How to create an effective HIPAA email policy?

6th Apr 2022

With data breaches at an all-time high, organizations across all industries are continuously scrambling to secure their email processes against cyber threats. The stakes are high for organizations dealing with health care and patient data. Businesses handling protected health information (PHI) are entrusted with the safety and privacy of this sensitive information. 

And when it comes to PHI and compliance law in the U.S., the Health Insurance Portability and Accountability Act (HIPAA) is the primary piece of legislation concerned with protecting patients' data privacy.

This article explores the range of concerns organizations must have when adhering to HIPAA email compliance requirements and critical items for creating an effective HIPAA email policy.


The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to standardize the protection of sensitive patient data by organizations handling PHI. HIPAA outlines various physical, network, communications, and data flow security controls required for compliance. Of course, no piece of legislation is complete without its proverbial "bite." 

The cost of non-compliance shouldn't be taken lightly, with fines increasing per impacted patient and the degree of negligence on the offending organization. For example, fines ranging from $100 to $50,000 per violation or breached record are standard, with penalties reaching millions and the possibility of criminal charges and resulting incarceration.

Who does HIPAA affect?

HIPAA impacts parties known as covered entities. These include individuals, groups, or organizations responsible for healthcare treatment, billing, payment, operations, and administration; essentially, all parties involved in accessing private patient data. Covered entities must protect patient data and provide individuals with specific rights vis-a-vis their healthcare data. 

Covered entities' business associates are also subject to HIPAA regulations if they engage in activities related to the protected patient health information in question. In these scenarios, covered entities must draft a written contract detailing the nature of the activity and an agreement to comply with data protection rules to bolster patients' data privacy and security. Similarly, subcontractors and other business associate types must comply with HIPAA.

The impact of HIPAA on email

Email is a common attack vector for threat actors and data thieves, so it's not surprising that much focus has been placed on this avenue of digital communications regarding HIPAA compliance. Many email vendors provide Transport Layer Security (TLS) encryption.

TLS is a critical security feature, but it doesn't provide complete HIPAA compliance on its own. TLS protects a message only while it travels between mail servers that support it; for communications to be fully protected end to end, recipients must also have this encryption integrated into their email application. It's worth noting that common email providers, including Outlook/Office 365, Gmail, and Yahoo Mail, don't come with HIPAA compliance built in out of the gate.
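The hop-by-hop nature of TLS is visible in a delivered message's own `Received` headers: each relay records the protocol it used (`ESMTPS` per RFC 3848, usually with a `version=` clause, when the connection was TLS-protected; plain `ESMTP` when it was not). The following Python script is an added example, not part of the original article, and the message it parses is constructed for illustration; the hostnames (`mx.example-clinic.test`, `mail.example-provider.test`) and the helper names `parse_hops` and `unprotected_hops` are assumptions. It lists every hop and flags the ones that received the message without transport encryption, which shows why TLS at one mail provider says nothing about the whole path, let alone about the message at rest.

```python
import re
from email import message_from_string
from email.policy import compat32

# Constructed sample headers (not from the article): the first hop, a clinic
# workstation to the clinic's MX, used plain ESMTP; the second hop, clinic MX
# to the recipient's provider, used TLS ("ESMTPS", RFC 3848).
SAMPLE_MESSAGE = (
    "Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])\n"
    "\tby mail.example-provider.test with ESMTPS id abc123\n"
    "\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);\n"
    "\tWed, 6 Apr 2022 10:00:00 +0000\n"
    "Received: from workstation.example-clinic.test (workstation.example-clinic.test [192.0.2.55])\n"
    "\tby mx.example-clinic.test with ESMTP id def456;\n"
    "\tWed, 6 Apr 2022 09:59:58 +0000\n"
    "From: clinic@example-clinic.test\n"
    "To: patient@example-provider.test\n"
    "Subject: Appointment\n"
    "\n"
    "Body text, readable in clear by every server that relays or stores it.\n"
)

# 'with' keywords that indicate the receiving server accepted the message over TLS
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}


def parse_hops(raw_message):
    """Return one dict per Received header, oldest hop first.

    Each dict records the sending host, the receiving host, the 'with'
    protocol keyword and whether that single hop was TLS-protected.
    """
    msg = message_from_string(raw_message, policy=compat32)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value)  # unfold continuation lines
        from_host = re.search(r"\bfrom\s+(\S+)", text)
        by_host = re.search(r"\bby\s+(\S+)", text)
        with_proto = re.search(r"\bwith\s+(\S+)", text)
        version = re.search(r"\bversion=(\S+?)[\s);]", text)
        proto = with_proto.group(1).upper() if with_proto else ""
        hops.append({
            "from": from_host.group(1) if from_host else "?",
            "by": by_host.group(1) if by_host else "?",
            "with": proto,
            "tls": proto in TLS_PROTOCOLS or version is not None,
            "tls_version": version.group(1) if version else None,
        })
    # Each relay prepends its header, so reverse to get delivery order.
    hops.reverse()
    return hops


def unprotected_hops(raw_message):
    """Receiving hosts that got the message over a connection without TLS."""
    return [h["by"] for h in parse_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = f"TLS ({hop['tls_version']})" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['with']} {status}")
    print("hops without transport encryption:", unprotected_hops(SAMPLE_MESSAGE))
```

Run against the sample, the script reports the workstation-to-MX hop as plaintext and the MX-to-provider hop as TLS 1.3. Even a path where every hop reports TLS only proves the transport was encrypted; the message body is still stored in clear on each server, which is the gap the at-rest encryption and end-to-end controls in the policy below are meant to close.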

Creating an effective email policy for HIPAA

By ensuring that their email processes are HIPAA compliant, organizations can satisfy several compliance requirements to protect patient data. The following are critical controls necessary for ensuring that emails are HIPAA compliant:

  • End-to-end email encryption: Email services typically provide baseline security and data protection, but they may not provide more advanced security features such as end-to-end encryption. For this reason, organizations should ensure that messages are encrypted both in transit and at rest.
  • HIPAA-compliant business associate agreements with email providers: Third-party email providers are considered business associates. Therefore, they must sign and provide business associate agreements before handling electronic PHI (ePHI). This document should detail the service provider's responsibilities regarding data protection measures for administrative, physical, and technical domains.
  • Email retention policies: Patients are generally entitled to information and disclosures regarding their PHI. Providing email data and related compliance policies is crucial when demanded. That's especially true if there's legal action against the organization for potential patient data privacy violations. HIPAA mandates that covered entities must store compliance-related documentation for six years.
  • Patient consent before communications: When emailing patients and other parties with ePHI, HIPAA-covered organizations and entities must receive written patient consent to use email as a communication method before sending ePHI.
  • Policies developed with Legal: It may be worth seeking legal counsel when creating HIPAA-compliant email policies, as attorneys experienced with HIPAA compliance are best qualified to draft effective HIPAA email policies.

By creating clear, comprehensive email policies and training staff on adhering to these policies, organizations are better positioned to protect their ePHI per HIPAA regulations. Errors made by healthcare staff, like mistakenly sending ePHI via an unencrypted email or to unintended recipients, have resulted in numerous high-profile healthcare data breaches and related HIPAA penalties. 

Creating rules and best practices gives HIPAA-compliant organizations a platform for training or re-training and assurance that the proper measures have been implemented. That could include deploying and using HIPAA-compliant email and data encryption software solutions for built-in HIPAA compliance in one streamlined platform.