How do I send HIPAA-compliant lab results via email?

May 5th, 2017

A question about HIPAA-compliant transactional email from Ask Erik:

As a non-technical member of the founding team of a Health Care Startup I have a question about HIPAA-compliant email as we begin to send out lab test results to individuals and the health care providers we partner with:

“Does one dedicated email address for results distribution that is HIPAA-compliant and secure make us in compliance. ”

We have team members who communicate with our DDS clinics but they don’t distribute test results. Only I will do that through a dedicated email address.   What do we have to do to be compliant from day one of distributing test results as part of our service to our customers (primarily dentists and oral surgeons)?

I was told by the service provider of our website and email hosting services that if we made the one email address a Business Premium account using the Microsoft Secure Server, that all the other regular email addresses would be covered as well. Is this true?

Thank you for the forum to ask real life scenario questions.

Lab results to email

Hello,

There are many aspects to your question.  Lets address each one in turn:

Does one dedicated email address for results distribution that is HIPAA compliant and secure make us in compliance?

If you have a HIPAA-compliant email address and you are the only one sending these messages out, then indeed, you only need one HIPAA-compliant address for compliance.  However, you should note:

  1. HIPAA requires a unique login for every person dealing with PHI.  So, if others eventually participate in the sending, they will need their own  HIPAA-compliant email addresses.
  2. If you sending is automated, then that sending system could be considered a single unique user in and of itself.
  3. Having and using a secure email address by itself does not make you “in compliance.”  You still need to use the secure email address appropriately and follow all the other guidelines of HIPAA for your own handling of the ePHI (e.g. the lab results).  See our HIPAA-compliance checklist.

How many test results are you sending out?

If you are sending a modest number of test results each day, then a regular business email account with HIPAA compliance would be appropriate for this distribution.  However, as your system grows and your distribution climbs from 100s to 1000s to 10,000s of results each day, you will need a HIPAA-compliant bulk emailing provider.  Most HIPAA compliance services do not allow you to send large quantities of email messages each day.  You also will then have to consider other factors that accept bulk sending, such as IP reputation and deliverability.  For more information, see:

If one email address is HIPAA-compliant, are all the email addresses compliant?

It is very much up to a provider if the extend the scope of compliance to all addresses in an account.   LuxSci can and perhaps Microsoft does as well.

However, just because a provider says that your account is HIPAA-compliant, this does not mean that you are automatically protected.  You have to be sure that the provider actually includes email encryption with their service (e.g. G Suite does not include it with HIPAA accounts and Microsoft does not include it without a lot of extra cost). You need to be careful of “Quasi-Compliant” services that do not provide full compliance for your intended use of their services (e.g., actually sending sensitive email). We find it very common that providers require your users to tag a message as in need of encryption via a button press or special subject text.  This is very risky as any mistake can equal an automatic breach.  At LuxSci, we encrypt all the messages unless told otherwise — this reversal is very much better for your business’ risk profile.  See: Opt-In encryption is too risky for compliance.

In any case, please consider your business needs, risk sensitivity, and then talk to your providers to see how their services may or may not meet your needs.