
Your Guide to HIPAA-Compliant Email

Questions surrounding HIPAA-compliant email and how to email safely are pervasive. As the healthcare sector becomes more technologically savvy, both patients and medical staff are becoming comfortable with conferring over email. Patients are looking to receive their health information quickly and directly to their email inboxes, which they can then access from anywhere. There’s also a huge time-saving benefit to emailing a physician to ask about a medication prescription refill, or to email a doctor’s office to inquire about an appointment. Likewise, staff rely on email systems amongst themselves to exchange patient information or to simply communicate. There are even some insurance companies that are recognizing and covering online consultations as “telemedicine.” It’s all a part of keeping healthcare more convenient and effective for everyone.

However, as convenient as email may be, it raises a number of red flags when it comes to HIPAA-compliance. Before you engage in healthcare-focused emails from patient to healthcare clinic or vice versa, find out how to ensure your email correspondence remains HIPAA-compliant.


HIPAA-Compliant Email Requirements

HIPAA compliance for email applies to all Protected Health Information (PHI): individually identifiable health information held or transmitted by a covered entity or its business associates. Electronic Protected Health Information (ePHI) is PHI that is transmitted over electronic channels (e.g. the Internet) or stored in any electronic medium (e.g. on your laptop). The Security Rule requires safeguards for ePHI both inside the organization and wherever a third party handles it on your behalf (e.g. your email provider). These regulations exist to uphold HIPAA's privacy standards: they protect the health information of every patient and preserve confidentiality between clinician and patient.

It is the legal responsibility of healthcare providers to ensure that their patients' ePHI is secure. That means taking extra steps, such as deploying strong email security, running regular audits and risk assessments, and training staff, to prevent a confidentiality breach, whether unintentional (a message read by the wrong recipient, for example) or malicious (such as an attacker compromising an account or server).

HIPAA uses two terms for the implementation specifications that must be considered for ePHI and email: required and addressable. Required means that implementing the specification is mandatory. Addressable does not mean "optional": the specification must be implemented unless a documented risk analysis concludes that it is not reasonable and appropriate in the organization's particular setting, in which case the organization must record why and put an equivalent alternative measure in place where one is reasonable and appropriate. Addressable specifications therefore allow some flexibility, but only with careful analysis and repeated checks to ensure that any technology implementation is, and remains, HIPAA-compliant.

The General Rules of the Security Standards govern the selection and implementation of technology to address HIPAA. They allow organizations to use whatever technological systems they choose, so long as (a) those systems meet the standards for protecting ePHI and (b) a HIPAA Business Associate Agreement is in place with the vendor whenever the system is outsourced. The standards range from organizational (the functions an organization must perform, including developing, documenting and implementing policies and procedures) and administrative (personnel training and staff management), to physical security (workstations, building access, data storage) and technical safeguards (audit controls, integrity checks, user authentication, transmission security). See the HIPAA Checklist: What you need to do.

Things to Watch Out For

Anyone who has worked with email for a while, or anything digital for that matter, knows at least something about keeping an email account secure. From not clicking on suspicious links, to deleting strange emails rather than replying to them, there are plenty of ways to keep your email safeguarded. However, extra preventive measures come into play when emailing healthcare information.

Here are a few threats to look out for when it comes to passing around ePHI:

  • Eavesdropping: It may not be the most sophisticated way of obtaining information, but anyone positioned on the path your email takes across the Internet, or with access to the mail servers it passes through, can read and copy a message that is not encrypted in transit and at rest. The same applies physically: do not open emails containing confidential information in crowded public places where someone could be looking over your shoulder.
  • Identity theft: If your email username and password are easy to guess or reused elsewhere, you are leaving yourself open to attackers who can log into your inbox and read its contents. From there, they can reset passwords at other service providers and impersonate you to the world. Use a long, unique password for your email account, change it immediately if you suspect it has been exposed, enable multi-factor authentication where your provider offers it, and never share your login details with anyone (this includes recording them in any unprotected digital document).
  • Opt-in email encryption: This is a serious problem for healthcare providers who must be HIPAA-compliant, because relying on staff to remember to "opt in" to encryption on a message-by-message basis is too risky. A single message containing ePHI sent without encryption can constitute a reportable breach of unsecured PHI under the HIPAA Omnibus Rule, with civil penalties of up to $50,000 per violation. Encryption should be the default for every outbound message, with the system rather than the sender deciding how it is delivered securely.
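To make the last two points concrete, here is an added illustration (not LuxSci code and not part of the original article) of an outbound mail gate that compares the risky "opt-in" behaviour with a default-encrypt policy. The TLS-capable domain table, the PHI heuristic and the sample messages are all constructed for the example; a real deployment would populate the table from a cached STARTTLS or MTA-STS probe and use a far richer content classifier.

```python
"""Outbound e-mail gate: per-message "opt-in" encryption beside a default-encrypt policy.

Added illustration, not LuxSci code. TLS_CAPABLE_DOMAINS, the PHI patterns and
SAMPLE_MESSAGES are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a per-domain check of whether the recipient's mail
# servers accept TLS (in production: a cached STARTTLS / MTA-STS probe).
TLS_CAPABLE_DOMAINS = {"clinic.example", "hospital.example"}

# Constructed heuristic: identifiers and terms that commonly indicate PHI.
_PHI_PATTERNS = [
    re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),               # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                     # SSN-shaped number
    re.compile(r"\b(diagnos(is|ed)|prescription|lab results?)\b", re.I),
]


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str
    user_flagged_secure: bool = False   # the per-message "encrypt this" checkbox


def contains_phi(text: str) -> bool:
    """Best-effort content check; used as a backstop and for auditing, never as the
    only trigger for encryption."""
    return any(p.search(text) for p in _PHI_PATTERNS)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def secure_transport_for(recipient: str) -> str:
    """TLS when the recipient's domain supports it; otherwise hold the message in a
    pickup portal (escrow) and e-mail only a notification. Never returns PLAINTEXT."""
    return "TLS" if domain_of(recipient) in TLS_CAPABLE_DOMAINS else "PORTAL"


def opt_in_policy(msg: OutboundMessage) -> str:
    """The failure mode from the text: encrypt only if the sender ticked the box."""
    if msg.user_flagged_secure:
        return secure_transport_for(msg.recipient)
    return "PLAINTEXT"


def always_encrypt_policy(msg: OutboundMessage) -> str:
    """Default-encrypt: the checkbox is irrelevant, the system chooses a secure path."""
    return secure_transport_for(msg.recipient)


def audit(policy, messages):
    """Messages the given policy would have sent in the clear while carrying PHI."""
    return [m for m in messages
            if contains_phi(m.subject + " " + m.body) and policy(m) == "PLAINTEXT"]


# Constructed sample traffic: one forgotten checkbox, one remembered, one benign.
SAMPLE_MESSAGES = [
    OutboundMessage("dr.lee@clinic.example", "patient@mail.example",
                    "Your lab results", "Your lab results are attached. MRN: 00482911",
                    user_flagged_secure=False),   # staff forgot to opt in
    OutboundMessage("dr.lee@clinic.example", "referral@hospital.example",
                    "Referral", "Diagnosis confirmed, see attached.",
                    user_flagged_secure=True),
    OutboundMessage("front.desk@clinic.example", "patient@mail.example",
                    "Office hours", "We are closed on Monday.",
                    user_flagged_secure=False),
]


if __name__ == "__main__":
    for name, policy in (("opt-in", opt_in_policy), ("always-encrypt", always_encrypt_policy)):
        leaks = audit(policy, SAMPLE_MESSAGES)
        print(f"{name:15s} PHI sent in the clear: {[m.subject for m in leaks]}")
```

Under the opt-in policy the forgotten checkbox on the lab-results message is exactly the single-message breach the text warns about; under the default-encrypt policy the same message goes to the pickup portal because the patient's domain does not offer TLS, and the referral to a TLS-capable hospital goes over TLS. The content heuristic is deliberately only an audit aid: a classifier that misses a message must not be the thing standing between ePHI and the open Internet.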

Best Practices

Now that you have a sense of what it means for email to be HIPAA-compliant, it is time to put that knowledge to the test. A high level of email security and solid encryption standards are only half the battle; it is up to healthcare providers to stay vigilant about what travels in and out of their email accounts. It is also the responsibility of companies and hospitals to ensure that the General Rules of the Security Standards are upheld, including educating staff, running regular audits of software, and keeping up with security checks on workstations and in buildings.

For an extra level of protection, consider what third-party experts and auditors can do to help your company become and remain HIPAA-compliant. LuxSci provides the leading software in HIPAA-compliant email, guaranteeing the privacy of all ePHI sent within your organization, as well as to patients and other appropriate outside recipients. We provide HIPAA-compliant communications services that can fill all of your technology needs from email hosting and marketing, to web hosting and web forms, to secure texting and chat and video conferencing.

Stay Vigilant

HIPAA-compliant email requires a good deal of extra security and some training; however, the technology is affordable and easy to obtain, which makes it straightforward to prevent information leaks and keep malicious behaviour out. You do not want to risk breaching HIPAA, both for legal reasons and for the confidentiality of your patients. It only takes one black mark to reduce trust in your healthcare organization, so continue with checks, audits, and staff training so that all your HIPAA practices remain up to date.

Find out more. Read our eBook: HIPAA-compliant email basics.
