HIPAA Regulations for Email

When Congress enacted additional HIPAA laws in 2013, it changed the way healthcare businesses and insurance companies approached electronic communications. At the time, industry experts questioned whether HIPAA email correspondence was covered by the regulations or even whether emails were an appropriate means of sending protected health information (PHI) electronically. To answer that question, you need to understand more about HIPAA and how it protects PHI.

What is the HIPAA Law?

HIPAA or the Health Insurance Portability and Accountability Act was initially enacted in 1996 and signed into law by Bill Clinton. The act stipulates the measures necessary to ensure protected health information is safeguarded. The HIPAA Privacy Rule, specifically, creates national standards that protect PHI. It applies to:

  • Health insurance companies
  • Health care clearinghouses
  • Health care providers

In 2013, Congress added to the PHI mandates with the Final Omnibus Rule Update, which expanded HIPAA requirements to include business associates like cloud storage services. The goal was to upgrade the security requirements and increase the scrutiny placed on covered entities, in other words, the healthcare companies that hire these business associates. What about HIPAA-compliant emails, though?

How the Final Omnibus Rule Defines Compliance for Email

The language of the security rule did not keep covered entities from using email to communicate PHI, but it did establish regulations for its use, specifically:

  • There must be restricted access
  • Entities must monitor how PHI is transmitted via the system
  • They must be able to ensure the integrity of the transmission when at rest
  • They must provide 100 percent message accountability
  • They must be able to protect the data from unauthorized access while in transit

Encryption is a practical approach to managing the HIPAA email compliance issue, but it doesn’t go far enough. It doesn’t, for example, create an audit trail, monitor the PHI, or satisfy authentication requirements. Besides, not all types of encryption are at the same security level. How would the sending party determine whether the receivers have the encryption level deemed appropriate through risk assessment to ensure a HIPAA compliant email?

The U.S. Department of Health and Human Services states on its website that electronic correspondence is available for the transfer of PHI, but emails must also follow HIPAA guidelines. Covered entities must control who has access to these emails and ensure the integrity of the transmission to protect them from unauthorized access.

The answer from HHS provided some insight, but it also showcased concerns about creating HIPAA compliant emails. Things like encryption and routing servers made using emails problematic. Without proper compliance, the healthcare companies could face substantial penalties.

How can Healthcare Businesses Remain HIPAA Email Compliant?

Email HIPAA compliance is no easy task, but it is possible for companies that take the proper precautions. Ideally, these entities develop a secure messaging system that will comply with HIPAA guidelines. A secure messaging platform is an adequate substitution for traditional emails.

A secure messaging system works much like a conventional email platform. It is typically web-based but has the same features as an email client like:

  • Creating drafts
  • Inbox
  • Sent folder
  • Ability to delete or mark messages
  • Attachments of images, documents and other file types

Secure messaging systems are compatible with the various operating systems, allowing for multiple-party communication.

What are the Benefits of a Secure Messaging System?

Besides allowing the multiple approved parties to communicate seamlessly, the secure messaging system has the potential to be cost-saving and more efficient for sending a HIPAA email.

Safe messaging works as fast as text messages. Studies show that 90 percent of text recipients open the communication within three minutes. It may take that same person up to 48 hours to open an email. This acceleration means patients and coworkers get answers that much faster.

It is also a communication tool strongly supported by patients. A 2006 study published in the International Journal of Medical Informatics states that secure messaging systems improve doctor-patient communications and, as a result, patient outcomes.

Secure messaging services have a significant industry impact, as well. They allow for better communication between nurses and doctors, home healthcare workers and primary care physicians, and emergency room personnel. They provide for enhanced care coordination and seamless mobile delivery along with improved patient engagement.

The Joint Commission estimates that 80 percent of major medical errors boil down to poor communication. A secure messaging system adds another layer, a HIPAA compliant one, for the various disciplines to send orders to one another and make connections.

The one downside to a secure messaging system used to replace standard emails is storage. HIPAA laws state communications with PHI must remain available for six years. This problem would exist whether the covered entity uses HIPAA email or a messaging system, though. It does necessitate the use of an archiving system that abides by the HIPAA regulation for business associates.

What to Look for in a Secure Messaging System?

There are many variables, but the right secure messaging system will be end-user friendly, able to streamline workflow and efficient, all while remaining HIPAA compliant.

Schedule a Free Demo

Learn more about our HIPAA compliant text messaging solutions and patient communication platform.
