Is my email HIPAA compliant?

Posted on 2014-04-08
Last Modified: 2014-04-15
Hi experts,

I have Yahoo Plus email set up in Outlook and I use it to email patient forms/information. Is this HIPAA compliant?
Question by: frankbustos

Accepted Solution

Michael Dyer earned 500 total points
Email in general is not secure. There is really no way to know that the person receiving the email you sent is who you intended. This is especially so in companies whose messaging system is controlled through an IT department.

Often companies have an email policy in place informing employees that they should expect no privacy as it relates to using the company’s email or Internet systems. So, those people handling sensitive information, including discussing diagnoses and treatments for patients, need to be aware that general email has no guarantee of privacy.

Generally HIPAA requires three things when it comes to email:

Strong security:

According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email.  One way you can do this is to zip up documents with a password and then verbally provide the password to your client.

The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.  You should have this included with your standard forms your client signs consenting to receiving medical information via email.

Business Associate Agreement:
Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. In your case, you are using Yahoo Plus.  These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.  Yahoo does not sign BAA agreements regarding email.  

So, sending any protected health information via email with Yahoo Plus would be a HIPAA violation unless it is attached to the email in an encrypted, password-protected file.

Author Comment

Thanks Michael for the details. So, what step/solution do you recommend I go with?

Expert Comment

by:Michael Dyer
Well, your cheapest option is to use a program like WinRAR to create zipped files with encryption and then email the encrypted file as an attachment and provide the password to your client verbally. The other option is to use a different email service that is HIPAA compliant, but typically you have to pay a monthly service fee for those.

HIPAA does permit faxing of patient information with the patient's consent, so you could also consider just using a fax machine instead of sending email.
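
A pre-send check for the encrypted-zip workflow recommended in the answers above, as an added example that is not part of the original thread: it inspects a draft message and reports every attachment that is not an encrypted zip. The function names are hypothetical, the sample archives are constructed fixtures, and treating legacy ZipCrypto entries as a failure is this example's assumption, not something the thread states.

```python
import io
import zipfile
from email.message import EmailMessage

AES_METHOD = 99  # compression-method value carried by WinZip-style AES entries

def attachment_problems(msg):
    """Return (attachment, reason) pairs that should stop the message being sent."""
    problems = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        blob = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            problems.append((name, "not a zip archive"))
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if not info.flag_bits & 0x1:  # flag bit 0 = entry is encrypted
                    problems.append((name, f"{info.filename}: stored unencrypted"))
                elif info.compress_type != AES_METHOD:
                    problems.append((name, f"{info.filename}: legacy ZipCrypto, not AES"))
    return problems

def sample_zip(entry, encrypted=False, aes=False):
    """Constructed fixture: a real zip whose header fields are patched to look
    encrypted (the content itself is not), since zipfile cannot write encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, b"constructed sample, no real patient data")
    raw = bytearray(buf.getvalue())
    cd = raw.rfind(b"PK\x01\x02")  # central directory header of the only entry
    if encrypted:
        raw[cd + 8] |= 0x01  # general-purpose flag, bit 0
    if aes:
        raw[cd + 10:cd + 12] = AES_METHOD.to_bytes(2, "little")
    return bytes(raw)

def sample_message():
    """Constructed draft with one attachment of each kind."""
    msg = EmailMessage()
    msg.set_content("The password will be given by phone.")
    zips = {"plain.zip": sample_zip("intake.pdf"),
            "legacy.zip": sample_zip("intake.pdf", encrypted=True),
            "aes.zip": sample_zip("intake.pdf", encrypted=True, aes=True)}
    for fname, blob in zips.items():
        msg.add_attachment(blob, maintype="application", subtype="zip", filename=fname)
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="scan.pdf")
    return msg
```

With ordinary zip encryption the entry names inside the archive stay readable, so file names should not carry patient identifiers even when the check passes.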