What happens when your email provider experiences a breach

Email attacks are responsible for 18.1% of healthcare breaches. When your email provider experiences a data breach involving protected health information (PHI), the provider must act immediately by notifying your organization, and your organization must then respond. Your organization is responsible for informing the impacted individuals, the Department of Health and Human Services (HHS), and, if more than 500 individuals are affected, the media. Even if the breach originated with the provider, your organization remains liable under HIPAA and could face significant penalties if proper safeguards were not in place.

The role of your email provider under HIPAA

Under HIPAA, an email provider that handles PHI on your behalf is considered a business associate. Your provider must comply with HIPAA regulations and safeguard the PHI it handles. As a covered entity, you must ensure that your email provider follows the HIPAA requirements by signing a business associate agreement (BAA). The BAA outlines the obligations of the provider, including security measures and breach notification protocols. However, even with a BAA in place, healthcare organizations are still held accountable for how PHI is handled.

Related: The consequences of not having a BAA with an email service provider


Data breach notification requirements

When an email provider experiences a data breach that compromises PHI, the provider and your organization have specific notification duties.


The business associate’s obligation

The email provider must notify your organization of the breach without unreasonable delay, usually within 60 days of discovering it. The notification should include details about the breach, such as the types of PHI involved, the individuals affected, and the steps to mitigate the damage.


Covered entity’s obligation

After receiving the breach notice, your organization must notify the affected individuals, the Department of Health and Human Services (HHS), and, if the breach involves more than 500 individuals, the media. These notifications must also be completed within 60 days of discovering the breach.


Conducting a post-breach risk assessment

Once a breach occurs, a thorough risk assessment is required to understand the severity and impact. The assessment should evaluate:

  • The type of PHI exposed (e.g., medical records, Social Security numbers)
  • Whether the PHI was encrypted or otherwise protected
  • The potential for misuse or harm
  • The likelihood that the information has been accessed or used inappropriately

The results of this risk assessment will help guide your organization’s response, including whether additional notifications or mitigation steps are required.

Read more: How to perform a risk assessment


Mitigating the impact of the breach

  • Notifying patients: Inform affected individuals promptly so they can protect themselves, for example by monitoring their credit reports.
  • Strengthening security: Review the BAA and security protocols with your email provider. If weaknesses are found, work together to enhance protections, including encryption and access controls, to prevent future breaches.


Covered entities’ liability and legal consequences

Even if the breach occurred due to your email provider’s actions, your organization remains liable under HIPAA. The Office for Civil Rights (OCR) will likely investigate the incident to determine whether you took reasonable steps to prevent the breach, such as choosing a HIPAA-compliant provider and conducting regular risk assessments.

Penalties can range from $100 to $50,000 per violation, with a maximum annual penalty of $1.9 million for identical violations. Your healthcare organization must take a proactive approach to compliance.


Best practices for preventing future breaches

  • Choose a HIPAA-compliant email provider: Ensure your provider uses encryption and robust security protocols.
  • Regularly update security measures: Perform frequent risk assessments and update your email system’s security features as needed.
  • Train staff: Ensure employees know HIPAA requirements and how to handle PHI securely.
  • Use encryption and access controls: Protect PHI with strong encryption and limit access to authorized personnel only.

Related: HIPAA Compliant Email: The Definitive Guide


FAQs

Can you switch email providers after a breach without violating HIPAA?

Yes, you can switch email providers, but make sure the transition is secure and the new provider signs a BAA and complies with HIPAA security standards to avoid future risks.


Can you be fined if your email provider's breach didn't involve your patients' PHI?

No, if the breach doesn’t involve your patients' PHI, your organization would not be subject to HIPAA penalties. You must still ensure the provider’s systems are secure to prevent future risks.


Are there specific steps to take if the breach involves email attachments with PHI?

If PHI in attachments is compromised, the same breach notification and risk assessment rules apply. Ensuring attachments are encrypted in the future can prevent this type of breach.