A Brief Guide to HIPAA-Compliant SMTP Relaying
Simple Mail Transfer Protocol (SMTP) is the protocol by which email travels across the internet. An SMTP relay is a mail server that accepts your outgoing message and passes it on to another server that can deliver it to the intended recipient. Email providers such as Gmail own and manage SMTP servers; some allow you to connect to those servers directly, while others require you to send email through their webmail applications. In the latter case the provider is also guarding against abuse: a client that can submit many messages in a short period can just as easily be used for spamming.
Providers that allow direct access to their SMTP servers may or may not support SMTP relaying. ‘Support’ here means that you can connect to their SMTP server and send outbound email to recipients whose mailboxes the provider does not manage (for example, a provider that hosts luxsci.net addresses relaying a message to a yahoo.com address).
SMTP authentication versus Secure SMTP
To keep attackers from using their servers to send spam, many email providers require authentication (for example, a username and password) before accepting mail for relay. Some providers go beyond SMTP authentication and offer Secure SMTP, encrypting the connection between your computer and their server with SSL/TLS, either by upgrading the session with STARTTLS on the submission port or by using a port that speaks TLS from the start. This protects the message contents, and your credentials, on the hop to the relay server. It protects only that hop: the relay’s onward delivery to the recipient’s server, and the message once stored at either end, are not covered, which is why the message itself may still need to be encrypted.
As far as sending protected health information (PHI) via email is concerned, do the HIPAA Security and Privacy Rules require encryption?
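As an added example (not code from the original article), here is the authenticated submission flow described above written in Python so that it fails closed: it refuses to send credentials or the message unless the relay offers STARTTLS and presents a certificate that verifies, and it authenticates only after the TLS handshake. The relay hostname, addresses and password are hypothetical, and the FakeRelay class is a constructed stand-in for smtplib.SMTP so the exchange can be run offline.

```python
import smtplib
import ssl
from email.message import EmailMessage


class RelayNotSecure(RuntimeError):
    """The relay cannot be used without exposing credentials or message contents."""


def send_via_relay(message, host, port, username, password, smtp_factory=smtplib.SMTP):
    """Submit `message` to an authenticated SMTP relay, failing closed if TLS is unavailable.

    Exchange: connect -> EHLO -> STARTTLS (mandatory, certificate verified) -> EHLO -> AUTH
    -> MAIL/RCPT/DATA -> QUIT.  Returns the dict of refused recipients from send_message().
    `smtp_factory` is smtplib.SMTP in practice; the offline demo below injects FakeRelay.
    """
    # The default context verifies the server certificate and hostname; pin a TLS floor too.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    smtp = smtp_factory(host, port, timeout=30)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to cleartext: AUTH PLAIN/LOGIN would leak the password and
            # the message (possibly ePHI) would cross the wire unencrypted.
            raise RelayNotSecure(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the handshake (RFC 3207)
        if not smtp.has_extn("auth"):
            raise RelayNotSecure("relay does not offer AUTH inside TLS")
        smtp.login(username, password)  # credentials are only ever sent inside TLS
        return smtp.send_message(message)
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


class FakeRelay:
    """Constructed stand-in for smtplib.SMTP so the flow runs offline.

    Records the client's actions so the ordering (TLS before credentials) can be checked.
    """

    def __init__(self, host, port, timeout=None, offers_starttls=True):
        self.features = {"auth"} | ({"starttls"} if offers_starttls else set())
        self.tls_active = False
        self.transcript = []

    def ehlo(self):
        self.transcript.append("EHLO")
        return 250, b"ok"

    def has_extn(self, opt):
        return opt.lower() in self.features

    def starttls(self, context=None):
        if context is None or not context.check_hostname:
            raise AssertionError("STARTTLS without certificate verification")
        self.tls_active = True
        self.transcript.append("STARTTLS")
        return 220, b"ready"

    def login(self, user, password):
        self.transcript.append("AUTH" if self.tls_active else "AUTH-CLEARTEXT")

    def send_message(self, msg):
        self.transcript.append("DATA")
        return {}

    def quit(self):
        self.transcript.append("QUIT")


def demo(offers_starttls=True):
    """Run send_via_relay against a FakeRelay; returns (outcome, transcript)."""
    created = []

    def factory(host, port, timeout=None):
        relay = FakeRelay(host, port, timeout, offers_starttls=offers_starttls)
        created.append(relay)
        return relay

    msg = EmailMessage()  # constructed sample; hostnames, addresses and password are hypothetical
    msg["From"] = "clinic@example.org"
    msg["To"] = "patient@example.net"
    msg["Subject"] = "Appointment reminder"
    msg.set_content("Your appointment is confirmed.")
    try:
        send_via_relay(msg, "smtp.relay.example", 587, "clinic@example.org", "app-password", factory)
        outcome = "sent"
    except RelayNotSecure as exc:
        outcome = f"refused: {exc}"
    return outcome, created[0].transcript


if __name__ == "__main__":
    print(demo(offers_starttls=True))   # ('sent', ['EHLO', 'STARTTLS', 'EHLO', 'AUTH', 'DATA', 'QUIT'])
    print(demo(offers_starttls=False))  # ('refused: ...', ['EHLO', 'QUIT'])
```

Against a real relay, leave `smtp_factory` at its default so smtplib.SMTP connects to the submission port; for a provider that offers TLS from the first byte on port 465, `smtplib.SMTP_SSL(host, port, context=ctx)` replaces the EHLO/STARTTLS step, because the handshake happens before any SMTP command. In both cases the point is the same: the client must not be willing to continue in cleartext when the secure path is unavailable.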
Email encryption or mutual consent?
Covered entities can use unencrypted email to communicate sensitive information to patients as long as they meet mutual consent criteria, as follows:
- patients have to be informed of and understand the security compromises arising from a lack of encryption;
- patients should state in writing that they are fine receiving ePHI via unencrypted email; and
- covered entities need to maintain records of mutual consent statements, including risk warnings and written acceptance from patients.
Mutual consent only waives encryption of the message on its way to the patient; it does not exempt the provider-side handling from HIPAA, so you cannot send ePHI through an email host or provider that is not itself operating under HIPAA safeguards (including a Business Associate Agreement), even if that is the host you use for ordinary unencrypted business email.
Even if you plan to encrypt emails containing PHI, the factors below still need to be addressed; they apply equally if you send ePHI under mutual consent without encryption.
Six key points to note on SMTP relaying
- Business associate agreement: You must have a Business Associate Agreement (BAA) with the email provider. A BAA serves two purposes: it satisfies the HIPAA requirement that a vendor handling PHI on your behalf be contractually bound to protect it, and it allocates liability between the parties, so that if one party fails to comply the other has a remedy. If no agreement is in place, or it is violated, both parties can be held liable.
- Audit trails and activity logging: Audit controls are among the technical safeguards required by the HIPAA Security Rule. Audit trails and activity logging let you see where sensitive content has been sent and who has accessed it, and, when necessary, revoke access at any point.
- Correct recipient: Ensure that the right individual gets the email. The right message to the wrong address is a breach, even under mutual consent. Do not send PHI by email unless you have verified the recipient’s address and checked that you entered it correctly; treat address auto-completion and automatic forwarding rules with particular care.
- Unique user authentication: Unique user IDs and authentication are essential. You must implement procedures to verify that the person accessing the ePHI is who they claim to be.
- Backups/Archives of messages: HIPAA requires you to maintain an email archive in which copies of all sent and received messages are kept in a location separate from your offices and email servers. Archived messages cannot be deleted or edited; they cannot be downloaded, searched or read by anyone other than authorized personnel; and the archive is secured and kept immutable for the required retention period.
- Proper ePHI protection by you and the provider: Covered entities and their email providers must adhere to the same HIPAA Security Rule requirements. Both must have access, integrity, authentication and audit controls in place.
If you plan to send marketing emails to patients, they must first indicate their approval to receive marketing communications. This consent can be obtained electronically, which is more helpful than paper consent forms as it can be managed and audited conveniently. There are other requirements under the Privacy Rule with regard to email marketing. In fact, relaying any email in a HIPAA-compliant manner requires careful consideration and planning. Engaging an email service provider well-versed in HIPAA compliance is the easiest step towards establishing compliance.