HIPAA Compliance 101: Email Protection

David Bibbey, Dipl. Ac., LAc

Editor's Note: This is the first in a series of 2022 articles from David on different aspects of HIPAA compliance as they relate to acupuncture practice. Look for his next article in our April issue.


Acupuncturists must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized viewing and interception of messages. Many HIPAA-compliant email services provide end-to-end encryption for messages; some offer software you install on your own computer system, while others handle everything remotely. Changing your email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop or device.

HIPAA-compliant email providers must ensure their product incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls, audit controls, integrity controls and authentication. PHI must be secured in transit, and HIPAA requires that providers securely retain a six-year email archive. It is also necessary for an email service provider to sign a business associate agreement with you. Only then can the email service be used.

Acupuncturists should also understand that guaranteeing HIPAA compliance for email delivery is not solely the responsibility of the service provider. The service provider must also ensure appropriate safeguards are incorporated. It is the responsibility of the acupuncturist to ensure the product is configured correctly, and that staff are properly trained on the use of email and appropriate uses and disclosures of PHI.

Having a secure email service alone will not satisfy all HIPAA requirements for email. Staff should also receive training on security awareness and be made aware of the threats that can arrive via inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware, and phishing emails.

While HIPAA-compliant email providers encrypt all emails in transit, email encryption is not mandatory for every acupuncturist. The HIPAA Security Rule only requires providers to assess their need for encryption. An acupuncturist does not need to encrypt emails if an alternative and equivalent control is appropriate for the practice and is used instead, such as a secure email server located behind a firewall.

Provided a risk assessment has been conducted and the reasons for not encrypting emails have been documented, encryption would not be required. Encryption would also not be necessary when sending emails to patients who have authorized a covered entity to communicate with them via email. However, for acupuncturists who submit payment claims via email, contact other health care organizations, and refer patients, it is necessary to send emails outside the protection of the firewall. In these cases, encryption is necessary.


Author's Note: For more information related to this article, please visit www.patientdataprotection.com or call Matthew Fiorenza, data security specialist, at 352-268-5088, ext. 4.

February 2022