The HIPAA security rule permits sending electronic protected health information (ePHI) via email or the Internet, provided safeguards are in place to protect the data. The flexibility helps healthcare providers and covered entities communicate efficiently while maintaining compliance.
Yes, the security rule does not prohibit using email to transmit ePHI. According to the U.S. Department of Health and Human Services (HHS), covered entities may use electronic communication methods, including email, as long as they meet HIPAA’s security requirements.
“The security rule allows for ePHI to be sent over an electronic open network as long as it is adequately protected,” explains the HHS. This means organizations must implement safeguards to reduce risks associated with electronic communication.
Read also: What is the HIPAA Security Rule?
HIPAA’s security rule mandates that covered entities follow specific standards to protect ePHI. These include:
Access control: Covered entities must establish procedures to ensure that only authorized individuals can access ePHI. These include using passwords, role-based access, and other mechanisms to restrict unauthorized access.
Integrity: Organizations are required to implement measures that protect ePHI from being altered or destroyed improperly. Ensuring data integrity is fundamental when transmitting sensitive health information.
Transmission security: Policies and procedures must be in place to protect ePHI from unauthorized access during transmission, including using encryption and integrity controls when appropriate.
Related: What are administrative, physical, and technical safeguards?
Under the security rule, some specifications, such as encryption, are categorized as "addressable." Addressable does not mean optional: covered entities must assess whether encryption is reasonable and appropriate for their specific situation. If encryption is not used, the organization must document its decision and implement an equivalent alternative measure to protect ePHI.
The HHS advises, “Covered entities must assess their use of open networks, identify the available and appropriate means to protect ePHI as it is transmitted, select a solution, and document the decision.”
Read more: What is the difference between addressable and required implementation specifications?
To ensure compliance, healthcare organizations should:
Sending ePHI via email or the Internet is permissible under HIPAA, but it requires careful planning and implementation of safeguards. Covered entities must evaluate their communication practices, adopt appropriate measures, and document their efforts to protect sensitive health information. Healthcare organizations can maintain compliance and safeguard patient privacy by following these steps.
The security rule is part of HIPAA that sets standards to protect electronic protected health information (ePHI). It requires healthcare organizations to use safeguards like encryption, secure access controls, and regular monitoring to keep ePHI safe from unauthorized access or breaches.
ePHI stands for electronic protected health information. It includes any health-related data that can identify a patient and is created, stored, or transmitted electronically, such as medical records, billing information, or lab results.
HIPAA-compliant email is a secure email service designed to meet HIPAA’s requirements for protecting ePHI. It uses encryption, access controls, and secure transmission methods to ensure sensitive health information is shared safely and only with authorized recipients.
Learn more: HIPAA Compliant Email: The Definitive Guide