Email attacks are responsible for 18.1% of healthcare breaches. When your email provider experiences a data breach involving protected health information (PHI), the provider must notify your organization immediately, and your organization must then act on that notice. Your organization will be responsible for informing impacted individuals, the Department of Health and Human Services (HHS), and possibly the media if more than 500 individuals are affected. Even if the breach originated with the provider, your organization remains liable under HIPAA and could face significant penalties if proper safeguards were not in place.
Under HIPAA, an email provider that handles PHI on your behalf is considered a business associate. Your provider must comply with HIPAA regulations, ensuring that PHI is safeguarded. As a covered entity, you must ensure that your email provider follows the HIPAA requirements by signing a business associate agreement (BAA). The BAA outlines the obligations of the provider, including security measures and breach notification protocols. However, even with a BAA, healthcare organizations are still held accountable for how PHI is handled.
Related: The consequences of not having a BAA with an email service provider
When an email provider experiences a data breach that compromises PHI, the provider and your organization have specific notification duties.
The email provider must notify your organization of the breach without unreasonable delay, usually within 60 days of discovering it. The notification should include details about the breach, such as the types of PHI involved, the individuals affected, and the steps to mitigate the damage.
After receiving the breach notice, your organization must notify the affected individuals, the Department of Health and Human Services (HHS), and, if the breach involves more than 500 individuals, the media. These notifications must also be completed within 60 days of discovering the breach.
Once a breach occurs, a thorough risk assessment is required to understand the severity and impact. The assessment should evaluate:
The results of this risk assessment will help guide your organization’s response, including whether additional notifications or mitigation steps are required.
Read more: How to perform a risk assessment
Even if the breach occurred due to your email provider’s actions, your organization remains liable under HIPAA. The Office for Civil Rights (OCR) will likely investigate the incident to ensure you took reasonable steps to prevent the breach, such as choosing a HIPAA compliant provider and conducting regular risk assessments.
Penalties can range from $100 to $50,000 per violation, with a maximum annual penalty of $1.9 million for identical violations. Your healthcare organization must take a proactive approach to compliance.
Related: HIPAA Compliant Email: The Definitive Guide
Yes, you can switch email providers, but make sure the transition is secure and the new provider signs a BAA and complies with HIPAA security standards to avoid future risks.
No, if the breach doesn’t involve your patients' PHI, your organization would not be subject to HIPAA penalties. You must still ensure the provider’s systems are secure to prevent future risks.
If PHI in attachments is compromised, the same breach notification and risk assessment rules apply. Ensuring attachments are encrypted in the future can prevent this type of breach.