Sending ePHI via E-Mail? Here Are 5 Things to Be HIPAA-Compliant

Kelsey Creehan Featured News

By Robert McDermott; President/CEO, iCoreConnect
From the Summer 2019 Journal of the Colorado Dental Association

Do the words “HIPAA compliance” make your eyes roll? When it comes to emailing Protected Health Information (PHI), HIPAA compliance doesn’t need to be complicated or pricey. Keep the following in mind.

The “big guys” aren’t HIPAA compliant right out of the box.
Using a service like Gmail, Yahoo!, or Outlook to send ePHI may seem familiar and easy, but to actually fulfill HIPAA rules, these services require you to install multi-layered modifications that eat up your time and cash. You might not know, but it’s your responsibility to acquire Business Associate Agreements (BAAs) from all your vendors. For example, if you’re using Gmail, then Google is your vendor. Google can provide BAAs, but, again, you must know to ask for them. A truly HIPAA-compliant vendor automatically provides you with this agreement.

Encryption alone does not equal compliance.
This is important! You’ll see many ePHI services, especially the free ones, advertised as “HIPAA-Compliant” because they use encryption. You need to know that encryption alone does not equal compliance.  It’s only one of the five federal HIPAA technical safeguards required by law that you have to fulfill.

What is PHI?

PHI stands for Protected Health Information.  Protected Health Information is any identifiable healthcare data about a person collected or stored by a HIPAA-covered entity or their business associates. PHI refers to physical records in your office.

Here is a sample of Protected Health Information:

  • Diagnoses
  • Treatment information
  • Medical test results
  • Prescription information
  • Gender
  • Emergency contact information
  • Birthdays
  • Ethnicity

Important to note: PHI also exists electronically as ePHI (Electronic Protected Health Information). ePHI is subject to the same HIPAA rules and refers specifically to PHI that is electronically created, stored, sent or collected.

For an in depth look at the HIPAA law click here.

The Safest Bet? Make Sure You Have These Five Things.

  1. The Best Level of Security (Including Encryption)

When you send an email with PHI, encryption protects that information by scrambling it as it travels between you and the recipient. You want the highest level of encryption possible. For example, the minimum required encryption level is 256-bit and the best encryption level is 2048-bit.

  1. Assurance You’re Emailing PHI to a Legitimate Provider

Your secure e-mail service must be able to verify that the providers you’re sending to are (1) actually who they say they are, and therefore (2) qualified to receive PHI.  For example, the e-mail service itself can automatically verify a dentist using their ADA member number.  The government recommends using an e-mail service built on the DIRECT protocol, which meets the federal standard for provider verification.

  1. Assurance No Email You Send or Receive Can Be Accessed by Others

A truly secure e-mail provider will neither be inclined nor able to access the content of your e-mails for data gathering, marketing or advertising.  The messages you send should be between you and the other provider, patient or qualified third party. On your side of things, make sure all your team members have unique, secure logins, and are automatically logged off when away from the computer.

  1. Audit Readiness

In case you get hit with a HIPAA audit (which may happen even if you’ve done nothing wrong), you’ll need to be able to immediately provide a detailed audit trail of every PHI e-mail exchanged by your practice within the last six years. That’s right—every message sent in the last six years has to be available for an audit.  If you have the right e-mail service, then breathe easy—that’s something they will automatically provide for you.

  1. Safe, Secure and Unaltered Records

To provide a six-year audit trail of all messages, your data must be safely stored where it can’t be accessed, lost or changed. You will want to make sure your back-up storage is located away from your office or home in multiple, hyper-secure locations.  That’s why many practices are moving to the cloud.  Storage in the cloud means your data is safely kept on servers at multiple secure facilities that can’t be hacked or broken into.

Too Good to Be True?

Your e-mail provider might offer services for free. It might even claim that encryption is its full security solution. But, remember, if it falls short of any of the five technical safeguard laws, then it is too good to be truly HIPAA compliant.

The CDA endorses iCoreConnect’s HIPAA-compliant e-mail service. Learn more at