This article is part of a series discussing various aspects of HIPAA compliance. ProtonMail is the world’s largest secure email provider, used by millions to protect their messages. We provide HIPAA compliant email to thousands of organizations, and we created this guide to explain how to select the best HIPAA compliant email provider for your organization.
The United States’ Health Insurance Portability and Accountability Act (HIPAA) is a complex set of laws that secures patients’ protected health information (PHI). All entities that have any contact whatsoever with PHI are required to be HIPAA compliant.
The regulatory body that oversees HIPAA, the Department of Health and Human Services (HSS), divides such entities into covered entities (primary healthcare providers) and their business associates (see What is HIPAA Compliance? for more details).
Covered entities can exchange relevant PHI with other covered entities and business associates so long as the information is communicated in a HIPAA compliant way.
Any third-party service used to facilitate this communication (such as an email provider) is considered a business associate and must itself be HIPAA compliant.
What is HIPAA compliant email?
According to the Office for Civil Rights, the Security Rule requires covered entities to “implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to EPHI [electronic PHI]”.
Covered entities must carefully assess how they access the internet and how they plan to protect EPHI as it is transmitted. Once they select a solution, they must document the decision. So covered entities can send EPHI over the internet as long as adequate protections are in place.
There is no formal certification for HIPAA email compliance, so the main measure of whether an email service is HIPAA compliant is whether it follows all the regulations in the HIPAA Privacy Rule and the HIPAA Security Rule.
- Privacy Rule — Defines in detail what data constitutes PHI and explains how and when covered entities can access it. Importantly, it permits covered entities to disclose PHI to business associates that have signed a business associate agreement (BAA) contract. Business associates agree to only use PHI for the purpose originally specified by the covered entity when they sign a BAA.
- Security Rule — Defines the physical, electronic, and administrative protections that must be in place for storing, handling, and transmitting EPHI.
The Security Rule includes several provisions that are important for email HIPAA compliance:
- Covered entities must take reasonable steps to ensure that PHI in their inbox is secure.
- They must also take reasonable steps to ensure that PHI is protected in transit when sent to a recipient’s inbox.
- Once the PHI has been transmitted, it becomes the obligation of the recipient to secure it in their inbox.
- Any third-party service used to transmit PHI (i.e., the email provider) must sign a BAA contract to become a business associate.
What to look for when picking the best HIPAA compliant email provider
You should consider the following security factors in your evaluation of whether an email service you’re considering satisfies the provisions outlined above.
1. TLS encryption to secure PHI in transit
Note that the recipient’s email service must also use TLS, or the data will be exposed in plaintext. This is unlikely to be a problem if the recipient’s email provider is also HIPAA compliant. A good email service uses SSL certificates from only the most trusted certificate authorities and secures the TLS connection with robust RSA encryption.
2. AES encryption for emails stored at rest on servers
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops security and encryption standards and guidelines for the US government. Advanced Encryption Standard (AES) is a NIST-certified symmetric-key encryption standard that has no known vulnerabilities (when implemented correctly). The NIST recommends using key sizes of at least 128 bits. Stored EPHI must remain secure for at least 50 years after the patient’s death.
3. End-to-end encryption (E2EE) and digital signing of emails
Although not strictly required for HIPAA compliance, end-to-end encryption ensures that only the intended recipient can access the emails you send. This means that even the email service you use can’t access E2EE emails stored on its servers.
4. Strong physical security
A good HIPAA compliant email provider will have total control over its own servers and robust physical security measures in place to prevent unauthorized access to its servers.
5. Proper disposal of data
It is important that when a contract between a covered entity and its business associate email provider ends, all data stored on the email provider’s servers is securely deleted. The email service also must destroy all printed reports or paper copies.
ProtonMail is a HIPAA compliant email service developed by CERN scientists. It uses OpenPGP end-to-end encryption to ensure that only authorized personnel within your organization and your business associates can access PHI data.
How HIPAA compliant email protects privacy
A good HIPAA compliant email service should protect PHI in the following ways:
1. Controlled access and unique identity verification
Only authorized individuals should be able to access EPHI, so email accounts require strong access control. A good HIPAA compliant email service should require that users deploy strong passwords and two-factor authentication to secure their accounts.
Although technically not mandatory, encrypting a message while it is in transit to an email server and while it is stored on a server is, in reality, the only way to maintain HIPAA compliance. End-to-end encryption, where the email is encrypted all the way to the recipient’s inbox, even when they use an insecure third-party email service, is highly recommended.
3. Data integrity
It is important that the recipient of an email containing PHI has confidence that the email was not improperly modified in transit, and that the sender is genuinely the entity they think it is. OpenPGP and S/MIME allow the sender to digitally sign emails. Doing this guarantees the identity of the sender and provides data integrity. If the email has been tampered with in any way since it was signed, the data integrity verification will fail.
Does HIPAA compliant email require encryption?
Technically speaking, encryption is not a mandatory requirement under the Security Rule. It is classed as “an addressable implementation specification,” which means that an entity must provide compelling and fully documented reasons for its decision not to use it.
A large part of the reason that encryption was not made mandatory was a recognition of the fact that security challenges and the standards developed to meet them change so fast that legislation needs to be flexible if it is to keep up with new developments in the security field.
In the context of emails, a HIPAA compliant entity must perform a risk analysis to decide if encryption is necessary. This plan must assess all threats to the confidentiality of emails sent over the internet and describe the measures that it will take to address these risks.
In practical terms, it is very difficult to do this without encrypting all messages. HIPAA does not specify any formal requirements for the encryption that must be used for email to be HIPAA compliant, but it must meet the standards detailed in the NIST guidelines on email security.
HIPAA email violations and breaches
The most common ways in which the use of email can violate HIPAA regulations are:
1. No patient consent
The HHS states that patients are permitted to initiate unencrypted email communication with HIPAA compliant entities, but if “the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.”
HIPAA compliant entities should therefore take great care to alert patients who communicate by email of the potential risks this poses to their PHI. These entities should receive a clearly expressed preference (or at least consent) to communicate by email from the patient before they proceed.
2. No business associate agreement (BAA)
As discussed above, email providers have contact with PHI and so must sign a BAA guaranteeing that they comply with HIPAA regulations. End-to-end encrypted email services should be unable to access any emails from their own customers, but there is no guarantee that a patient will enable end-to-end encryption when sending an email. Entering text into email clients before it is encrypted is also a grey area.
Obtaining a signed BAA from your email provider is easy to do, so there is never an excuse for not doing it.
3. A BAA alone is not enough
Although a signed BAA from your email provider is essential, it is not enough to make you HIPAA compliant. The BAA only guarantees that your email provider will store your email in a secure and HIPAA compliant way. It does not protect PHI when it is transmitted via third-party email providers (for example, the ones used by your patients).
As discussed above, you can maintain HIPAA compliance by receiving patient consent to send them emails, and the use of fully end-to-end encrypted email services can help address this issue. It is important, however, to be aware of this issue and make appropriate contingency plans for it.
4. Insufficient administrative and physical safeguards
In addition to technical safeguards, it is important to have administrative systems in place to ensure that EPHI is never leaked via email. These systems can include regular internal analysis and checks on policy updates. They can also include practices such as only divulging the minimum amount of PHI required to perform a given task.
HIPAA also requires physical safeguards for PHI, which in relation to email, primarily means that workstations are secured behind locked doors and that extra care is taken to secure laptops and other devices in public spaces.
5. Insufficient staff training
Technical and administrative safeguards are well and good, but they are of little use if staff doesn’t (or doesn’t know how to) use them. Staff should be fully trained in all aspects of ensuring email communication containing PHI is secure.
6. Sending PHI to the wrong person
Probably the biggest potential “Oh no!” moment when dealing with HIPAA compliant email is the realization that you sent EPHI to the wrong person. Any such violation should be fully documented, and measures should be taken to mitigate the situation and ensure it never happens again.
7. Sending PHI by mistake
Another common simple mistake is unintentionally sending EPHI via insecure email. A strategy often employed by covered entities and business associates is to not send PHI via email at all. In theory, this removes the need to use a HIPAA compliant email service.
It is, however, all too easy to include PHI in emails, either by accident or because you are unaware that information such as personal contact details and payment details are PHI.
How to pick the best HIPAA compliant email provider (and why)
There are several encrypted messaging options that can help you achieve HIPAA compliance. However, given the sensitivity of EPHI, you want to be certain that the solution you choose inspires confidence in your patients. By selecting an easy-to-use email service that meets the criteria listed above, you will be HIPAA compliant and show your patients you take protecting their personal data seriously.
Founded by MIT and CERN scientists, ProtonMail is the world’s largest open source and end-to-end encrypted email service.
With a ProtonMail Professional account, you can create custom domain email addresses for your organization, and multiple user control levels and account types let you easily administer your organization and fine-tune security settings.
ProtonMail supports two-factor authentication, and can be accessed via any web browser, through its Android and iOS apps, or using a third-party email client, such as Outlook, Thunderbird, or Apple Mail.
ProtonMail is fully HIPAA compliant:
- You can download our Business Associate Agreement here (simply contact us if you need it signed).
- Our servers are all independently certified to adhere to ISO27001 international corporate security standards. Housed in several data centers in Switzerland, our servers employ both robust physical security measures and use AES-encrypted hard disks with multiple password layers, so data security is preserved even if our hardware is seized.
- We are very careful to properly dispose of data. If clients request physical reports, we shred them immediately after the task is over. When a BAA contract ends, we delete all data stored on our servers.
- ProtonMail uses zero-access encryption and end-to-end encryption, which means that even we can’t access any emails stored on our servers. And because we use OpenPGP, ProtonMail is interoperable with any other system or email software that supports PGP. This ensures secure end-to-end encrypted communication between users of different email providers is possible. ProtonMail also has a system for sending end-to-end encrypted emails to non-PGP users of other services.
How to send HIPAA compliant email?
1. Ensure that your email service is HIPAA compliant
2. Sign a BAA contract with them.
3. Configure your email correctly. This is not usually a concern when using ProtonMail, as all email is end-to-end encrypted until it leaves our service. Although not difficult, a little extra care is always good when sending end-to-end encrypted emails to external recipients using PGP or ProtonMails’s end-to-end encrypted email system for non-ProtonMail or PGP users.
Other email services may require a more complex setup before emails can be sent in a HIPAA compliant manner.
4. When sending emails containing PHI to recipients who use insecure third-party email services, always take great care to ensure they provide informed consent before doing so.
5. Retain all emails. The HIPAA Privacy Rule establishes a patient’s right to demand access to their own PHI, so it is important to maintain an archive of all emails in order to comply. Although HIPAA does not specify a time limit for data retention, many US state laws do. In general, a retention policy of at least 6 years is recommended.
HIPAA email compliance FAQ
Yes, but robust measures must be taken to ensure PHI sent by email is protected in accordance with the Security Rule. A key element of this is using a HIPAA compliant email service.
You should always bear in mind, however, that the recipient’s email service may not be secure. If a patient consents, you can send PHI to them by email anyway, but you should first ensure they know the implications of doing this and are aware of alternative options.
Strictly speaking, no. But in practice, yes. If encryption is not used, then the covered entity or business associate must fully explain their reasoning and document the measures it used instead. It is very hard for an email service to be HIPAA compliant without encryption.
No. The provider must implement technical, administrative, and physical safeguards to ensure PHI is secure on its service. Covered entities and business associates must ensure that EPHI sent by email cannot be deliberately accessed by any unauthorized person.