
HIPAA has numerous rules and regulations to adhere to when it comes to patient health information. The evolving world of Internet technology has complicated this to some degree, and that includes email communication. If email messages contain electronic protected health information (ePHI), they become a HIPAA concern that has to be dealt with accordingly. This is usually resolved by adding more security to both the email network and the Internet service.

How Emails Need to Meet HIPAA Compliance

HIPAA email compliance has been a fiercely debated subject ever since modifications were made back in 2013 to the Health Insurance Portability and Accountability Act (HIPAA). Of particular significance is the wording of the HIPAA Security Rule, which, although not explicitly barring the use of email to share PHI, lists a number of things that need to be in place before email communications will be regarded as HIPAA compliant (*).

HIPAA email guidelines require covered entities to put access, audit, and integrity controls, as well as ID authentication and transmission security into operation with the intention of accomplishing the following:

  • Limiting access to PHI
  • Monitoring how PHI is shared
  • Ensuring the privacy and accuracy of PHI that isn’t being actively shared
  • Ensuring 100% communication accountability
  • Guarding PHI from unapproved access during transport

Some HIPAA-covered entities have argued that encryption alone is enough to make email HIPAA compliant. But the HIPAA email rules require more than encryption. Encryption by itself does not satisfy the audit control requirement for tracking how PHI is shared, nor the ID authentication requirement for establishing message accountability.

Also, some necessary functions – such as forming an audit trail and preventing improper modification of PHI – are difficult to implement. So, even though email can be HIPAA compliant, it takes substantial IT resources and an ongoing monitoring system to make certain that approved users are sharing PHI in accordance with HIPAA email compliance policies.

(*) HIPAA compliance for email is easily achieved if a covered entity has an internal email network protected by an appropriate firewall. Here at MAXtech, we can provide you with such a network, as we do currently for some of our clients.

HIPAA Email Encryption Requirements

HIPAA email rules mandate that messages be protected when shared if they include ePHI and are sent outside of a secure internal email network.

As mentioned earlier, encryption is just one aspect of HIPAA email compliance. But it will make certain that in the instance of message interception, the message content cannot be read, preventing unapproved and illegal disclosure of ePHI.

It is important to know that encryption is an addressable specification in the HIPAA Security Rule, both for data at rest and for HIPAA email compliance. In other words, encryption is not mandatory, but it cannot be discounted, either. Covered entities have to consider encryption, and if they choose not to use it they must put an alternative measure in place that provides equal protection. That applies to both data at rest and data in transit.

It is a covered entity’s duty to figure out whether encryption is necessary or not depending upon the level of risk entailed. This means it is necessary to perform a risk analysis to figure out what the threat level is to the privacy, integrity, and availability of ePHI when emailed.

A risk management strategy must then be created, and encryption or another measure applied to decrease that risk to a suitable level. The choice and the process of reaching it also have to be documented. The HHS Office for Civil Rights (OCR) will want evidence that encryption has been considered, the reasoning for not using it, and that the alternative safeguard implemented instead provides equal protection.

Encryption is a vital aspect of HIPAA email compliance, but not all types of encryption provide the same level of security. Just as an encryption technique is not detailed in HIPAA to allow for improvements in technology, it would also be inappropriate for us to suggest an encryption technique in this article for the very same reason. For instance, a covered entity previously could have used the Data Encryption Standard (DES) encryption system to guarantee HIPAA email compliance, but that system is now known to be very insecure.

HIPAA-covered entities can get up-to-date support on encryption from the National Institute of Standards and Technology (NIST), which currently recommends the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys. But that could change over time, so it is essential to check NIST's latest advice and information before employing email encryption. NIST has published SP 800-45 Version 2 – which will help covered entities protect their email communications.

How Secure Messaging Resolves Issues with HIPAA Compliance for Email

Secure messaging is a suitable alternative for emails as it meets all the requirements of the HIPAA Security Rule without giving up the easy accessibility and speed of mobile technology. The solution for HIPAA email compliance employs secure messaging apps, which can be downloaded onto any computer or mobile device.

Authorized users must log in to the apps using a one-of-a-kind, centrally issued username and PIN, which then allows for the monitoring of their activities and creation of audit trails. All messages that include PHI are encrypted, while security mechanisms are in place to make certain that PHI cannot be shared outside of a covered entity’s network of approved users.

Administrative controls ward off unauthorized access to PHI by setting up messages with “message lifespans,” necessitating automatic logouts when an app has been unused for a preset period of time, and allowing the remote removal of messages from a user’s device if it is lost, stolen or otherwise discarded.

The Advantages of Secure Messaging

The main advantage of secure messaging, as opposed to email, is how quickly people respond to text messages. Research has revealed that 90% of people open and read a text message within the first 3 minutes after receiving it, while about 25% of emails stay unopened for 48 hours.

The communications cycle is sped up by the mechanisms to implement message accountability. These greatly decrease the amount of phone tag that occurs, giving employees more time to fulfill their responsibilities. In a healthcare environment, this means far more time providing healthcare for patients compared to waiting by a phone.

This acceleration of the communications cycle also decreases patient admission and discharge times, the time it takes to fix prescription errors, and the time it can take to pay invoices. In the end, secure messaging is far more effective than email and easier to implement than bringing email into HIPAA compliance.

Encrypted Email Archiving for PHI

Even where a secure messaging solution is adopted as an alternative to email, covered entities must still preserve past communications that include PHI for 6 years. Depending on the size of the covered entity and the number of emails sent and received during this time, retaining PHI can become a storage problem for many organizations.

The way to address this possible issue is by using encrypted email archiving for PHI. Vendors providing an email archiving service are considered to be Business Associates and have to abide by the same conditions of the HIPAA Security Rule as covered entities. This means that their services must have access, audit, and integrity controls, as well as ID authentication so as to ensure the integrity of PHI. In order to abide by HIPAA email rules on transmission security, all emails need to be encrypted at the source prior to being sent to the service provider’s secure storage facility for archiving.

The main benefit of encrypted email archiving for PHI is that, as emails and their attachments are encrypted, all of their content is indexed. This greatly simplifies retrieval if/when a covered entity needs to find an email quickly to fulfill an audit request or to respond to a discovery request. Other benefits include freeing up storage space on an organization’s server and the fact that encrypted email archiving for PHI can be built into a disaster recovery strategy.

MAXtech Can Help You

Don’t let poor email security put your patients’ health information at risk. MAXtech specializes in helping healthcare professionals remain HIPAA compliant. Schedule a free HIPAA assessment with us to see how we can help you.