Is your email HIPAA compliant?


Today, email has become a ubiquitous form of business communication. In healthcare, patients have come to expect more and more of their communication to happen over the internet rather than through traditional means. I am often asked by doctors how secure their email is and whether they can use it for patient communication. How does HIPAA, the Health Insurance Portability and Accountability Act, affect healthcare businesses and their use of email?


In general, is email secure?

A: No. Unless you are using an encrypted email solution, messages can be intercepted and read, and ordinary email gives you no real assurance that the person who receives the message is the person you intended to send it to. Once a message leaves your outbox it is routed from your server to your recipient's email server, which may or may not be secured. Even where the servers along the way use TLS, that protection is usually opportunistic: a sender falls back to cleartext when the receiving server does not offer encryption, so you cannot assume a message was protected in transit just because your own server supports it.
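Two checks a practitioner can run against a recipient domain to see whether that "may or may not be secure" server will actually protect a message in transit, as an added example that is not part of the original post: does the receiving SMTP server advertise STARTTLS in its EHLO reply, and does the domain publish an MTA-STS policy (RFC 8461) in enforce mode naming that server, so a sender can refuse cleartext delivery rather than silently falling back. The EHLO transcripts, host names and policy text are constructed for illustration; live_starttls_check() talks to a real server and assumes your network allows outbound SMTP.

```python
"""Check whether a recipient's mail server will protect a message in transit.

Added example, not code from the original post. Two things are checked:
  1. Does the receiving SMTP server advertise STARTTLS in its EHLO reply?
  2. Does the recipient domain publish an MTA-STS policy (RFC 8461) in
     'enforce' mode that names that server, so a sender can refuse to
     deliver in cleartext rather than silently falling back?
The EHLO transcripts and the policy text below are constructed for
illustration; live_starttls_check() talks to a real server and assumes
the network allows outbound port 25.
"""
import smtplib


def parse_ehlo(response: str) -> set[str]:
    """Return the extension keywords from a raw multi-line EHLO reply.

    RFC 5321: every line is '250-TEXT' except the final '250 TEXT'.
    The first line carries the server's greeting, not an extension.
    """
    lines = [ln for ln in response.splitlines() if ln.strip()]
    if not lines or not all(ln.startswith("250") for ln in lines):
        raise ValueError("not a successful EHLO reply")
    keywords = set()
    for line in lines[1:]:
        parts = line[4:].split()          # drop '250-' or '250 '
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def offers_starttls(response: str) -> bool:
    return "STARTTLS" in parse_ehlo(response)


def parse_mta_sts(policy_text: str) -> dict:
    """Parse an MTA-STS policy file into a dict; the 'mx' key may repeat."""
    policy = {"mx": []}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_allowed(mx_host: str, policy: dict) -> bool:
    """True if mx_host matches one of the policy's mx entries.

    '*.example.net' matches exactly one additional leading label
    (RFC 8461 section 4.1): 'mx1.example.net' yes, 'a.b.example.net' no.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # '.example.net'
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_is_protected(ehlo_response: str, mx_host: str, policy: dict) -> bool:
    """A sender can insist on TLS only if the domain enforces it, the MX it
    resolved is one the policy names, and that MX actually offers STARTTLS."""
    return (
        policy.get("mode") == "enforce"
        and mx_allowed(mx_host, policy)
        and offers_starttls(ehlo_response)
    )


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Ask a real server (assumption: outbound SMTP is reachable)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample data (not captured from any real server or domain).
EHLO_WITH_TLS = (
    "250-mx.example.net Hello\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
    "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_TLS = "250-legacy.example.org\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"
STS_ENFORCE = "version: STSv1\nmode: enforce\nmx: mx.example.net\nmx: *.example.net\nmax_age: 604800\n"
STS_TESTING = STS_ENFORCE.replace("mode: enforce", "mode: testing")

if __name__ == "__main__":
    pol = parse_mta_sts(STS_ENFORCE)
    print("STARTTLS offered:", offers_starttls(EHLO_WITH_TLS), offers_starttls(EHLO_WITHOUT_TLS))
    print("enforced for mx.example.net:", delivery_is_protected(EHLO_WITH_TLS, "mx.example.net", pol))
    print("testing mode only:", delivery_is_protected(EHLO_WITH_TLS, "mx.example.net", parse_mta_sts(STS_TESTING)))
```

The STARTTLS check alone is not enough: because the extension is advertised in cleartext, an attacker on the path can strip it and the sending server will happily continue unencrypted. That is why delivery_is_protected() also requires an enforce-mode policy; a domain in testing mode or with no policy at all gives you no guarantee, which is the same conclusion the answer above reaches about ordinary email.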


Are there any rules in HIPAA governing email?

A: Yes. There are several key requirements you must meet for your email to be HIPAA compliant.

  1. Security – You must have safeguards in place for how email containing sensitive patient information is handled and for who can access it. Your email system must require secure, authenticated access, and all staff who use email must comply with the HIPAA standards for PHI (Protected Health Information). Are all staff using email at your practice aware of the HIPAA rules for PHI?
  2. Patient Consent – Patients may consent to email communication, provided they have been informed of the risks of having their information sent over email.
  3. Agreements – This requirement is key and often overlooked. Any email service you use that is not run in house, such as the popular Google Apps for Business or Office 365, is handling PHI on your behalf, and its provider must sign a Business Associate Agreement (BAA) with the health care provider.


What should I look for when choosing an IT Managed Services Provider if my practice is to stay HIPAA compliant?

  • Your Managed IT provider is willing to sign a Business Associate Agreement committing to protect confidential patient information to the same standards as your practice.
  • Your Managed IT provider knows and understands the requirements of HIPAA and has Business Associate Agreements in place with all of its own vendors and partners that may handle patient data.
  • Your Managed IT provider offers an email encryption solution for outgoing email.
  • Your Managed IT provider keeps encrypted off-site backups, with retention policies in place to keep your email for at least 7 years.


