Question: Is there a HIPAA-compliant way for an employer to access HIPAA-secure email accounts in the case of an employee's absence, death, or termination?
Answer:
The HIPAA rules don’t specifically address a HIPAA regulated employer’s access to an employee’s HIPAA-secure email in the case of absences, death, or terminations. As a covered entity or business associate, the general principles are as follows:
- The employer’s access is allowed for specific HIPAA permitted purposes (e.g., treatment, payment, healthcare operations) and must follow the minimum necessary rule (45 CFR §164.501, §164.502(b), §164.514(d)); and,
- The employer must maintain technical and administrative controls to safeguard the PHI contained in the email (45 CFR §164.308, §164.312).
Beyond HIPAA, if the email contains non-PHI, HIPAA doesn’t restrict access, but the employer’s workplace policies and applicable state laws may apply. For example, if the email system is employer-owned, the employer may have a general right to access it under its employment policies or applicable state law (e.g., “no expectation of privacy”), but this doesn’t override HIPAA if PHI is involved.
Below are 4 ways to help your customer balance operational needs with HIPAA requirements.
1. Administrative Access
Administrative access is one available method. In this case, the employer’s IT admin (whether it be their employees or their outsourced IT via a BAA) uses high-level admin credentials to access the employee’s HIPAA-secure email account, review or extract the necessary PHI, and ensure the account is secured upon completion of the task.
To be compliant, administrative access must:
- be tied to a HIPAA permitted purpose (e.g., treatment, payment, healthcare operations) (45 CFR §164.502(b));
- only be given to a designated, authorized HIPAA trained staff or workforce member (45 CFR §164.308(a)(4));
- be limited to the minimum necessary PHI required to accomplish the permitted purpose (45 CFR §164.502(b)); and,
- be logged in both system logs and manual access logs (45 CFR §164.312(b), §164.308(a)(1)(ii)(D)).
For terminations, the HIPAA Security Rule requires terminating the former employee’s access immediately and ensuring the account containing the PHI remains secure (45 CFR §164.308(a)(3)(ii)(C)).
For terminations and deaths, following the completion of the task, the email account must be secured (e.g., encrypted archive or locking it) to safeguard the PHI contained therein.
The employer’s HIPAA policies should include administrative access procedures for employee absences, terminations, and deaths to support such access via this method.
2. Formal Password Resets
Formal password resets are another viable method for a HIPAA-regulated employer to access an employee’s HIPAA-secure email in the event of absence, death, or termination. This approach involves resetting the employee’s email password to grant temporary access to an authorized staff or other workforce member.
To be compliant:
- the password reset for access must be tied to a HIPAA permitted purpose;
- only an authorized HIPAA trained staff member is given access;
- the access must be limited to the minimum necessary PHI to accomplish the required purpose; and,
- any such reset and access must be logged both in system logs and manual access logs.
For absences, the email account should be secured post-access by assigning a new password to prevent any further access.
For terminations, the employer is required to terminate the former employee’s access immediately.
For terminations and deaths, following the completion of the task, the email account must be secured (e.g., encrypted archive) to safeguard the PHI contained therein.
The employer’s HIPAA policies should include password resets procedures for employee absences, terminations, and deaths to support such access via this method.
3. Email Delegation
This is the simplest approach. The employer’s IT admin would assign a HIPAA trained staff member (“delegate”) permission to access the employee’s HIPAA-secure email account (e.g., via Outlook’s or Gmail’s delegate features). This enables the delegate to access the employee’s email account without knowing the employee’s password. The employer’s IT admin can configure permissions granularly (e.g., read-only access, send on behalf, etc.) and set a time limit for the delegated access. All actions performed by the delegate would be distinctly logged with their own identity for audit purposes. The employer’s IT admin could also pre-set this or have it configured when required and then revoke the delegation once access is no longer needed (45 CFR § 164.308(a)(3)(ii)(C)).
To be compliant:
- delegated access must be tied to a HIPAA permitted purpose;
- access must only be given to a designated, HIPAA trained staff member;
- access must be limited to the minimum necessary PHI to accomplish the required purpose and should avoid full control unless justified; and,
- any such delegated access and activity must be logged.
For absences, the delegate’s access should be terminated upon the employee’s return to work.
For terminations, the employer must terminate the former employee’s access immediately.
For deaths and terminations, the delegation should be temporary with a set expiration date. Additionally, the email account should thereafter be secured (e.g., encrypted archive) to safeguard the PHI contained therein.
The employer’s HIPAA policies should include email delegation procedures for employee absences, deaths, and terminations to support any such access via this method.
4. Emergency Access Procedures (EAPs)
Both covered entities and business associates are required to have written EAPs (45 CFR §164.312(a)(2)(ii)). EAPs typically come into play when patient safety or operations are at risk and to fulfill legal obligations (e.g., responding to a public health authority’s request) (45 CFR §164.512(j)). Less commonly, EAPs may be used as a last resort when other access methods are unavailable or impractical. In the case of employee absences, deaths, or terminations, EAPs might be appropriate in cases where immediate access is necessary to protect patient care, safety, or operational integrity. Routine employee absences wouldn’t necessarily qualify unless there was an immediate need for access.
To be compliant:
- emergency access must be for a HIPAA permitted purpose or for at risk purposes;
- emergency access must be limited to the minimum necessary PHI that is required for the urgent situation;
- only designated HIPAA trained staff or workforce members can use the emergency access; and,
- the emergency reason along with the access must be logged.
For terminations, the employer must terminate the former employee’s access immediately.
For terminations and deaths, following completion of the task, the email account must be secured to safeguard the PHI contained therein.
The employer’s EAPs should include procedures specifically for employee absences, deaths, or terminations to support urgent access via the EAPs.
____
The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!