Kusserow on Compliance: A reminder about email compliance

The HHS Office for Civil Rights (OCR) continues to report HIPAA Privacy violations involving email transmissions. With the coming New Year, it may be advisable to review the security of email containing electronic protected health information (ePHI), which must adhere to a specific regulatory standard. The HIPAA Security Rule introduced several requirements that must be satisfied before email communications can be considered in compliance with HIPAA. HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

Additionally, HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to: (a) restrict access to PHI; (b) monitor how PHI is communicated; (c) ensure the integrity of PHI at rest; (d) ensure 100 percent message accountability; and (e) protect PHI from unauthorized access during transit. These standards extend to having a schedule for retaining, archiving, and destroying (after six years) emails containing ePHI. Furthermore, emails must be kept safe in transmission by using encryption: an email containing PHI should not be transmitted unless it is encrypted, and if the PHI is in the body text, the message itself must be encrypted. The following email compliance issues should be verified:

  1. All email communications with PHI are being encrypted
  2. Emails are being monitored for compliance
  3. Data inside emails are being protected from cyberattacks
  4. Emails are being stored in an unalterable state
  5. Email retention schedules are being followed
  6. Email chain of custody standards are being followed
  7. Email access is being controlled with individual accounts and passwords
  8. Email accounts are only being used by registered users
  9. Email messages are complying with accepted professional and business practices
  10. Established log-on controlled access procedures and passwords are being followed
Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.
Copyright © 2020 Strategic Management Services, LLC. Published with permission.