worth the trouble. Instead, many modern communications solutions are now available specifically for healthcare, and they make HIPAA compliance simple while also enabling secure messaging, telemedicine, access logging, team collaboration, and many other advanced features that email will never natively support.
Of course, Spruce is one of these solutions. 😉
Our software platform supports email, too, but we think that the healthcare communication world is so much bigger and richer than simple email. Check Spruce out, and let’s figure out what your medical communication goals are and how we can help you reach them. Yes, including email, if you really want it.
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
- Radicati Group, Inc. Email Statistics Report, 2017-2021 – Executive Summary. (Radicati Group, Inc., 2017).
- Lee, J. L. et al. Patient Use of Email, Facebook, and Physician Websites to Communicate with Physicians: A National Online Survey of Retail Pharmacy Users. J. Gen. Intern. Med. 31, 45–51 (2016).
- Steinfeld, J., Salesforce Research & Harris Poll. 2016 Connected Patient Report: Insights Into Patient Preferences on Telemedicine, Wearables and Post-Discharge Care. (Salesforce, 2016).
- Office for Civil Rights (OCR) & U.S. Department of Health and Human Services (HHS). 570-Does HIPAA permit health care providers to use e-mail to discuss with their patients. HHS.gov (2008). Available at: http://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/. (Accessed: 23rd February 2016)
- Office for Civil Rights (OCR) & U.S. Department of Health & Human Services (HHS). 2006-Does the Security Rule allow for sending e-PHI in an email or over the Internet. HHS.gov (2013). Available at: https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html. (Accessed: 18th October 2017)
- Office for Civil Rights (OCR) & Department of Health and Human Services (HHS). 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Fed. Regist. 78, 5566–5702 (2013).
- Department of Health and Human Services (HHS). Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information. Fed. Regist. 74, 19006–19010 (2009).
- Office for Civil Rights (OCR) & U.S. Department of Health & Human Services (HHS). Breach Notification Guidance. HHS.gov (2013). Available at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html. (Accessed: 19th October 2017)
- HIPAA Compliance with G Suite – G Suite Administrator Help. Available at: https://support.google.com/a/answer/3407054?hl=en. (Accessed: 20th October 2017)