What Do The HIPAA Regulations For Email Actually Say?
According to the US Department of Health and Human Services website, “the [HIPAA] Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”
At first glance, sending ePHI by email appears acceptable provided the sender and the recipient use the same encryption software (hardly a practical solution). However, emails are copied onto routing servers while in transit, and there is no way to delete those copies remotely should an unauthorized party with the same encryption software gain access to them.
Therefore, although the HIPAA regulations for email do not ban sending ePHI by email, there is still the question of how to send emails and remain HIPAA compliant. Furthermore, although the new legislation classified the sending of ePHI by email as an “addressable” requirement, this was never intended to mean “optional”: it is a requirement organizations must comply with if they are to avoid severe financial penalties following a breach of ePHI.