HIPAA Compliant Emails Sent From your Web Site: Best Practices

January 7th, 2014

You buy a HIPAA compliant web hosting infrastructure.  You configure your web site to send out email messages in the simplest way, e.g. through PHP mail, or some other generic and standard mechanism.  You think you are all set — but you are not.

HIPAA compliant web hosting services provide a server infrastructure that allows you to be compliant; however, it does not make you compliant by itself. Your web designers must make choices and program your site so that it properly respects ePHI. If they do not do all the appropriate things, you will be out of compliance. For example, see: 7 steps to make your web site HIPAA-secure.

In particular, email messages sent in the “normal way” from a web site go out insecurely, in a way that violates the HIPAA Security Rule if they contain ePHI of any kind. For example, they will not be encrypted in transit and will not be archived.

How to Send HIPAA Compliant Email From your Web Site

So, if your web site does need to send email messages, and these will contain ePHI, you need to ensure that those messages are sent securely. This will not happen automatically, as it does with a regular locked-down, secure HIPAA email service.

Instead, your web designer needs to do one of two things to ensure the security of these messages.

1. Use a Third Party Service

Your designer can connect your web forms to a third party web form processing service that provides HIPAA compliant collection of your form data and HIPAA compliant emailing of that data to you (and archival of those form posts as well).  One such service is LuxSci SecureForm.

2. Send Through a Secure Email Account

If you have access to an email account that provides HIPAA-compliant outbound emailing via SMTP, your designer can connect to that account securely to send the email messages.

For example, if your site uses PHP, the built-in mail function cannot be used: it is too simple, offering no way to authenticate to a mail server or to encrypt the connection. Instead, the PEAR Mail package allows sending through an external SMTP server with authentication and SSL.

LuxSci’s HIPAA-compliant email accounts permit this kind of mail delivery; however, like most, they do limit the number of messages that you can send per day. If your web site needs to send larger numbers (hundreds or thousands) of secure email messages each day, then you need to relay your web site’s email through a HIPAA-compliant bulk email sending service, such as LuxSci Premium High Volume email.
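The following is an added example, not code from the original post or from LuxSci: a PHP form handler that hands a submission to an authenticated, SSL-protected SMTP account through PEAR Mail, with the mail() call it replaces shown commented out. The host, port, addresses and environment-variable names are placeholders; the same configuration applies whether the host is your compliant account’s SMTP server or a high-volume relay.

```php
<?php
// Added example (not from the original post). Requires the PEAR packages
// Mail and Net_SMTP. Host, port, credentials and addresses are placeholders.
require_once 'Mail.php';

// Insecure baseline the post warns against: mail() hands the message to the
// local MTA with no authentication, no transport encryption and no archive.
// mail('clinic@example.com', 'New web form submission', $body);

$smtpParams = array(
    'host'     => 'ssl://smtp.example.com', // ssl:// forces an encrypted connection
    'port'     => 465,                      // implicit SSL/TLS SMTP port
    'auth'     => true,                     // authenticate as the compliant account
    'username' => getenv('SMTP_USERNAME'),  // keep credentials out of the code base
    'password' => getenv('SMTP_PASSWORD'),
);

$headers = array(
    'From'    => 'forms@example.com',
    'To'      => 'clinic@example.com',
    // Keep the subject generic: subjects show up in mail logs and previews
    // outside the protected message store, so never put patient details here.
    'Subject' => 'New web form submission',
    'Date'    => date('r'),
);

// Constructed sample body; in production this is the validated form post.
$body = "Name: Jane Doe\nReason for visit: annual check-up\n";

$mail = Mail::factory('smtp', $smtpParams);
if (PEAR::isError($mail)) {
    error_log('SMTP setup failed: ' . $mail->getMessage());
    http_response_code(500);
    exit('Unable to deliver your submission. Please try again later.');
}

$result = $mail->send('clinic@example.com', $headers, $body);
if (PEAR::isError($result)) {
    // Log the failure, never the body (it may contain ePHI), and show the
    // user a generic error rather than the SMTP details.
    error_log('Form mail failed: ' . $result->getMessage());
    http_response_code(500);
    exit('Unable to deliver your submission. Please try again later.');
}
```

Archiving of the sent copy still has to be provided by the receiving account or relay; this code only covers authenticated, encrypted submission to it.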

So, sending secure email messages from your web site is not particularly difficult; however, you need to be sure that steps are taken to actually send these messages securely. Otherwise, you will automatically be out of compliance. As with most web hosting solutions, it is up to you to ensure that the site is designed in a compliant way.