Is my business email HIPAA compliant?

According to a report published by the FBI Internet Crime Complaint Center (IC3), losses resulting from attacks against business emails are 64 times more damaging than ransomware when measured by dollar amount losses. Phishing and email data breaches can be particularly damaging in the health sector. Regulatory authorities and oversight bodies are incredibly stringent when enforcing compliance measures designed to protect sensitive medical and patient data.

This article analyzes what a solid cybersecurity policy for business email entails under Health Insurance Portability and Accountability Act (HIPAA). HIPAA is the main body of U.S. legislation protecting sensitive medical and patient data.

HIPAA compliance and business email

HIPAA is a federally mandated standard for protecting sensitive medical and patient data. It outlines extensive physical, network, data, people, and process security controls required for ensuring proper data protection under the law. 

HIPAA-compliant email systems and processes comprise just one, albeit substantial, part of the compliance equation. Email is the most widely used medium for medical and healthcare communications. Therefore, its secure use and management are critical for HIPAA compliance.

Who needs to be HIPAA compliant?

HIPAA compliance extends to covered entities and business associates managing Protected Health Information (PHI) and electronic protected health information (ePHI). Doing so requires them to regularly validate their HIPAA compliance to address all existing security exposures and prevent potential violations and fines. 

Covered entities consist of parties providing treatment, managing payments, and managing healthcare operations. These entities fall within any one of the following categories:

  • Healthcare providers: Chiropractors, clinics, dentists, doctors, nursing homes, pharmacies, and psychologists
  • Health plans: Company health plans, health insurance companies, HMOs, and government programs paying for healthcare
  • Health care clearinghouses: Entities processing nonstandard health information

Business associates are also considered responsible for HIPAA compliance. These associates are service providers or professionals conducting healthcare activities or other functions on behalf of healthcare organizations. Examples of business associates that need access to PHI to perform their duties include:

  • Accountants or external auditing firms
  • Accreditation firms
  • Consulting firms 
  • Data transmission providers
  • Financial service providers
  • Legal consultants
  • Medical transcription services

HIPAA email compliance checklist

The following non-exhaustive list contains considerations for maintaining HIPAA compliance.

PHI access restrictions

In highly sensitive and regulated operating environments like medical and healthcare, workers handling and sharing patient data must follow the Principle of Least Privilege and Need to Know. Covered parties should only provide enough data and privileges required for the receiving entity to complete its objective. 

Examples of receiving entities include business associates, partners, and contractors. Additionally, any files and documents shared via email should not be attached directly but instead accessed via a link to a secure cloud service or data room.

Monitoring PHI access and use

Though HIPAA allows for an email to transfer PHI, the legislation requires covered entities to implement security controls to ensure sensitive data is sufficiently protected. Examples of these controls include:

  • Audit controls
  • Access controls
  • Integrity controls
  • Monitoring of inter-company PHI transfers
  • ID requirements for authentication

These, and other controls, reinforce accountability and ensure that only authorized personnel and entities can access PHI.

Securing PHI at rest and in transit

HIPAA mandates that emails containing PHI be secured in transit if sent outside the organization’s perimeter or protected email environment. Specifically, HIPAA references NIST Special Publications 800-52 as an authoritative guideline for PHI data security in transit. 

For PHI data security at rest, the NIST Special Publication 800-111 “Guide to Storage Encryption Technologies for End User Devices” describes the technologies necessary for securing data not being immediately accessed or used. Examples of those technologies include full disk encryption, virtual disk encryption, volume encryption, and file and folder encryption.

HIPAA business associate agreements for email

Organizations commonly rely on a third-party service such as Google Workspace to send and receive emails. In these cases, the email service provider should furnish a business associate agreement (BAA) indicating their responsibilities for ensuring the email data’s confidentiality, integrity, and availability (CIA). In the case of Google Workspace, the service does provide a comprehensive BAA.

Business email is the weakest link in the PHI security and privacy chain. And with HIPAA-related penalties at an all-time high, organizations are well-advised to validate that their business email processes and procedures are HIPAA compliant. Read our previous article, How to create an effective HIPAA policy, for more information on maintaining HIPAA compliance in your workforce’s email communications.

Related articles