HIPAA Regulations for Email

How To Send Emails And Be HIPAA Compliant

When the Final Omnibus Rule enacted regulations within the Health Insurance Portability and Accountability Act (HIPAA) in March 2013, there was much discussion about whether the HIPAA regulations for email permitted electronic patient health information (ePHI) to be sent by standard email programs if the data within them was encrypted.

The confusion regarding how to send emails and be HIPAA compliant was further complicated by the classification of the regulations for sending ePHI by email as “addressable” (rather than “required”) – a situation which prompted us to produce a white paper – “Top 10 Considerations when Selecting a Secure Messaging Solution”.

This article intends to clear up any confusion over the HIPAA regulations for email, resolve the question of how to send emails and be HIPAA compliant, and explain when sending ePHI by email is permissible. The article should be read in conjunction with our white paper, which can be downloaded free of charge from this page.

What Do The HIPAA Regulations For Email Actually Say?

According to the US Department of Health and Human Services website, “the [HIPAA] Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”

At first glance, it would appear that sending ePHI by email is acceptable provided that the sender and the recipient have the same encryption software (hardly a practical solution). However, emails are copied onto routing servers while in transit, and there is no means of deleting them remotely should an unauthorized party with the same encryption software gain access to them.

Therefore, although the HIPAA regulations for email do not ban sending ePHI by email, there’s still an issue of how to send emails and remain HIPAA compliant. Furthermore, although the new legislation considered the sending of ePHI by email an “addressable” regulation, it was not intended to be an “optional” consideration – rather one which had to be complied with if organizations were to avoid severe financial penalties from a breach of ePHI.

How to Send Emails and be HIPAA Compliant

The most appropriate method of sending ePHI by email is to use a secure messaging system. These systems comply with security measures determined by the HIPAA regulations for email. The messaging system mirrors SMS functionality, with the ability to attach applicable documents, images, and other file types.

The major benefit of transmitting ePHI through one messaging system is the compatibility with various platforms and devices that healthcare employees, agents and third-party service providers use to communicate.

Case studies have shown that sending ePHI through a secure messaging system has also resulted in substantial cost-saving and efficiency-increasing benefits, which have translated into higher levels of healthcare provided to patients. These benefits include:

  • Technicians can deliver test results with secure messaging,
  • Nurse to doctor communications are enhanced with secure messaging,
  • Healthcare employees can receive ePHI “on-the-go” with secure messaging,
  • Hospital administrators can manage patient hand-offs with secure messaging,
  • Emergency and home healthcare decisions can be made faster with secure messaging.

Let TigerText Guide You Through Sending ePHI by Email

TigerText's secure messaging application surpasses the HIPAA regulations for emails, and enables the secure sending of ePHI via a cloud-based “on demand” platform. The application has been specifically designed to be compatible with existing messaging practices and organizational policies so that no specific training is required in order for personnel to understand how to send confidential information and be HIPAA compliant.

System administrators will be saved the task of compiling risk assessments by the read receipts and audit logs that TigerText's secure messaging application generates, and they will be able to assign “message lifespans” to communications – or delete them remotely – to comply with the HIPAA regulations for email.

However, to be certain that your organization obtains the most appropriate secure messaging system to complement your existing software, it is recommended that you download and read our “Top 10 Considerations when Selecting a Secure Messaging Solution” or contact us with any questions you may have about how to send emails and be HIPAA compliant.