HIPAA. The Health Insurance Portability and Accountability Act of 1996.

Requirements of HIPAA Compliant Email

HIPAA stands for the Health Insurance Portability and Accountability Act, enacted by the U.S. Congress in 1996. HIPAA was updated in 2013 to accommodate changes in work practices and technology adoption in the healthcare industry. Neither the Privacy Rule nor the Security Rule under HIPAA prohibits the use of email for sending ePHI. What matters when sending ePHI by email is maintaining the security, privacy and confidentiality of the data.

Are Emails HIPAA Compliant?

Today email is a convenient way to share an individual's details and information. It is fast and convenient, but keeping email secure is tricky. HIPAA requires covered entities and business associates to safeguard an individual's ePHI against unauthorized access.

Email can therefore be used in a HIPAA compliant way. Under the HIPAA email rules, organizations must implement access controls, audit controls, integrity controls, person or entity authentication, and transmission security in order to meet the security and privacy standards set by HHS. To protect an individual's ePHI sent by email, organizations must:

  1. Restrict access to PHI
  2. Monitor how PHI is communicated
  3. Ensure the integrity of PHI at rest
  4. Ensure 100% message accountability, and
  5. Protect PHI from unauthorized access during transit

Any covered entity or business associate sending PHI by email must meet the following two conditions:

Encryption Requirements

All ePHI sent by email must be encrypted and user data must be protected. Many covered entities and business associates that follow HIPAA email policies say that encryption is sufficient to ensure HIPAA compliance for email. Many others hold that the HIPAA email rules cover more than encryption: factors such as keeping names and other identifying details out of the subject line (subject lines are message headers, which body encryption schemes such as S/MIME and PGP do not encrypt), and preventing unauthorized use of an email account, must also be considered. Encryption alone does not satisfy the access control requirement to monitor how PHI is shared, nor the authentication requirement that ensures message accountability. Any email containing PHI that is sent beyond the covered entity's firewall must be protected with encryption. Strictly speaking, the Security Rule lists transmission encryption as an "addressable" implementation specification, meaning a covered entity that chooses not to encrypt must document why and what equivalent safeguard it uses; in practice, for email leaving the organization's network, encryption is the expected control.

Secure Messaging Solutions

HIPAA permits Bring Your Own Device (BYOD) policies. Workers can use their own personal devices, but only through a secure messaging solution. With a secure messaging solution, all activity on the platform is recorded and an audit trail is maintained.


In summary, email encryption is a must when sending ePHI by email, and organizations should make use of secure messaging solutions. With these two measures in place, covered entities and business associates can readily comply with the HIPAA email rules.


© All Rights Reserved by HIPAA Data Retention