How does the GDPR affect email?

The GDPR protects the personal data of people in the EU. Personal data is any information relating to an identified or identifiable natural person, whether it identifies them directly or indirectly.

This may include: names; location data; addresses (postal, email, IP, etc.); bank details; gender; religious beliefs; ethnicity; political opinions; biometric data; web cookies; contacts; device IDs; and pseudonymous data.

To protect personal data, the GDPR lays out many rules and obligations. Email is not exempt: because messages and mailboxes routinely contain personal data, they must be handled in compliance with GDPR requirements.

Email conversations contain names, email addresses and much more, so the GDPR requires companies to protect this personal data. From names and addresses in headers to attachments and discussions about people in the body, all of it can fall under the GDPR's data protection requirements.

The GDPR does not mention email by name; the obligations that matter most for email are security of processing (including encryption) and limits on how long data is kept. Below we explain what the GDPR actually says and what it means for email.

GDPR Encryption and Security

What the GDPR says

The GDPR says that the personal data of people in the EU must be protected by every organisation that collects, stores or uses it. Article 5 lists the data protection principles you must adhere to, including integrity and confidentiality (Article 5(1)(f)), which requires appropriate technical and organisational security measures. Article 32 (security of processing) names pseudonymisation and encryption as examples of technical measures that lower the risk of harm in the event of a data breach, and Article 34(3)(a) removes the duty to notify affected individuals when the breached data was encrypted so that it is unintelligible to whoever obtained it.

What it means for email:

Encryption is the most effective way to protect data that is shared through email, and two levels matter. Transport encryption (TLS between mail servers) protects a message hop by hop and is now widely deployed. End-to-end encryption (S/MIME, OpenPGP, or an end-to-end encrypted email service, of which several now exist) protects the body and attachments even on the mail servers in between, though not the subject line or other headers. Encryption is not the whole story: access controls on mailboxes, checks on outbound mail for data that should not leave, and staff training are all part of appropriate security when personal data is sent by email.

Data removal is also a large part of the GDPR. Storage limitation, one of the data protection principles in Article 5(1)(e), says personal data should be kept no longer than necessary for the purpose it was collected for, so companies must delete data once it is no longer needed. Erasure is also one of the individual rights protected by the GDPR: the right to erasure in Article 17.

In practice, companies need to periodically review their email retention policy and limit how much personal data employees accumulate in their mailboxes, deleting messages and attachments once they are no longer needed.

To comply with the GDPR, organisations must protect the data they send through email and delete it once it is no longer required. It is also important for companies to educate their teams about email safety. Encryption and two-factor authentication on mailboxes are good measures for protecting data and demonstrating compliance.


How US Companies Are Becoming GDPR Compliant

The GDPR (General Data Protection Regulation) came into force in the European Union on 25 May 2018 to protect the personal data of people in the EU. Under Article 3, it applies not only to organisations established in the EU but also to those outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.


An organisation that fails to comply can face fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, depending on the severity and circumstances of the violation (Article 83).

Why must US companies comply with the GDPR?

Since the law applies to any organisation that processes the personal data of people in the EU, including citizens, residents and, in some cases, visitors, a US company must comply with the GDPR if it processes such data. That data could be as simple as email addresses in a marketing list or the IP addresses of visitors to your website. To reduce the risk of a violation and a fine, US companies that handle this data need a compliance programme.

This GDPR compliance checklist covers tips specifically for US companies.

  • Conduct an information audit for EU personal data

Check whether your company needs to comply with the GDPR at all. Audit what personal data you process and whether any of it belongs to people in the EU. Read Article 3 of the GDPR (territorial scope) to decide whether your activities fall within its scope.

  • Inform your customers why you’re processing their data

The GDPR gives individuals the right to know that you are collecting their personal data, how you will use it, how long you will keep it and with whom you will share it (Articles 13 and 14). A clear privacy notice is the usual way to meet this.

  • Know what to do if there is a data breach

GDPR Articles 33 and 34 set out what must happen when personal data is exposed: notify the supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and notify the affected individuals when the breach is likely to result in a high risk to them. Strong encryption reduces your exposure: if the exposed data was encrypted so that it is unintelligible to whoever obtained it, Article 34(3)(a) lifts the obligation to notify individuals.

  • Designate a representative in the European Union

Under Article 27 of the GDPR, organisations outside the EU that fall within its scope must, with limited exceptions, appoint a representative established in one of the EU member states.

  • Comply with cross-border transfer laws (if applicable)

Chapter V of the GDPR (Articles 44 to 49) restricts transfers of personal data out of the EU. A transfer to a non-EU country is permitted where the European Commission has found that country to provide adequate protection (Article 45) or where appropriate safeguards such as standard contractual clauses are in place (Article 46), so a US company receiving EU data needs to identify which mechanism it relies on.


How to Comply with HIPAA Password Requirements

HIPAA stands for Health Insurance Portability and Accountability Act. It was enacted in the US in 1996 and, among other things, protects individuals' protected health information (PHI).

The law requires covered entities (health care providers, health plans and clearinghouses) and their business associates to keep patients' medical information safe, secure and confidential. With this information now stored and processed electronically, HIPAA also addresses procedures for creating, changing and safeguarding passwords.

These requirements sit in the administrative safeguards of the HIPAA Security Rule (45 CFR §164.308(a)(5)(ii)(D), password management). Meeting them is an important part of keeping sensitive health data safe and avoiding HIPAA fines.

HIPAA Password Requirements

The HIPAA Security Rule says that covered entities and business associates must use administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI). Password management falls under the administrative safeguards of the Security Rule.

How to Make Your Passwords HIPAA Compliant

HIPAA does not lay down specific password requirements (length, composition, rotation) that covered entities or business associates must follow. For concrete guidance, organisations generally turn to NIST (National Institute of Standards and Technology), a federal agency that publishes security standards and best practices rather than regulations. Its Digital Identity Guidelines (SP 800-63B) are the reference most often used for password policy, and NIST revises them periodically.

Below are a few measures drawn from SP 800-63B that keep your passwords in line with NIST guidance and HIPAA's password management requirement.

  • Use a minimum of 8 characters: NIST requires user-chosen passwords to be at least 8 characters long and says systems should allow passwords of at least 64 characters, including spaces and Unicode, so that users can choose long passphrases.
  • Avoid password hints: NIST says hints that an unauthenticated user can see must not be allowed, because they seriously weaken the password.
  • Create memorable passwords: NIST no longer recommends composition rules (required digits or symbols) or periodic forced changes. A long, unique, memorable passphrase is more secure than a short, complex one that ends up written down or reused.
  • Vet passwords against a list of weak options: NIST says passwords should be checked against a blocklist of commonly used, expected or compromised values, including dictionary words, repetitive or sequential strings and context-specific words such as the organisation's name or the user's own username.
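The following Python function is an added example, not code from the page or from NIST. It applies the four checks above the way an SP 800-63B verifier would: length limits, no composition rules, Unicode normalisation so that visually identical passwords compare equal, and a blocklist check. The blocklist, the organisation-specific words and the sample passwords are constructed for illustration; a real deployment would load a breach-corpus list and its own context words.

```python
"""NIST SP 800-63B style password verifier checks (added example).

Assumptions (not from the page): BLOCKLIST and CONTEXT_WORDS are constructed
stand-ins for a breached-password corpus and an organisation's own terms.
"""
import unicodedata

MIN_LENGTH = 8    # 800-63B: user-chosen secrets are at least 8 characters
MAX_LENGTH = 64   # verifiers should permit at least 64 characters

# Constructed blocklist standing in for a common/breached password list.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein!", "welcome1"}

# Constructed context-specific words (organisation name, product) to reject.
CONTEXT_WORDS = {"clinic", "hipaa"}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode passwords compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(pw: str) -> bool:
    """Reject 'aaaaaaaa', '12345678' and 'abcdefgh' style secrets."""
    lowered = pw.lower()
    if len(set(lowered)) == 1:
        return True
    steps = [ord(b) - ord(a) for a, b in zip(lowered, lowered[1:])]
    return len(steps) >= 3 and len(set(steps)) == 1 and steps[0] in (1, -1)


def check_password(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Counts characters after normalisation, allows spaces and Unicode, and
    applies no composition rules ('must contain a digit'), as 800-63B advises.
    """
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("found in common/breached password list")
    if any(word in lowered for word in CONTEXT_WORDS):
        reasons.append("contains an organisation-specific word")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    return reasons
```

Note that the blocklist here is matched exactly; production systems usually also check whether a candidate is a trivial variant of a blocklisted value and compare against a much larger corpus, but the shape of the policy (length, normalisation, blocklist, no composition rules) is the same.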


With a few straightforward steps you can start to develop a HIPAA compliance programme in your practice while addressing your HIPAA password requirements.


How long should I retain HIPAA audit logs?

HIPAA stands for Health Insurance Portability & Accountability Act. It was enacted in 1996 and signed by President Bill Clinton. HIPAA's administrative requirements oblige covered entities and business associates to retain required documentation for a set period from the date it was created or the date it was last in effect.

The HIPAA Privacy Rule applies to PHI in any form, and the Security Rule to PHI that is stored or transmitted electronically. HIPAA itself sets no retention period for medical records; each US state sets its own medical record retention requirements in law. Although the Privacy Rule contains no medical record retention requirement, it does require health care organisations to protect individuals' medical records and PHI.

So HIPAA specifies no retention period for medical records, but it does for other HIPAA-related documentation. 45 CFR §164.316(b)(2)(i) requires covered entities and business associates to retain the documentation required by the Security Rule for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.

Why Is It So Important To Retain HIPAA Audit Logs?

Retaining audit logs is important because they let an organisation monitor activity on its network and keep a record of events and user activity. System activity creates a valuable audit trail that organisations can use as a security tool, and retaining and maintaining these logs properly is a significant part of risk management: it helps protect all information, particularly individuals' ePHI.

Audit logs also help in identifying theft of data, fraud and misuse of access, and in reconstructing what happened after an incident.

General HIPAA Audit Log Requirements: What Is Included?

HIPAA's logging requirement covers both electronic and physical access. An organisation must keep a record of which employees have access to physical PHI such as stored paper files.

Audit logs for ePHI are more involved and should include the following information:

  • User access logins
  • Addition of new users to the system
  • New users’ level and areas of access
  • Files accessed by all users
  • All changes made to databases
  • Firewall logs
  • Operating system logs
  • Anti-malware logs
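The following Python example is added here and is not code from the page or from any HIPAA text. It records the user, access and data-change events from the list above as structured entries, chains each entry to its predecessor with a SHA-256 hash so that an edited or deleted record is detectable when the trail is later reviewed (a design choice for integrity, not a HIPAA-mandated format), and computes the six-year retention date from the rule quoted above. The event schema, the event names and the sample events are constructed.

```python
"""Tamper-evident ePHI audit trail with a retention helper (added example).

Not code from the page or from HIPAA: the event schema and the SHA-256 hash
chain are design choices for integrity, and the sample events are constructed.
Firewall, OS and anti-malware logs from the list above would be collected by
those systems and kept alongside this application trail.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Event types covering the user, access and data-change items listed above.
EVENT_TYPES = {"login", "user_created", "access_granted", "file_access", "db_change"}
GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each record stores the hash of the previous record."""

    def __init__(self):
        self.records = []
        self._prev_hash = GENESIS

    def append(self, event_type, actor, target, details=None, when=None):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type}")
        record = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "event": event_type,
            "actor": actor,        # who performed the action
            "target": target,      # user, file or table acted on
            "details": details or {},
            "prev": self._prev_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        self._prev_hash = record["hash"]
        return record["hash"]

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return False, i
            prev = rec["hash"]
        return True, None


def retention_expiry(created, last_in_effect=None, years=6):
    """Earliest date a document may be discarded under 45 CFR 164.316(b)(2)(i):
    `years` after creation or after it was last in effect, whichever is later.
    Dates are ISO strings (YYYY-MM-DD)."""
    anchor = datetime.fromisoformat(created)
    if last_in_effect:
        anchor = max(anchor, datetime.fromisoformat(last_in_effect))
    try:
        expiry = anchor.replace(year=anchor.year + years)
    except ValueError:          # 29 February with no leap day in the target year
        expiry = anchor.replace(year=anchor.year + years, day=28)
    return expiry.date().isoformat()


def build_sample_log():
    """Constructed events; no real users or patients."""
    log = AuditLog()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.append("login", "jsmith", "ehr-portal", when=t0)
    log.append("user_created", "admin", "nurse42", {"role": "nursing"}, when=t0 + timedelta(minutes=5))
    log.append("access_granted", "admin", "nurse42", {"scope": "ward-3 records"}, when=t0 + timedelta(minutes=6))
    log.append("file_access", "jsmith", "patient/00123/notes.pdf", when=t0 + timedelta(minutes=30))
    log.append("db_change", "jsmith", "patients.allergies", {"op": "update"}, when=t0 + timedelta(hours=1))
    return log
```

A hash chain only proves that the records you hold are the ones that were written in that order; it does not stop someone with write access from truncating the file and rebuilding it. In practice the latest hash is copied periodically to a separate, write-once store (or a log server the application cannot write to) so that the trail can be checked against an anchor outside the system being audited.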

How Long HIPAA Audit Logs Should Be Kept?

As noted above, 45 CFR §164.316(b)(2)(i) requires covered entities and business associates to retain required documentation for at least 6 years from the date it was created or the date it was last in effect, whichever is later. The rule is written for Security Rule documentation rather than for audit logs specifically, but six years is the retention period generally applied to HIPAA audit logs as evidence of compliance.


HIPAA Email Rules

HIPAA stands for Health Insurance Portability and Accountability Act; it was passed by Congress in 1996. Its purposes included improving the efficiency of the health care system and protecting individuals' PHI.

The Privacy Rule, issued under the act, regulates the use and disclosure of individuals' PHI in any form: verbal, written or electronic (including email and file transfer).

All covered entities and business associates have to follow this rule. The Security Rule came later; it defines the security standards for the management of PHI in electronic form (ePHI) by health care providers, health plans and health care clearinghouses.

Neither the Privacy Rule nor the Security Rule prohibits the use of email for sending ePHI. What must be considered when sending PHI by email is the security and privacy of the individual's PHI.

HIPAA sets several rules for email that must be followed to protect ePHI. They come from the Security Rule and were updated by the Omnibus Final Rule of 2013. An organisation that fails to comply with these rules while sending ePHI faces heavy fines and penalties.

HIPAA email rules require health care organisations to safeguard ePHI and keep it confidential while it is transferred online. Covered entities should satisfy the points below for ePHI sent by email:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure message accountability (an audit trail of who sent what to whom, and when), and
  • Protect PHI from unauthorized access during transit

Below are two important rules that must be followed when sending PHI by email:

  1. Encryption Requirements
  2. Secure Messaging Solutions

Encryption Requirements

If an email containing PHI leaves the covered entity's network, it must be protected with encryption. Encryption in transit (TLS) protects a message hop by hop, and end-to-end encryption protects the body and attachments, but neither guarantees that the Subject line stays private: end-to-end schemes such as S/MIME and OpenPGP leave the subject and other headers in clear, and subjects appear in notifications, previews and logs on every system the message passes through. Covered entities should therefore never put a patient's name or other PHI in the subject line of an email.
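The following Python example is added here and serves both the GDPR email encryption discussion earlier on this page and the HIPAA encryption requirement above; it is not code from the page. It refuses to send a message whose Subject matches PHI patterns (the header that encryption does not protect) and delivers only over STARTTLS with certificate verification and TLS 1.2 or newer, never falling back to plaintext. The PHI patterns, the relay host and the sample subjects are assumptions.

```python
"""Outbound PHI e-mail guard (added example; not code from the page).

Before a message carrying PHI leaves the organisation it (1) rejects any
Subject line matching PHI patterns, because end-to-end encryption leaves the
Subject in clear, and (2) delivers only over STARTTLS with certificate
verification and TLS 1.2 or newer, never falling back to plaintext.
MRN_PATTERN and friends, the relay host and the sample subjects are assumptions.
"""
import re
import smtplib
import ssl
from email.message import EmailMessage

# Constructed DLP patterns; a real deployment would tune these to its own identifiers.
MRN_PATTERN = re.compile(r"\bMRN[-\s]?\d{6,}\b", re.IGNORECASE)
DOB_PATTERN = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")
NAME_HINT = re.compile(r"\b(?i:patient)\s+[A-Z][a-z]+\s+[A-Z][a-z]+\b")


def subject_violations(subject: str) -> list:
    """Names of PHI patterns found in the subject; an empty list means it is clean."""
    found = []
    if MRN_PATTERN.search(subject):
        found.append("medical record number")
    if DOB_PATTERN.search(subject):
        found.append("date of birth")
    if NAME_HINT.search(subject):
        found.append("patient name")
    return found


def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def tls_context() -> ssl.SSLContext:
    """Verifying context: CA validation, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies the peer and refuses TLS 1.0/1.1."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def send_phi_message(msg: EmailMessage, relay_host: str, port: int = 587):
    """Refuse to send if the subject leaks PHI or the relay offers no STARTTLS."""
    problems = subject_violations(str(msg["Subject"] or ""))
    if problems:
        raise ValueError("PHI in subject line: " + ", ".join(problems))
    with smtplib.SMTP(relay_host, port) as smtp:  # relay_host is hypothetical
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("relay does not offer STARTTLS; refusing plaintext delivery")
        smtp.starttls(context=tls_context())
        smtp.ehlo()                               # re-identify over the encrypted channel
        smtp.send_message(msg)
```

The STARTTLS check only secures the hop to your own relay; what that relay does towards the recipient's server is a separate policy (it may still fall back to plaintext unless it enforces TLS for that destination). For the body and attachments to stay protected on every server in between, S/MIME or OpenPGP encryption of the message itself is needed, and the subject check above remains necessary in either case.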

Secure Messaging Solutions

HIPAA does not prohibit Bring Your Own Device (BYOD) policies. Health care workers can use their own personal devices as part of their daily work, but they must then use a secure messaging solution. With such a solution all activity on the platform is recorded and an audit trail is maintained; every message is encrypted, and messages cannot be sent outside the organisation's secure network.


HIPAA does not prohibit the use of email for sending ePHI, but it requires covered entities to protect ePHI and keep it confidential while transferring it online.


Can You Stop Phishing Emails? Why what you’re doing now is failing.

Phishing is a cyber attack in which criminals use disguised email as the weapon. The emails appear to come from a legitimate company and ask you to provide sensitive information; once you enter your personal data, it goes straight to the fraudsters. The details requested can include credit card numbers, account numbers, passwords, usernames and more.


There are various ways hackers can target organisations and their employees. The best way to tackle this is to learn how to identify such emails and how to stop them reaching inboxes.

How to stop phishing emails?

The best way to stop phishing emails is to build security awareness among staff by teaching them to recognise the signs of a phishing email. Organisations can also deploy filtering tools that identify phishing emails and stop them reaching inboxes, and tools that scan attachments and URLs within emails to neutralise malicious links. Publishing SPF, DKIM and DMARC records for your own domains, and checking them on inbound mail, makes it harder for attackers to spoof trusted senders.

How to spot phishing emails?

Here are some clues that an email is actually a scam:

  • Many phishing emails start with a generic greeting such as "Dear customer."
  • The email encourages you to click on a link, often one whose visible text does not match where it really goes.
  • Many phishing emails contain spelling or grammatical errors.
  • Phishing emails may ask you to confirm your personal information.
  • Many phishing emails contain a suspicious attachment.
  • The whole idea behind phishing emails is to create panic and pressure you into acting quickly.
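As an added example (not code from the page), the following Python turns the clues above into checks that can run over a parsed message, the way a simple mail-filter rule set would: a generic greeting, urgency language, a request to confirm details, a link whose visible text is a URL pointing at a different host, a display name that borrows a brand whose real domains do not match the sender, and risky attachment types. The brand-to-domain table, the scoring threshold and the two sample messages are constructed.

```python
"""Heuristic phishing scorer (added example; not code from the page).

Brand domains, keyword lists, the threshold and the two sample messages are
constructed assumptions; a production filter would use far larger lists and
sender-authentication results (SPF/DKIM/DMARC) alongside these heuristics.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued member")
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now", "urgent")
CONFIRM = ("confirm your", "verify your", "update your password", "re-enter your")
RISKY_EXT = (".exe", ".js", ".scr", ".iso", ".html", ".zip")
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Constructed: brands an attacker might impersonate and the domains they really use.
KNOWN_BRAND_DOMAINS = {"paypal": {"paypal.example", "mail.paypal.example"}}


def display_name_mismatch(from_header, known_brand_domains):
    """'PayPal Support <service@paypa1-secure.example>': brand in name, wrong domain."""
    for addr in from_header.addresses:
        name, domain = addr.display_name.lower(), addr.domain.lower()
        for brand, domains in known_brand_domains.items():
            if brand in name and domain not in domains:
                return True
    return False


def link_text_mismatch(html):
    """Visible link text is itself a URL but the href points at a different host."""
    for href, text in HREF_RE.findall(html):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        if shown.startswith(("http://", "https://", "www.")):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host and shown_host != real_host:
                return True
    return False


def score_message(raw, known_brand_domains=KNOWN_BRAND_DOMAINS):
    """Parse raw RFC 5322 bytes and return score, reasons and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    html_part = msg.get_body(preferencelist=("html",))
    plain_part = msg.get_body(preferencelist=("plain",))
    html = html_part.get_content() if html_part else ""
    plain = plain_part.get_content() if plain_part else re.sub(r"<[^>]+>", " ", html)
    text = ((msg["Subject"] or "") + "\n" + plain).lower()

    reasons = []
    if any(g in text for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(u in text for u in URGENCY):
        reasons.append("urgency language")
    if any(c in text for c in CONFIRM):
        reasons.append("asks to confirm personal details")
    if link_text_mismatch(html):
        reasons.append("link text/target mismatch")
    if msg["From"] and display_name_mismatch(msg["From"], known_brand_domains):
        reasons.append("display name/domain mismatch")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(RISKY_EXT) for n in names):
        reasons.append("risky attachment type")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}


def build_samples():
    """Constructed messages: one phish, one ordinary mail. All domains are invented."""
    phish = EmailMessage()
    phish["From"] = '"PayPal Support" <service@paypa1-secure.example>'
    phish["To"] = "victim@example.org"
    phish["Subject"] = "URGENT: confirm your account within 24 hours"
    phish.set_content("Dear Customer,\n\nYour account will be suspended. Confirm your password immediately.")
    phish.add_alternative('<p>Dear Customer,</p><p>Your account will be suspended. '
                          '<a href="http://paypa1-secure.example/login">https://www.paypal.example/login</a></p>',
                          subtype="html")
    phish.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                         filename="invoice.exe")
    legit = EmailMessage()
    legit["From"] = "Alice Rivera <alice@partner.example>"
    legit["To"] = "bob@example.org"
    legit["Subject"] = "Notes from Tuesday's meeting"
    legit.set_content("Hi Bob,\n\nAttached are the notes we discussed. No rush on the review.\n\nAlice")
    legit.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="notes.pdf")
    return phish.as_bytes(), legit.as_bytes()
```

Each clue on its own is weak (plenty of legitimate mail says "urgent"), which is why the verdict requires several to coincide; the link and display-name checks are the strongest signals here because they reflect the lookalike-address tactic described in the next section rather than wording.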

Why Are Phishing Attacks Still So Successful?

Hackers have become very skilled, and their phishing emails can still bypass filters and trick individuals. Scammers use the following tactics to outsmart their victims:

Look Legitimate:

Cybercriminals craft emails that look very realistic. The addresses they send from are hard to visually distinguish from those of recognised companies: lookalike domains, swapped characters such as a digit 1 in place of a lowercase l, or a trusted display name in front of an unrelated address.

Play on Human Weaknesses:

Cybercriminals know how to exploit human weaknesses. They send emails designed to make people act before they think, such as a warning that an account will be suspended, a notice of a rule violation, or a lottery win.

Not Always a Payload:

Not every phishing email carries a malicious attachment or link; some rely entirely on social engineering, such as a request to make a payment or change bank details. Those closely resemble normal emails and are therefore hard, but not impossible, to detect, especially for tools that only scan for payloads.

How Can You Protect Against Phishing?

User Education:

Educate users to stop and think before they act on an email, and teach them how to detect and report such emails.

Endpoint Protection:

Always run an up-to-date anti-malware program and keep it updated. Keep your browser, operating system and applications up to date as well, to limit the damage from known vulnerabilities if a user does open a malicious attachment or link.

Install anti-phishing software:

Anti-phishing software is a good way to get extra protection: browser and mail-client features that check URLs against lists of known phishing sites, and mail gateways that rewrite or sandbox links and attachments, block many attacks before the user ever sees them.