A Checklist for HIPAA-Compliant Email

Email is an easy way to communicate with colleagues and patients, but it also creates the risk of exposing protected health information (PHI). This HIPAA-compliant email checklist can help physicians ensure they take the precautions necessary to secure patient information.

Does HIPAA allow providers to send PHI via email?

Simply put, yes. As a physician, you can use emails to communicate PHI to patients or other providers. 

But healthcare providers and their business associates need to take certain precautions to ensure their email use complies with HIPAA rules. 

But before we jump into the checklist for keeping your email secure, let’s review a few fundamental points about HIPAA. Remember that: 

• HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the primary federal law that protects health information. 
• The HIPAA Privacy Rule covers protected health information (PHI) in any form, whereas the HIPAA Security Rule outlines requirements for handling electronic data (ePHI).
• HIPAA rules apply to covered entities, which include healthcare providers like doctors. But it also applies to business associates, like email software companies that provide services that handle ePHI. 
• When healthcare providers use software (email, cloud storage, etc.) to create, receive, maintain, transmit, or access patients’ PHI, they typically sign a Business Associate Agreement (BAA) with the service provider.
• Healthcare providers should ensure email and other software they use is HIPAA-compliant, but this doesn’t guarantee HIPAA compliance. Healthcare providers are responsible for implementing internal processes to comply with HIPAA. 

Please note: This article does not provide legal advice or recommendations based on a provider’s specific circumstances. If you have any doubts, seek expert advice and refer to the ONC’s official information about HIPAA for providers. 

HIPAA-Compliant Email Checklist

Use this checklist to brush up on best practices for keeping your email HIPAA-compliant. This list isn’t comprehensive, but if you follow these steps, you’ll be well on your way to using your email securely. 

1. Know your organization’s email policy

Healthcare organizations are “covered entities” under HIPAA, which means they must have policies and a plan for protecting PHI. If a hospital or health system employs you, review institutional guidelines for email and other software to ensure compliance.

2. Use HIPAA-compliant email software

Don’t assume you can share PHI using your general email app on your laptop or phone. While you can take steps to make most email providers HIPAA-compliant, it’s your responsibility to ensure you’re using sufficiently secure software.

Gmail and Microsoft Outlook are two of the most widely-used email providers; both can be HIPAA-compliant. 

• To use Google Workspace (which includes Gmail) with PHI, providers must sign a Business Associate Agreement with Google. 
• Microsoft provides a HIPAA BAA by default to all customers, so there’s no extra step required to use Microsoft Outlook email with PHI. 

Many third-party software solutions will make your existing email HIPAA-compliant. Popular options include Virtru and Paubox, but there are many others. 

3. Use strong passwords 

Regularly change your email username and password, and use passwords that would be difficult to guess.

4. Do a smartphone security check-up

Smartphones and tablets are now common in medicine, but mobility makes these devices more vulnerable to security risks. Ensure your mobile devices are secure by updating software regularly, avoiding unsecured WiFI networks, and using two-factor authentication. 

5. Ensure images are saved to HIPAA-compliant platforms

If patients send you pictures, ensure you don’t keep these on platforms like iCloud or Google Photos. Regularly delete clinical photos stored on your phone.

6. Check that you have the correct address before hitting “send”

This step is self-explanatory but easy to forget. Before sending an email, double-check you typed the correct address. If you haven’t contacted this person previously, message them first to confirm the address before including PHI. 

Some providers also add a signature line like the following: “This message may contain privileged or confidential information and is for the sole use of the intended recipient(s). Any unauthorized use or disclosure of this communication is prohibited. If you believe you have received this message in error, please notify the sender immediately.”