HIPAA Compliant Transactional Email Service

In A3 of the FAQ’s in this OCR doc, it seems pretty clear that no such service is necessary. Even encryption isn’t required under the act. Just reasonable procautions in the way of verifying who you’re sending to making a reasonable effort to limit the information being transmitted. Anyone have any experience in this area?

Does the HIPAA Privacy Rule permit health care providers to use e-mail to
discuss health issues and treatment with their patients?

Yes. The Privacy Rule allows covered health care providers to communicate
electronically, such as through e-mail, with their patients, provided they apply
reasonable safeguards when doing so. See 45 C.F.R. § 164.530©. For example,
certain precautions may need to be taken when using e-mail to avoid
unintentional disclosures, such as checking the e-mail address for accuracy
before sending, or sending an e-mail alert to the patient for address confirmation
prior to sending the message. Further, while the Privacy Rule does not prohibit
the use of unencrypted e-mail for treatment-related communications between
health care providers and patients, other safeguards should be applied to
reasonably protect privacy, such as limiting the amount or type of information
disclosed through the unencrypted e-mail. In addition, covered entities will want
to ensure that any transmission of electronic protected health information is in
compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164,
Subpart C.

Source: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf

Most HIPAA compliant emails use a linkback… that is, they don’t actually send PHI in the email itself; just a link to where a patient or clinician can sign-in and access the data.

For those organizations who want to send the PHI itself in the email, they usually use email templates (so the sender doesn’t get overly zealous sharing data) and encrypted email.

Virtru and Cotap and others provided encrypted email services and bill themselves as HIPAA compliant (and presumably willing to sign a BAA).

Also, there’s at least two Meteor-based HIPAA compatible messaging platforms who may be interested in expanding into providing email services. You may want to look into Hippoverse and Team Stitch.


Thank you! I’ll be taking a look at Hippoverse and Team Stitch.