The Software Developer’s Guide to HIPAA Email APIs
Are you building an application for the healthcare industry and need a HIPAA email API in order to send email from your application?
If so, then you probably know that failing to follow some basic HIPAA email rules could cost you thousands of dollars (we’ll get to that soon) and yet it is really hard to find a HIPAA compliant email API!
This is why many customers come to SocketLabs looking for a HIPAA compliant email API.
In this article, we’ll help you understand the basics of HIPAA and email — specifically how to stay compliant with HIPAA when building a healthcare application. Before we begin however, it’s important to understand that we are not lawyers and this article is not legal advice. We strongly suggest that you consult with an attorney to learn how HIPAA may affect your business.
Now let’s get started with a quick crash course on HIPAA.
What is HIPAA?
HIPAA (as many people mistakenly refer to as HIPPA) is an acronym that stands for Health Insurance Portability and Accountability Act. This US law was passed in 1996 to establish a set of privacy standards related to patients’ medical records and health information that is provided to healthcare providers, health plans, and other medical practices. Federal fines for noncompliance can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation. To avoid potential penalties, you must make an effort to stay compliant with HIPAA, especially when sending email from your healthcare application.
It’s important to understand that the HIPAA Privacy Rule protects “individually identifiable health information” and that the HIPAA Privacy Rule calls this PHI, which stands for Protected Health Information. PHI must be protected when being held or transmitted in any form, including electronic (email for example), on paper, and even when being communicated person to person orally.
What are some examples of PHI?
Examples of Protected Health Information include:
- Patient Names
- Dates — Including birthday, discharge date, death dates, etc.
- Telephone Numbers
- Social Security Numbers
- Driver’s License Information & Numbers
- Health Plan Beneficiary Numbers
- Names of Relatives
- IP Addresses
- Biometric Identifiers — Including fingerprints
- And more
It’s also important to understand the PHI can appear in a wide range of forms, including:
- Billing Information
- Appointment Scheduling Notices
- Phone Records
- MRI Scans
- Person to Person Emails
So, then what’s not considered PHI?
Examples of non-PHI include:
- Number of steps in a pedometer
- Total number of calories burned
- Blood sugar readings without personally identifiable user information (PII)
- Heart rate readings without PII (such as an account or user name)
To wrap things up:
If you’re building an application that does not store, record or transmit PHI, then you most likely do not need to be concerned with HIPAA compliance. An example of such an application is a wearable device like Fitbit.
However, if you’re building a device that stores, records, or transmits a user’s PHI data to a healthcare provider, then you need to be HIPAA compliant.
Sending HIPAA Compliant Email From Your Healthcare Application
Email APIs give software developers the ability to send, parse, and receive email from their apps. When it comes to healthcare applications, software developers need to be concerned with HIPAA compliance, especially when using a Send Email API to deliver transactional emails. This is why many software developers look for HIPAA compliant Email APIs.
How to stay HIPAA compliant when sending email:
At SocketLabs, our policy is that you should avoid sending any type of PHI through email. Most ESPs (including SocketLabs) do not yet natively support HIPAA compliant data transmission and do not offer HIPAA Email APIs.
This is because the SMTP RFC (first created in 1982) was not designed with HIPAA in mind. The SMTP RFC is the internet standard for email transmission. Since HIPAA came into existence more than ten years after email (in 1996), there wasn’t an opportunity to establish HIPAA compliant SMTP protocols.
In other words — email as we know it was never designed to be HIPAA compliant.
Even though SocketLabs doesn’t offer a HIPAA compliant email service, this shouldn’t stop you from sending email from your app, as long as you’re not sending PHI through email. If you’re concerned about being HIPAA compliant when sending email, then follow these best practices below.
Can’t Find a HIPAA Compliant Email API? Here Are a Few Best Practices
It all starts with sending encrypted email.
The first thing that you should do is focus on HIPAA email encryption. You can do this by encrypting the message body of the emails on your side.
When choosing an Email API, look for a platform that will help safeguard your messages with enforced or opportunistic Transport Layer Security (TLS). TLS is a protocol that gives senders the ability to encrypt information while in transit, to help maintain the confidentiality of the body contents of the email. If you’re a SocketLabs customer, then here’s how to check if your server is configured to use TLS.
Finally, if you’re building a medical CRM or SaaS application with downstream customers, then situations may arise when your downstream customers (i.e., medical practices) need to communicate important information to patients through email. Examples include information about recent appointments, discharge summaries, and lab results. In these situations, medical providers should almost always offer a secure download link to a patient portal rather than transmitting PHI directly through email.
A patient portal is a HIPAA compliant application that gives healthcare providers the ability to communicate with patients through a secure website. Patient portals are more suitable than email for hosting information and records that contain PHI — while email should be limited to any non-PHI marketing and transactional email.
What Type of Email Can I Send from My Healthcare Application?
Generally speaking, anything that doesn’t contain protected health information (PHI) is fair game.
This means that your healthcare application can still use our Injection API to send important transactional email like password resets and event-based notifications that do not deliver PHI to patients.
For example, if you’re building an anonymous patient survey tool (like Survey Monkey for medical practices) then you can send transactional surveys from medical practices to their patients, so long as the body contents of the email does not contain PHI or tie back to PII (accounts, IP addresses, and usernames) in your system.
You can also use our Email Tracking APIs and webhooks to track the status of delivered messages and provide in-app notifications, so long as the notifications aren’t tied to PHI or PII.
If you’ve built a CRM that gives healthcare practices the ability to send email, then here are some examples of email that medical practices can send:
- Welcome to the Practice Emails
- Appointment Reminders (so long as there’s no PHI in the email)
- Anonymous Patient Satisfaction Surveys
- Announcements for Flu Shots and Vaccines
- Weekly or Monthly Newsletters
- Promotional Emails
- Password Resets and Other Transactional Email (if you’re building a healthcare focused application)
If you’re a healthcare professional sending email on behalf of a medical provider or practice, then you can send non-PHI marketing email to patients with our email marketing tools >>
Finally, we strongly suggest that you consult with an attorney who specializes in HIPAA, especially if you’re building a healthcare application that will send any type of marketing and transactional email.
If you’d like to learn more about our suite of Email APIs, visit our Developer Hub.