Recent events have shown us that in-person visits to the doctor’s aren’t always a viable option. The COVID-19 outbreak presented many challenges for countries all over the world and their healthcare systems. 

Electronic mail (email) remains among the top communication channels for many industries, especially healthcare, despite the popularity of social media and instant messaging platforms. According to Statista, there were four billion global email users in 2020, with approximately 306 billion emails sent and received every day worldwide. Statistics also indicate an estimated growth to 4.6 billion users and 376 billion emails in 2025. 

Email is convenient for healthcare professionals (HCPs) to communicate internally and externally, especially when faced with communication challenges with patients, or when they simply need to pass along information. But, when communicating with patients over email, is email considered a HIPAA-compliant platform where HCPs can send protected health information (PHI)?

What essential things should you know about HIPAA and email security?

Emails present an instant solution that makes perfect sense for providers and patients as most people already use email. There’s no need to search for a new channel, download an app, or set up a new system. Aside from marketing strategy implementations, email offers opportunities for medical practices to provide the following services:

• Patient consultations
• Exchange medical data with patients, colleagues, and laboratories
• Follow-up on medication
• Manage patient’s chronic conditions 
• Submit referrals
• Follow-up on insurance eligibility and payments

With the vast opportunities for medical information exchange over email, including sensitive patient data or PHI, it’s right to ask, is email safe for healthcare use? Is email HIPAA compliant?

There are required conditions for the safety of exchanging medical information with patients, staff, colleagues, and business associates over email. To grasp the fundamentals of emails and HIPAA compliance, we have to start at the beginning with how an email works.

How does email work?

To understand the security and privacy risks of email communications in healthcare, HCPs must understand how emails work. The requirements for the security of emails and their compliance to HIPAA depend on how you plan to use the email service in healthcare. 

The Email

Emails are text messages, audio and video files, graphics, animated images, or scanned or photographed documents sent and received over a network using a computing device, such as a smartphone, a tablet, or a personal computer. Network users can send emails to an individual, a group, or multiple other users that they receive through an electronic mailbox that stores and manages users’ email communications. Email recipients can view, print, save, edit, answer, forward, or otherwise react to emails they receive. 

The Email Transmission Path

An email’s transmission path begins where a user creates the email message, also known as a workstation. The user dispatches the email to a server that pushes the email to the recipient’s server. And from the recipient’s server, the recipient’s workstation pulls and saves the email for access.

The email transmission path reveals a lot of vulnerabilities to the safety and privacy of the information sent in an email. When a user sends an email to another, it passes through a network or the Internet, making it susceptible to different security threats, not to mention that each machine the email traverses saves a copy of the email — on the sender’s workstation and an email server, and the recipient’s email server and workstation. These threats range from simple accidental leaks to premeditated cybercriminal attacks. 

Fortunately, HIPAA guides healthcare providers on how to make sure electronic communications, such as emails, are safe and HIPAA-compliant.

How do you send HIPAA-compliant emails? 

The Health Insurance Portability and Accountability Act (HIPAA) promotes standards for the safety of sensitive medical data such as protected health information (PHI) when used to improve patient care and other healthcare services. 

HIPAA-covered entities and their business associates must comply with HIPAA rules to guarantee the security and privacy of PHI they exchange with patients, staff, colleagues, and other offices. HIPAA also outlines mechanisms to safeguard electronic use and sharing of PHI (ePHI), such as in emails. 

The first step in sending HIPAA-compliant emails requires covered entities to sign an agreement with the email service provider (business associate) they plan to use for healthcare delivery, clinical, and front desk functions involving ePHI. A business associate agreement (BAA) with Gmail, for example, is necessary to comply with HIPAA rules.

Signing a Business Associate Agreement With Your Email Provider

HIPAA rules and regulations require you to enter into a BAA with an email service provider if you intend to use the email service to send ePHI. 

The need for a BAA stems from the fact that your business associate — the email provider in this instance — must follow the same HIPAA standards when handling ePHI. The agreement outlines their responsibilities and ensures that they can provide mechanisms required to protect sensitive health information:

• Technical safeguards
• Administrative safeguards
• Physical safeguards

It’s important to note that a BAA isn’t optional. If the email provider doesn’t want to sign the agreement with your practice, that means they’re unable to fulfill the HIPAA requirements. Another thing to keep in mind is that you likely need to consult a lawyer specializing in medical law before you can start sending out emails containing ePHI. That is apart from needing an information technology (IT) expert to configure the emails correctly.

Because, even after you find a HIPAA-compliant email service provider and sign an agreement with them, the necessary work before you can start using emails to send PHI is far from over. There are still multiple areas you need to take care of:

1. Ensure end-to-end encryption
2. Figure out how to retain emails
3. Create strict policies and train your staff
4. Obtain patient consent

End-To-End Encryption for HIPAA-Compliant Emails

When it comes to the HIPAA Security Rule, medical data encryption is of the utmost importance. The rule states that messages must be encrypted both in transit and when stored. 

Even if a service provider can encrypt the emails you send in transit, you must also have access controls in place that guarantee only the intended recipient and the sender have access to the emails containing PHI. 

Some service providers allow you to encrypt the emails you send but not by default. In these cases, you must either:

• Manually select to have the email encrypted before sending it
• Enable the option to encrypt all emails — if such an option exists — to eliminate human error from the equation

The type of encryption is something to consider as well. Note that, as technology advances, new encryption standards become available. It’s always best to consult the National Institute of Standards and Technology (NIST) to inquire about the latest recommended email encryption standards to comply with HIPAA. 

If you don’t have a dedicated IT expert who could integrate those standards for emails, check what type of encryption the email service provider is offering before opting to use their services. 

Email Retention

Although HIPAA rules don’t specifically address email retention, they require healthcare providers to have a backup archive to separately store, access, and recover data in an emergency. That means you have to find a different solution, apart from the HIPAA-compliant email service provider, that enables you to store PHI shared via email.

You should also figure out how to retain the emails themselves from a legal standpoint. That is because individuals may request information regarding the disclosure of PHI. If there is a legal action against your practice, you may provide all the relevant email communication. 

Storing all email communication, including attachments, such as health records and visit summaries, takes a lot of storage space. Depending on the location of your practice, state laws may also require you to store the emails for a certain period, so it’s highly advisable to consult a lawyer before you send out a single email that contains PHI. 

With a comprehensive, fully HIPAA-compliant solution, like Curogram, you don’t have to stress about figuring out how to store large amounts of data. Curogram uses automatic backups on AWS (Amazon Web Services) servers, which you can easily access in an emergency. 

Create Strict Email Policies and Train Your Staff

After implementing a HIPAA-compliant email service, you need to develop strict policies that clearly define how your practice should use email and for what purposes. You should adequately train your staff to send encrypted emails under HIPAA rules and regulations. Every employee should be fully aware of their responsibilities and the consequences of data breaches. 

The law does not tolerate human errors when sending ePHI via email, so the policies you implement must guarantee that the correct information is always sent to the right recipient using the necessary encryption methods. 

Obtain Patient Consent Before Sending Emails With ePHI

Even if your emails are entirely HIPAA compliant, you can’t start sending ePHI to patients out of the blue. You must first introduce them to the dangers and risks of communicating protected health information via email and obtain their explicit, written consent. After patients accept the associated dangers with email communication, you can start sending emails containing ePHI without violating any HIPAA rules and regulations. 

Apart from all these requirements, there are two more considerations when using email to provide remote health services. Make sure to protect your email account with a strong password and two-way authentication to prevent unauthorized access. Consider including disclaimers in your emails as a means of notifying patients that the message contains ePHI, and they should view it at their discretion, rather than on a public or unsecured network. 

Non-compliance with HIPAA results in civil and criminal charges and fines or imprisonment. HIPAA email compliance saves you from federal and state penalties for HIPAA violations, and is crucial as patient and medical data safety are essential in providing the most patient-centric care and keeping a medical practice open amidst a cost-constrained industry.

What are the penalties for email HIPAA violations?

Violations/Fines

• Violations that covered entities couldn’t have avoided with reasonable care $100 – $50,000
• HIPAA violations despite reasonable care $1,000 – $50,000
• Willful neglect — corrected with reasonable time $10,000 – $50,000
• Willful neglect — not corrected $50,000 – $1,500,000

Is email really HIPAA compliant?

Debates regarding HIPAA compliance and email have been raging ever since changes to the Health Insurance Portability and Accountability Act took effect in 2013. 

Despite various interpretations, the HIPAA Security Rule clearly states that all forms of communication must accompany the “appropriate administrative, physical, and technical safeguards” to ensure the confidentiality and integrity of ePHI.

Whereas the rule doesn’t explicitly prevent healthcare providers from using email to communicate and share ePHI, it does enforce several requirements. Healthcare providers must implement access control ID authentication and provide audit, integrity, and transmission control mechanisms to:

1. Restrict access to ePHI
2. Continuously monitor how they transfer ePHI 
3. Introduce message accountability and integrity of ePHI at rest
4. Prevent unauthorized access

That suggests that, in theory, emails are HIPAA compliant when adequately configured before using them as a HIPAA-compliant communication channel. The trouble is, most consumer email providers, like Gmail and Yahoo, don’t offer sufficient security mechanisms necessary to meet the HIPAA requirements. 

Healthcare professionals must seek out email providers that offer advanced security mechanisms and enter into a BAA before email is HIPAA compliant and safe to transmit ePHI.

Curogram is a fully HIPAA compliant alternative to email.

With the complex technical and legal requirements to configure an email to be HIPAA compliant, healthcare providers are left looking for email alternatives. Fortunately, there’s Curogram.

Curogram offers a 100% secure, entirely HIPAA compliant 2-way messaging platform that enables healthcare professionals to quickly and easily interact with their patients without worrying about the underlying technical and legal aspects. Curogram also supports HIPAA-compliant staff messaging and allows you to set up a virtual clinic to admit patients online for telemedicine visits. 

Unlike emails, Curogram easily integrates with most known electronic health records (EHRs) in the United States, making it easy for your front desk to enter medical data into your system. Curogram integrates with over 700 EHRs, eliminates redundant administrative work, and allows you to focus on doing what you do best: helping people in need. 

Curogram’s telemedicine capabilities enable patients to instantly connect with their healthcare providers and receive medical care in the most convenient way possible. All they have to do is click a link that you send them in an SMS via a secure 2-way text messaging platform and spend a few minutes in the waiting room before an available doctor attends to them.

Email might seem like a quick and easy solution on paper. Still, considering the amount of time and effort necessary to guarantee your emails are HIPAA compliant, it’s miles away from being the best solution. 

Even with all the HIPAA rules and regulations taken care of, you still encounter multiple problems and hurdles when using email to communicate with patients. 

The bottom line is: email still has its uses as a communication channel, but there are far more efficient solutions for healthcare professionals that guarantee HIPAA compliant patient messaging.