Home 5 Blog 5 Are you keeping your email compliant with HIPAA?

Are you keeping your email compliant with HIPAA?

by | Apr 14, 2021 | Blog

By Ron Slyker bio If you are a lab manager, you have more than likely heard the term “HIPAA compliance.” Most relate it to the protection of patient health information (PHI) within the office, but HIPAA compliance extends beyond internal communications. Ensuring email is HIPAA compliant is one of the most overlooked components of HIPAA […]

By Ron Slyker bio

If you are a lab manager, you have more than likely heard the term “HIPAA compliance.” Most relate it to the protection of patient health information (PHI) within the office, but HIPAA compliance extends beyond internal communications. Ensuring email is HIPAA compliant is one of the most overlooked components of HIPAA compliance. A common misunderstanding is that an email is secure when you are sending it. Nevertheless, if the right protective layers are not configured, this is not the case. HIPAA compliant email communication is a necessity in today’s technical environment.


Email encryption is almost always mandatory to be HIPAA compliant. Simply put, when an email is encrypted, the contents are masked to everyone but the recipient. There are two types of encryption:

Transport level: This level of encryption masks the email contents from email server to email server, or inbox to inbox. Once the email arrives in the inbox, it is no longer encrypted, letting anyone with access to the inbox the ability to read it.

End-to-end: This means the email message is always encrypted. In order to access the email contents, a user would need login credentials for access.
Most email includes transport level encryption, such as Google and Office 365. For HIPAA compliance and other industry regulations, transport level encryption does offer enough protection. Truly protecting PHI and other important information must require end-to-end encryption.

Most third-party email providers, such as GoDaddy, BlueHost or Wix, do not include any encryption, even if you access them through Outlook. To enable encryption, server settings would have to be entered manually by a qualified IT professional.

Often, in order to enable end-to-end encryption an additional service is required. There are several great encryption services that can be put in place, but there are a few things to verify when deciding which encryption service will best fit your needs.

  1. Is the encryption easy to enable or does it encrypt every email?

Some providers simply supply you with an add-on for Microsoft Outlook so you can click a button to encrypt the email, while others may look for a keyword in the subject or brackets surrounding the subject line.

Whatever service is selected, it is necessary for your employees to understand how to encrypt an email, as well as the significance of always using it when sending ePHI to make sure they are always sending HIPAA-compliant emails.

  1. Does the service also encrypt the recipient’s reply to the email?

Your patients may not know that responding to an email with PHI could leave that email visible to others. If the service does not also encrypt the recipient’s response, it is not the best option.

  1. Does the service require the recipient to login to a portal to retrieve the message? If so, does it allow the portal to be personalized?

Logging into a portal can be confusing for users, but lots of offices use them. If you do decide to make use of a portal, it is important that you personalize the login page so users feel comfortable putting in their credentials. Many medical offices use medical portals which send you a regular email letting you know they have left you a message in the patient portal in order to stay HIPAA compliant. All communication is contained within the secured portal.

  1. Does the encryption service integrate with all email providers? Is it compatible with any device or browser?

Some encryption services only function with certain email providers, making them much less effective. Furthermore, many offices use a combination of devices and browsers, so making sure they are all compatible is necessary for keeping emails compliant with HIPAA.

  1. Does the message automatically delete after a period of time?

Some encryption providers will even provide a feature, so the message is only accessible for a certain amount of time, after which the link to the encrypted message is no longer valid.

  1. Are they willing to sign an associate agreement?

Any vendor that your lab is utilizing that has potential access to PHI must sign a business associate agreement. Not having them in place will likely result in a fine.

  1. Is your email using a custom domain or are you using a gmail.com or yahoo.com account?

Most encryption services require that you have your own domain. The only way to encrypt email properly going both directions will be to use your own custom branded domain. Most reputable businesses now operate using their own domain and it adds to the authenticity of emails that are sent.

Does the email need to be encrypted? 

Below is a list of different types of emails that are commonly sent and whether they need encrypted or should be sent at all. This should help to clear up any confusion and always keep your emails HIPAA Compliant.

Internal emails: Email within the same office, using the same secure email server do not need encryption. It is important that these remain within the internal environment and not forwarded to an outside recipient unless encryption is added.

Emails to other healthcare practitioners: If the doctors are outside of your office, any email sent to them including PHI must be encrypted. You should also ensure that you are using a service that allows the recipient’s response to be encrypted as well.

Sending emails from personal email address or public domain: It is vital to never send any PHI from personal email addresses. Even if it is the doctor sending an email from their personal email address to their work email. The personal email address most likely does not have encryption enabled and would leave the PHI exposed.

Mass emails: When sending mass emails, it is important to use a mail merge feature or a HIPAA compliant application allowing mass emails to go out without others being able to see who else the email was sent to. In addition, recipients should not be able to “Reply All” in case they respond with a question including their PHI.

Replying to emails: When replying to emails that contain PHI, always ensure encryption enabled. Even if the initial sender did not encrypt their email, the response being encrypted will help limit the exposure of the PHI.

Emails directly to patients: Emails sent directly to patients should always be encrypted as well as their response. Any communication with a patient, even if it initially does not include PHI, could lead to questions concerning their health and PHI, those emails need to be encrypted to prevent exposure.

The procedures supporting HIPAA compliant email in your office should be revisited regularly. Technology is constantly changing, and HIPAA compliance is changing with it. What was considered HIPAA compliant last year, may not be considered compliant this year.

Related Posts