HIPAA-Compliant Email: Questions to Ask When Looking for a Provider

If your business operates in the healthcare sector or works with businesses that do, it may handle electronic protected health information (ePHI): individually identifiable health information that is stored or transmitted electronically, which must be protected according to HIPAA regulations.

If your business transmits ePHI by email, it must use a HIPAA-compliant email provider to stay compliant. These providers have the appropriate administrative, physical, and technical safeguards in place to help you protect sensitive data.

Finding a reliable HIPAA-compliant provider can be daunting, because the regulations are extensive and the security concepts involved are complicated. To make the search a little easier, here are the questions you should be asking any potential HIPAA-compliant email provider.

Is the Provider HIPAA-compliant? Will It Sign a Business Associate Agreement with Your Organization?

This first question may seem obvious, but it's important to get it out of the way. Many of the email providers that first spring to mind, such as Gmail's free offering, Yahoo! Small Business Email, and AOL's service, are not HIPAA-compliant.

For HIPAA-compliant email, you will generally have to look for a specialist provider that is willing to sign a business associate agreement (BAA). A range of smaller companies offer this service, with variations in quality and security.

You can immediately cast aside any provider that won't sign a BAA with your organization and focus on those that will. Note also that a signed BAA is not the same as protected email: some services that will sign a BAA do not themselves secure the messages you send to outside recipients (G Suite is one example), leaving you to find a third-party product to fill the gap.

What Services Does the Provider Offer?

Once you have narrowed down your search, look for providers that offer the basic services your business needs. There's no point in finding a secure, HIPAA-compliant provider if it can't provide the functionality your organization requires to work effectively. Here are some key questions to ask about features:

  • Does the service offer webmail?
  • Is there state-of-the-art email filtering? (Most malware arrives by email.)
  • How much storage is offered?
  • Does it have HIPAA-compliant synchronization between email, calendar, and contacts?
  • How many users can it accommodate?
  • Is it easy to use?
  • Is it flexible?
  • Is it compatible with the other software you use, such as Office 365, G Suite, or Outlook?
  • Does the service back up and archive your emails?
  • Does the provider offer portal pickup, so you can send secure email to any address, no matter how insecure the recipient's own email provider is?
  • Can the service scale alongside your business?
  • Does the provider offer secure, high-volume email sending? What's the capacity? Is it suitable for both marketing and transactional purposes?


How Is the Provider’s Email Service Secured?

Since we're talking about HIPAA compliance and protecting the data in emails, a full-featured service is not enough. You also need to make sure that any potential provider offers adequate security. These are some of the most important security-related questions to ask:

  • Which encryption mechanisms are used, and on which hops? Is TLS enforced for SMTP transport (not merely offered opportunistically), and is message-level encryption such as S/MIME or PGP available for recipients whose servers don't support TLS?
  • Does the service enforce access control and keep audit trails of who read, sent, or exported messages?
  • What does the firewall configuration look like?
  • Is your data isolated from that of other customers, e.g. on dedicated servers, to reduce your risk?
  • Does the service offer protection from malicious email?
  • Is email encryption opt-in or opt-out? (Encryption that users must remember to turn on will eventually be forgotten on a message that contains ePHI.)
  • How is bulk email secured?
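The "SMTP TLS" answer can be checked on real traffic rather than taken on trust. Each receiving mail server records the transport it accepted the message over in the Received header it prepends (the ESMTPS / ESMTPSA keywords, often with a version=TLS... clause), so the full headers of a message that reached your mailbox show which hops were encrypted and which were cleartext. The script below is an added example written for this article, not code from the original page or from LuxSci; the headers it parses are constructed sample data, and the host names and IDs in them are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample headers (not from any real message): the message travelled
# partner workstation -> provider MX (cleartext) -> clinic mail server (STARTTLS).
# Received headers are prepended on each hop, so the most recent hop is listed first.
SAMPLE_HEADERS = """\
Received: from mx1.provider.example (mx1.provider.example [203.0.113.10])
        by mail.clinic.example (Postfix) with ESMTPS id 4ABCDEF
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
        for <dr.smith@clinic.example>; Tue, 4 Feb 2020 10:15:03 +0000
Received: from workstation.partner.example (unknown [198.51.100.7])
        by mx1.provider.example with ESMTP id 123XYZ;
        Tue, 4 Feb 2020 10:15:01 +0000
From: partner@partner.example
To: dr.smith@clinic.example
Subject: Lab results
"""

# RFC 3848 "with" keywords that indicate the SMTP session was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]+)", re.IGNORECASE)
VERSION_RE = re.compile(r"version=(TLS[^\s)]*)", re.IGNORECASE)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Dict[str, object]]:
    """Return one record per Received header, oldest hop first."""
    hops: List[Dict[str, object]] = []
    for header in unfold_headers(raw):
        m_from = FROM_RE.match(header)
        if not m_from:
            continue  # not a Received header
        m_by = BY_RE.search(header)
        m_with = WITH_RE.search(header)
        m_ver = VERSION_RE.search(header)
        protocol = m_with.group(1).upper() if m_with else ""
        hops.append({
            "from": m_from.group(1),
            "by": m_by.group(1) if m_by else "",
            "protocol": protocol,
            "tls_version": m_ver.group(1) if m_ver else None,
            # A hop counts as encrypted only if the receiving server recorded it as such.
            "encrypted": protocol in TLS_PROTOCOLS or m_ver is not None,
        })
    hops.reverse()  # headers are prepended, so reverse to get transit order
    return hops


def cleartext_hops(raw: str) -> List[Tuple[str, str]]:
    """(from, by) pairs for every hop that was not protected by TLS."""
    return [(str(h["from"]), str(h["by"])) for h in parse_received(raw) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        status = f"TLS {hop['tls_version']}" if hop["encrypted"] else "CLEARTEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['protocol']} ({status})")
    if cleartext_hops(SAMPLE_HEADERS):
        print("WARNING: message was relayed in cleartext on at least one hop")
```

Two caveats when reading the output. Each Received header is written by the server that accepted the hop, so only the lines added by servers you or your provider control are trustworthy; anything below them could have been forged by the sender. And ESMTPS only proves that STARTTLS was negotiated, not that the certificate was validated or that a downgrade was refused, which is why the questions above ask whether TLS is enforced and whether message-level encryption or a pickup portal is available for the hops you don't control.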


Has the Email Provider Been Audited?

Lots of providers make big claims, but they don't all back them up. If you're looking for a provider you can trust, make sure it does regular internal and external security reviews and penetration tests. Ask what actually takes place during these audits, when the most recent one was, and how findings were remediated, so that you can judge how thorough they are.

Choosing the HIPAA-compliant Email Provider that’s Right for Your Business

Deciding on the best HIPAA-compliant email service isn't easy. There's a lot of competition and many important details to consider. If you want to simplify your search, have a look at what LuxSci has to offer.

LuxSci is a HIPAA-compliance specialist that offers a range of security-focused services. Since email is one of its core products, its service has an extensive list of features as well as flexible security, which makes it easy to use and to protect your organization’s ePHI.

This is a guest post written on behalf of LuxSci.