October 8, 2015

Email Compliance in Healthcare: Conforming to HIPAA


Hostway Team

What are the rules when it comes to HIPAA and email, and how can healthcare providers ensure they are compliant?

Email supports quick communication among people who might be worlds apart, enabling users to attach, transmit, and access messages as well as other assets. However, depending upon the industry in which the organization operates, there may be specific rules that govern the use of email. Healthcare is among the most prominent examples.

Hospitals, doctors, and other practitioners are privy to sensitive patient information that must be kept safe. Healthcare providers are increasingly using email to connect with patients and discuss medical conditions and treatments. These providers must use email in a way that is compliant with industry rules.

"So long as the proper precautions are taken, healthcare providers can leverage email in a safe way that aligns with HIPAA requirements."

For companies in the United States, the most important standard is the Health Insurance Portability and Accountability Act, or HIPAA, which outlines the proper treatment of sensitive patient details and digital records.

What does HIPAA say about email?
HIPAA guidelines don't prohibit the use of email, but ask that healthcare providers observe certain considerations when transmitting sensitive information. According to the HIPAA FAQs page, "The Privacy Rule allows covered healthcare providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message."

HIPAA also notes that when patients initiate email contact with the provider, the healthcare organization assumes the responsibility for ensuring that messages are acceptable and that the patient understands the potential risks of using an unencrypted platform. The provider can make the patient aware of these possible threats and let him or her decide whether or not to continue communicating in this manner.

The HIPAA Privacy Rule isn't the only standard that applies here, however. The Security Rule can also come into play, particularly when it comes to sending electronic protected health information, or e-PHI. According to HIPAA, "The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI." This means not only written policies, but encryption as well: healthcare organizations must encrypt e-PHI in order to transmit it safely over an open network such as the public internet.

Considerations for compliant email
While much of compliance depends upon how email is used, the email platform itself must also be compliant. Not all email systems are aligned with HIPAA guidelines by default. In fact, most free services, including Gmail, Yahoo Mail and others, do not have the proper protections in place for sending communications containing e-PHI, whether in the body of the email or as an attachment. These services should not be used for such communications within a healthcare setting.

There are hosted platforms, however, that are HIPAA-compliant. These implement strong security measures, including encryption and message expiry, to ensure protection of sensitive health information. A message expiry date can be attached to communications that contain e-PHI, allowing those messages to be remotely deleted after a set period of time. This prevents protected data from lingering in mailboxes where it could be stored or accessed inappropriately.

But using a compliant email solution isn't just about aligning the organization with HIPAA. This strategy comes with its share of benefits as well, such as streamlined delivery of lab results, enhanced communications among doctors and staff, access to e-PHI while away from the office, and better connections with patients.

Top-tier hosting

One of the best ways to ensure compliance is to leverage the services of a hosting provider. Hostway, for instance, allows healthcare providers to have granular management control, view daily reviews of security event log files, and deploy a robust firewall and intrusion detection and prevention system.
To learn how you can migrate your email platform to a compliant environment that’s monitored 24/7/365 for security risks, contact Hostway for a free assessment today.

© Copyright 2021 Hostway. All rights reserved.