{"id":1333,"date":"2017-10-20T16:16:14","date_gmt":"2017-10-20T23:16:14","guid":{"rendered":"https:\/\/blog.sprucehealth.com\/?p=1333"},"modified":"2023-10-26T06:04:22","modified_gmt":"2023-10-26T13:04:22","slug":"bottom-line-hipaa-compliance-email","status":"publish","type":"post","link":"https:\/\/sprucehealth.com\/blog\/bottom-line-hipaa-compliance-email\/","title":{"rendered":"The Bottom Line on HIPAA Compliance and Your Email"},"content":{"rendered":"<p>Email is everywhere, and it&#8217;s not going away anytime soon. Social media, texting, and other forms of electronic communication have had <a href=\"https:\/\/sprucehealth.com\/blog\/modern-communication-patterns-expectations-affect-medical-practices\/\">an important and notable rise recently<\/a>, but about half of the world now uses email, and that figure is increasing.<sup>1<\/sup> In medicine, approximately 50% of patients either\u00a0use or want to use email to contact their healthcare providers, and about a third of\u00a0clinics are actually making it possible for them to do so.<sup>2,3<\/sup><\/p>\n<p>Email, however, was invented\u00a0well\u00a0before\u00a0either HIPAA\u00a0or our society&#8217;s modern appreciation for\u00a0the\u00a0importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on\u00a0healthcare communication,\u00a0which turns the situation into a powder keg.<\/p>\n<p><strong>In short, email in medicine\u00a0can be a HIPAA disaster. But it doesn&#8217;t have to be.<\/strong><\/p>\n<p>Let&#8217;s talk about the\u00a0problem and what you can do to solve it.<\/p>\n<hr \/>\n<h2>What HIPAA Compliance Demands from Email<\/h2>\n<p>If your healthcare activities are <a href=\"https:\/\/sprucehealth.com\/blog\/hipaa-compliance-apply-to-me\/\">covered by HIPAA<\/a>\u00a0and you want\u00a0to use email to store\u00a0or transmit\u00a0protected health information (PHI), then\u00a0two\u00a0important sections of\u00a0the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.<\/p>\n<p>We&#8217;ve <a href=\"https:\/\/sprucehealth.com\/blog\/easiest-complete-hipaa-compliance-checklist-youll-ever-see\/\">discussed these rules before<\/a> in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while\u00a0the Security Rule provides\u00a0additional regulations for PHI that\u00a0is in electronic form (ePHI).<\/p>\n<h3>The HIPAA Privacy Rule and email<\/h3>\n<p>When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/faq\/570\/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients\/index.html\">specific guidance<\/a>.<sup>4<\/sup> Here&#8217;s a snippet of their position:<\/p>\n<p style=\"padding-left: 30px;\"><em><strong>Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?<\/strong><\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. \u00a7 164.530(c).<\/em><\/p>\n<p>Sounds like great news! For reference,\u00a0the\u00a0<a href=\"https:\/\/www.ecfr.gov\/cgi-bin\/text-idx?SID=d9614eaf433ed3f49041777883125e47&amp;mc=true&amp;node=se45.1.164_1530&amp;rgn=div8\">45 CFR \u00a7 164.530(c)<\/a>\u00a0that they referenced is just a citation\u00a0for a section of the actual HIPAA regulations, and it simply requires that you &#8220;have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.&#8221;<\/p>\n<p>Of course, when it comes to email, the definition of an &#8220;appropriate technical safeguard&#8221; becomes important. HHS weighs in on this, as well:<sup>4<\/sup><\/p>\n<p style=\"padding-left: 30px;\"><em>Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.<\/em><\/p>\n<p>So that brings us to the Security Rule&#8230;<\/p>\n<h3>The HIPAA Security Rule and email<\/h3>\n<p>The <a href=\"https:\/\/www.ecfr.gov\/cgi-bin\/retrieveECFR?gp=&amp;SID=463722b49854ff59f05bc4a66f52c336&amp;mc=true&amp;n=pt45.1.164&amp;r=PART&amp;ty=HTML#sp45.1.164.c\">45 CFR Part 164, Subpart C<\/a>,\u00a0which HHS referenced above\u00a0is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we&#8217;re going to\u00a0assume that you already have a functioning HIPAA compliance program in place,\u00a0and\u00a0we&#8217;ll spend this section highlighting\u00a0just a few key\u00a0regulations that are especially important\u00a0when it comes to email. If you\u00a0need a more\u00a0thorough rundown on the Security Rule first, check out our earlier <a href=\"https:\/\/sprucehealth.com\/blog\/easiest-complete-hipaa-compliance-checklist-youll-ever-see\/\">complete guide to HIPAA compliance<\/a>.<\/p>\n<p>Within the Security Rule, much\u00a0of the important technical guidance shows up in\u00a0<a href=\"https:\/\/www.ecfr.gov\/cgi-bin\/retrieveECFR?gp=&amp;SID=463722b49854ff59f05bc4a66f52c336&amp;mc=true&amp;n=pt45.1.164&amp;r=PART&amp;ty=HTML#se45.1.164_1312\">45 CFR \u00a7 164.312<\/a>, a section on &#8220;technical safeguards.&#8221;<sup>5<\/sup> Let&#8217;s take an abridged look at some of this section&#8217;s requirements as they apply to email:<\/p>\n<ul>\n<li style=\"margin-bottom: 1em;\"><strong>Access control<\/strong><br \/>\nOnly those people with appropriate access rights should be able to access ePHI. This means that you should\u00a0use strict security measures\u00a0for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider&#8217;s server and travel across the Internet; if they are unencrypted, then you can&#8217;t control access to them as they pass through other servers.<\/li>\n<li style=\"margin-bottom: 1em;\"><strong>Unique user identification and identity verification<br \/>\n<\/strong>Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every\u00a0person sending\u00a0or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.<\/li>\n<li style=\"margin-bottom: 1em;\"><strong>Data integrity<\/strong><br \/>\nSystems must protect\u00a0ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.<\/li>\n<li style=\"margin-bottom: 1em;\"><strong>Encryption and decryption<\/strong><br \/>\nA\u00a0mechanism should\u00a0be used to encrypt and decrypt\u00a0ePHI. Basic email does not employ encryption.<\/li>\n<li><strong>Transmission security<\/strong><br \/>\nTechnical measures must guard against unauthorized access to\u00a0ePHI that is being transmitted. Basic email transmission\u00a0protocols include no guarantee of secure\u00a0transit.<\/li>\n<\/ul>\n<hr \/>\n<h2>How to Use Email in a HIPAA-Compliant Way<\/h2>\n<p>You\u00a0might\u00a0have noticed that the <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/faq\/570\/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients\/index.html\">HHS guidance<\/a>\u00a0discussed above suggests\u00a0that it&#8217;s okay to use email for PHI but then also\u00a0references\u00a0the HIPAA Security Rule, which includes a litany of technical requirements\u00a0that email fails to meet in a very obvious and spectacular fashion. This\u00a0seems like a contradiction, but don&#8217;t worry: there are ways to understand and reconcile it.<br \/>\n<a name=\"patientconsent\"><\/a><\/p>\n<h3>1.\u00a0Find out your patients&#8217; preferences and document their consent<\/h3>\n<p>HIPAA is big on patient freedom and control, and these factors can often take precedence over other facets of the regulation. In the HIPAA Omnibus Rule commentary, HHS states, &#8220;We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.&#8221;<sup>6<\/sup><\/p>\n<div class=\"inset-box\">\n<p>&#8220;Covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.&#8221;<br \/>\n\u2014HHS<\/p>\n<\/div>\n<p>HHS also separately notes that &#8220;an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable,&#8221; so there may actually be an <span style=\"text-decoration: underline;\">obligation<\/span> in some cases to use unencrypted email, if your practice can!<sup>4<\/sup>\u00a0In the same document, they also note that, &#8220;Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.&#8221;<\/p>\n<p>In any case, if you advise\u00a0a patient of their PHI communication options (e.g., postal mail, telephone call, email, etc.), and they indicate that they accept or even prefer email, despite its\u00a0security limitations, then you may\u00a0use email for ePHI with that patient. Other tenets of HIPAA will still apply, however,\u00a0such as the need to\u00a0limit information\u00a0sent to the minimum necessary for the situation. You should also never use basic email to\u00a0discuss PHI with another healthcare provider;\u00a0such discussions should always be fully secure.<br \/>\n<a name=\"technical\"><\/a><\/p>\n<h3>2. Beef up your email technical capabilities<\/h3>\n<p>Earlier references to &#8220;basic&#8221; email were very intentional, because email as a technology has not stood still over the past few decades. Technical features now exist in many email systems that can help you meet the requirements of the HIPAA Security Rule; the problem is just that they aren&#8217;t present everywhere. That doesn&#8217;t mean that you\u00a0shouldn&#8217;t try your best to\u00a0use\u00a0them when possible, though.<\/p>\n<div class=\"inset-box inset-box-right\">\n<p style=\"margin-bottom: 0;\">Technical features now exist in many email systems that can help you <b>meet the requirements<\/b> of the HIPAA Security Rule.<\/p>\n<\/div>\n<p>Encryption for email transmission is a good example of this, and many email services can now meet the\u00a0technical requirements that HHS has\u00a0laid out for\u00a0data in transit.<sup>7,8<\/sup> Services like Gmail, for example,\u00a0often use compliant technologies by default, such as TLS, but\u00a0<a href=\"https:\/\/transparencyreport.google.com\/safer-email\/overview\">Google&#8217;s own &#8220;safer email&#8221; report<\/a> shows that ~10% of the email it handles still cannot be encrypted with TLS due to limitations in outside email servers that are beyond its control.<\/p>\n<p>Other technical email safeguards are becoming more widespread, too,\u00a0such as SPF,\u00a0DKIM, and DMARC, which assist with sender identity verification.\u00a0Use of such technologies\u00a0still cannot be enforced in all cases, however, so you can&#8217;t count on them.<\/p>\n<p>If you absolutely must use email with fully compliant technical features, it does exist, but you and your patients will have to accept some inconvenience. A quick web search for &#8220;HIPAA-compliant email&#8221; or &#8220;secure email&#8221; will turn up dozens of eager solutions, but take note that all of them will require you to install special software or to visit specific pages to view your secure messages. You should also make sure that any solution you choose\u00a0uses\u00a0&#8220;end-to-end&#8221; encryption; that is, encryption that is present at all points\u00a0between you and your recipients. This approach will work for HIPAA compliance, but neither you nor your patients are likely\u00a0to enjoy\u00a0the often-clunky experience.<\/p>\n<h3>3. Understand &#8220;required&#8221; vs. &#8220;addressable&#8221; HIPAA regulations<\/h3>\n<p>Regulations in HIPAA are often marked as either &#8220;required&#8221; or &#8220;addressable.&#8221;\u00a0Items designated &#8220;required&#8221; are just that: non-negotiable. You have to do them.<\/p>\n<div class=\"inset-box\">\n<p style=\"margin-bottom: 0;\">&#8220;Addressable&#8221; safeguards in HIPAA introduce <b>potential flexibility<\/b> for your technology choices.<\/p>\n<\/div>\n<p>Items that are &#8220;addressable,&#8221; however, are more complex. For these regulations, you must assess whether the safeguard in question is &#8220;reasonable and appropriate&#8221; for your environment. If it is, then you must implement it. If you decide that it isn&#8217;t, however, then you\u00a0can document your reasoning and implement an alternative.<\/p>\n<p>Many of the technical safeguards specified in the HIPAA Security Rule are actually &#8220;addressable&#8221; rather than required, and this introduces\u00a0potential flexibility for your technology choices. It is always best to meet all of the regulations, of course, but if your situation absolutely requires the use of email that fails to meet an &#8220;addressable&#8221; technical requirement, you\u00a0might still be able to be\u00a0HIPAA-compliant if you thoroughly document your reasoning and\u00a0eventual alternative decisions.<br \/>\n<a name=\"baa\"><\/a><\/p>\n<h3>4. Get a business associate agreement and understand its limitations<\/h3>\n<p>HIPAA codifies the concept of a &#8220;business associate,&#8221; which is roughly any third-party that &#8220;creates, receives, maintains, or transmits&#8221; PHI on your behalf. HIPAA also specifies that you need to have a written agreement with any such organization, which is generally called a &#8220;<a href=\"https:\/\/sprucehealth.com\/blog\/hipaa-compliance-baa-care\/\">business associate agreement<\/a>&#8221; (BAA).<\/p>\n<p>Any service that you use\u00a0to email PHI will certainly qualify as your business associate, so you should make sure to sign a BAA with your email provider. Popular email providers will often make this option available, as Google does through its paid G Suite product.<\/p>\n<div class=\"inset-box inset-box-right\">\n<p style=\"margin-bottom: 0;\">Signing a BAA with an email provider <b>DOES\u00a0NOT<\/b> guarantee that your email\u00a0will be secure or HIPAA-compliant.<\/p>\n<\/div>\n<p><strong>MASSIVE WARNING:<\/strong> Signing a BAA with an email provider (e.g., Google) does not automatically make your use of email\u00a0secure or HIPAA-compliant. The BAA\u00a0typically guarantees\u00a0only that your provider will store your email in a protected, HIPAA-compliant manner; it doesn&#8217;t offer any protection for what happens to that email\u00a0when it leaves your provider&#8217;s servers en route to your patients.<\/p>\n<p>This is a commonly misunderstood point when it comes to email and service provider BAAs, and many healthcare providers have put themselves at great risk by not interpreting it correctly. From Google&#8217;s own guide, &#8220;<a href=\"https:\/\/support.google.com\/a\/answer\/3407054?hl=en\">HIPAA Compliance with G Suite<\/a>&#8220;:<sup>9<\/sup><\/p>\n<p style=\"padding-left: 30px;\"><em>If an end user wants to use the HIPAA Included Functionality to share PHI with a third party (or a third party application), some of the services may make it technically possible to do so.\u00a0However, it is the customer\u2019s responsibility to ensure that appropriate HIPAA-compliant measures are in place with any third party (or third party application) before sharing or transmitting PHI. Customers are solely responsible for determining if they require a BAA or any other data protection terms in place with a third party before sharing PHI with the third party using G Suite services or applications that integrate with them.<\/em><\/p>\n<p>What they&#8217;re saying there is that G Suite email makes it &#8220;technically possible&#8221; to send emails to your patients (&#8220;to share PHI with a third party&#8221;), but that you are responsible for any HIPAA implications of actually doing so. They&#8217;re not guaranteeing any encryption or other safeguards past their own servers, simply because they can&#8217;t, and if you use their service to send unencrypted email out to patients who didn&#8217;t consent to it, you&#8217;ll be\u00a0violating HIPAA. The BAA won&#8217;t save\u00a0you.<\/p>\n<p>Yes, you need to have a BAA with your email provider, but\u00a0a BAA alone won&#8217;t make you HIPAA-compliant.<\/p>\n<hr \/>\n<h2>Alternatives to Email<\/h2>\n<p>Email can certainly be used in a HIPAA-compliant manner, but it may not be worth the trouble. Instead, many modern communications solutions are now available specifically for healthcare, and they make HIPAA compliance simple while also enabling secure messaging, telemedicine, access logging, team collaboration, and many other advanced features that email will never\u00a0natively support.<\/p>\n<p>Of course, Spruce is one of these solutions. \ud83d\ude09<\/p>\n<p>Our software platform supports\u00a0email, too, but we think that the healthcare communication world is so much bigger and richer\u00a0than simple email. <a href=\"https:\/\/spruce.io\/app\">Check Spruce out<\/a>, and let&#8217;s figure out what your medical communication goals are and how we can help you reach them. Yes, including email, if you really want it.<\/p>\n<p><a href=\"https:\/\/spruce.io\/app\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-1274\" src=\"https:\/\/sprucehealth.com\/blog\/wp-content\/uploads\/2017\/09\/download_spruce.png\" alt=\"\" width=\"290\" height=\"64\" \/><\/a><\/p>\n<hr \/>\n<p><em>This article is part of a series of posts relating to HIPAA law and regulation. The information provided is\u00a0meant as general guidance only and is not intended to be legal advice.<\/em><\/p>\n<hr \/>\n<p><strong>References:<\/strong><\/p>\n<ol>\n<li>Radicati Group, Inc. <i>Email Statistics Report, 2017-2021 &#8211; Executive Summary<\/i>. (Radicati Group, Inc., 2017).<\/li>\n<li>Lee, J. L. <i>et al.<\/i> Patient Use of Email, Facebook, and Physician Websites to Communicate with Physicians: A National Online Survey of Retail Pharmacy Users. <i>J. Gen. Intern. Med.<\/i> <b>31,<\/b> 45\u201351 (2016).<\/li>\n<li>Steinfeld, J., Salesforce Research &amp; Harris Poll. <i>2016 Connected Patient Report: Insights Into Patient Preferences on Telemedicine, Wearables and Post-Discharge Care<\/i>. (Salesforce, 2016).<\/li>\n<li>Office for Civil Rights (OCR) &amp; U.S. Department of Health and Human Services (HHS). 570-Does HIPAA permit health care providers to use e-mail to discuss with their patients. <i>HHS.gov<\/i> (2008). Available at: http:\/\/www.hhs.gov\/hipaa\/for-professionals\/faq\/570\/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients\/. (Accessed: 23rd February 2016)<\/li>\n<li>Office for Civil Rights (OCR) &amp; U.S. Department of Health &amp; Human Services (HHS). 2006-Does the Security Rule allow for sending e-PHI in an email or over the Internet. <i>HHS.gov<\/i> (2013). Available at: https:\/\/www.hhs.gov\/hipaa\/for-professionals\/faq\/2006\/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email\/index.html. (Accessed: 18th October 2017)<\/li>\n<li>Office for Civil Rights (OCR) &amp; Department of Health and Human Services (HHS). 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. <i>Fed. Regist.<\/i> <b>78,<\/b> 5566\u20135702 (2013).<\/li>\n<li>Department of Health and Human Services (HHS). Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information. <i>Fed. Regist.<\/i> <b>74,<\/b> 19006\u201319010 (2009).<\/li>\n<li>Office for Civil Rights (OCR) &amp; U.S. Department of Health &amp; Human Services (HHS). Breach Notification Guidance. <i>HHS.gov<\/i> (2013). Available at: https:\/\/www.hhs.gov\/hipaa\/for-professionals\/breach-notification\/guidance\/index.html. (Accessed: 19th October 2017)<\/li>\n<li>HIPAA Compliance with G Suite &#8211; G Suite Administrator Help. Available at: https:\/\/support.google.com\/a\/answer\/3407054?hl=en. (Accessed: 20th October 2017)<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Email is everywhere, and it&#8217;s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing.1 In medicine, approximately 50% of patients either\u00a0use or want to use email to contact their healthcare providers, and about a third of\u00a0clinics are actually making it possible for them to do so.2,3<\/p>\n","protected":false},"author":1,"featured_media":1365,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"slim_seo":{"title":"The Bottom Line on HIPAA Compliance and Your Email - Spruce Blog","description":"Email is everywhere, and it's not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable"},"footnotes":""},"categories":[14],"tags":[26,16,41,15],"different-template":[],"class_list":["post-1333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hipaa","tag-communication","tag-compliance","tag-email","tag-hipaa"],"acf":[],"_links":{"self":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/1333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/comments?post=1333"}],"version-history":[{"count":0,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/1333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media\/1365"}],"wp:attachment":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media?parent=1333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/categories?post=1333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/tags?post=1333"},{"taxonomy":"different-template","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/different-template?post=1333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}