HIPAA Compliance for Email


Are Emails HIPAA Compliant?

In a busy health care environment, email is a convenient way to share an individual's details and information. At the same time, keeping email secure is tricky. According to HHS, the Security Rule does not prohibit the use of email for sending ePHI; however, it requires covered entities and business associates to safeguard an individual's ePHI against unauthorized access.


Fortunately, you can send ePHI via email, but according to HHS this has to be done in a confidential and secure way.

Are Emails HIPAA Compliant?

According to the HIPAA email rules, covered entities and business associates should implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to meet the security and privacy standards set by HHS. These requirements must be fulfilled in order to:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Many HIPAA covered entities and health care organizations have said that encryption is sufficient to ensure HIPAA compliance for email. But the HIPAA email rules do not just cover encryption. The reason is that encryption alone does not satisfy the audit control requirement of monitoring how PHI is shared, nor the ID authentication requirement that ensures message accountability.

Moreover, email can be HIPAA compliant, but this requires major IT resources and an ongoing monitoring process to make sure that authorized users are communicating PHI in accordance with the organization's policies for HIPAA compliance for email.

HIPAA Email Encryption Requirements

The HIPAA email rules say that messages sent by email must be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall. If the email network of an organization, covered entity, or business associate is behind a firewall, it is not necessary to encrypt messages that stay inside that network.

Encryption is therefore required only for emails that are sent beyond the organization's firewall. Encryption is only one element of HIPAA compliance for email, but it ensures that if a message is intercepted, its contents cannot be read, thus preventing an impermissible disclosure of ePHI. If you use a third-party email provider, enter into a HIPAA-compliant business associate agreement with that provider.
