HIPAA Compliance For Email

Published on: 07 May 2024


In the current era of digital technology, email has become an essential means of communication in the healthcare sector. It simplifies processes, fosters teamwork, and enhances the quality of patient care. However, confidential patient data must be kept secure, and all communications must follow HIPAA-compliant email procedures.

Understanding HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, sets regulations regarding the use and disclosure of protected health information (PHI) in the United States. Its goals are to enhance the portability and accountability of health insurance coverage, prevent waste, fraud, and abuse in healthcare delivery, and simplify health insurance administration.

It is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

What is PHI? 

Protected health information (PHI) is individually identifiable information about a patient or client receiving healthcare services. HIPAA lists the following 18 identifiers:

  1. Names
  2. All geographical subdivisions smaller than a state (street address, city, county, precinct)
  3. Birth date, admission date, discharge date, date of death
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers like license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers (fingerprints, voiceprints, iris/retina scans)
  17. Full-face photographic images and comparable images
  18. Any unique identifying number, characteristic, or code

Achieving HIPAA compliance for emails

HIPAA compliance for email can be achieved with the following measures:

  • Access controls: unique usernames and passwords for every individual who accesses PHI data.
  • Identification and authentication controls for PHI to prevent unauthorized access, modification, or accidental loss.
  • Data encryption and decryption methods to ensure confidentiality and security.
  • Policies and procedures for logging and monitoring that record access attempts and detect and alert on failed attempts.
  • A risk assessment and analysis to determine any risk exposure.
  • Staff training on access procedures, on identifying and reporting malware, intrusions and phishing, and on governance and cyber security best practices relevant to the potential risk exposure of PHI data.
  • Security policies and procedures that facilitate the implementation and enforcement of safeguards, with penalties for non-compliance.
  • A security officer appointed to oversee the implementation and enforcement of all security rules.
  • A contingency plan so that business continuity is maintained if an incident occurs.
  • Appropriate third-party contracts and Business Associate Agreements (BAAs) so that every party or individual with access to PHI data complies with the HIPAA rules.
  • Documentation and reporting of security incidents.
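As an added illustration (not part of the original article or VISTA InfoSec's own tooling), the check below shows how a mail gateway can combine the identifier list above with the encryption and monitoring controls: it scans a constructed outbound message for a subset of the 18 PHI categories and blocks any message that carries PHI unless it is encrypted. The regular expressions, the `encrypted` flag and the sample messages are assumptions made for this example.

```python
import re

# Illustrative detectors for a subset of the 18 PHI identifier categories
# (assumed patterns; production DLP detectors need tuning for false positives).
PHI_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/fax number": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Date (birth/admission/discharge)": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "Medical record number": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
}


def find_phi(text: str) -> dict:
    """Return {category: [matched strings]} for each identifier category found."""
    hits = {}
    for category, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def outbound_decision(message: dict) -> str:
    """Gateway policy: PHI may leave the organisation only in an encrypted message.
    message has "subject", "body" and a boolean "encrypted" flag (assumed to be
    set by the secure-mail gateway). Returns "allow", "allow-encrypted" or "block: ..."."""
    hits = find_phi(message["subject"] + "\n" + message["body"])
    if not hits:
        return "allow"
    if message.get("encrypted"):
        return "allow-encrypted"
    return "block: PHI present (" + ", ".join(sorted(hits)) + ") and message is not encrypted"


# Constructed sample messages, not real patient data.
SAMPLE_MESSAGES = [
    {"subject": "Q2 budget", "encrypted": False,
     "body": "Attached is the revised budget spreadsheet for review."},
    {"subject": "Referral MRN 00123456", "encrypted": False,
     "body": "Patient DOB 03/14/1965, SSN 123-45-6789, phone 555-123-4567."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{msg['subject']!r}: {outbound_decision(msg)}")
```

The block reason names the categories detected so that the event can be logged and alerted on, which is the monitoring control from the list above.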

Fines for HIPAA non-compliance

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA fines. Depending on the severity of the violation, they are classified into two types, civil and criminal. Here is the breakdown:

Civil HIPAA Fines:  

These fines are imposed on individuals or organizations that have violated HIPAA without malicious intent. Such acts are usually committed by those who were either neglectful or unaware of their actions. Below is the breakdown of fines:

  • $100 for unknowingly committing a HIPAA violation.
  • $1,000 if the violation was committed in willful neglect.
  • $10,000 per violation if the act was done through willful neglect but was rectified in time.
  • $50,000 per violation if the act was done in willful neglect and not rectified.

Criminal HIPAA Fines: 

If an individual commits a violation with malicious intent, the violation results in criminal penalties that are significantly harsher than the civil penalties. The penalties in such cases may be as follows:

  • If the individual knowingly obtained and disclosed PHI, they may be fined up to $50,000 and jailed for up to a year.
  • If the individual committed the violation under false pretenses, they may be fined up to $100,000 and jailed for up to 5 years.
  • If the individual committed the violation for personal gain or used the PHI to harm the patient, they may be fined up to $250,000 and jailed for up to 10 years.

Achieving compliance with HIPAA regulations for email communication requires a comprehensive approach that includes various elements such as technical solutions, policies and procedures, employee training, and continuous monitoring. 

By adopting robust security measures and adhering to HIPAA guidelines, healthcare organizations can ensure the confidentiality and integrity of patient information transmitted via email, thereby protecting patient privacy and maintaining regulatory compliance. 

Is your email communication HIPAA compliant? 

HIPAA compliance is necessary for all healthcare organizations, not only to protect PHI but also to prevent the reputational damage caused by breaches. With VISTA InfoSec you can rest assured that we take care of the process. We have been a part of this industry since 2004 and have the expertise and industry knowledge to guide you in the right direction. For more details, you can email us at [email protected]

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.