HIPAA Compliance for Email

HIPAA compliance for email has been a much discussed topic since amendments to the Health Insurance Portability and Accountability Act (HIPAA) were enacted in 2013. Of particular importance is the language of the HIPAA Security Rule, which, although it does not outright prohibit the use of email to communicate PHI, introduces a number of requirements that must be met before email communications can be considered HIPAA compliant(*).

HIPAA email rules require covered bodies to put in place access controls, audit controls, integrity controls, ID authentication, and transmission security in order to:

  • Limit access to PHI
  • Review how PHI is shared
  • Guarantee the integrity of PHI at rest
  • Enshrine 100% message accountability, and
  • Safeguard PHI from unauthorized access during transit

Some HIPAA covered bodies have argued that encryption is sufficient to allow HIPAA compliance for email. However, HIPAA email rules do not just include encryption. Encryption alone does not meet the audit control requirement of monitoring how PHI is transmitted or the ID authentication requirement to ensure message accountability.

In addition to this, some required functions, such as the creation of an audit trail and the prevention of improper modification of PHI, are difficult to achieve. So, although email can be considered HIPAA compliant, it requires major IT resources and a continuing monitoring process to ensure that authorized users are sending PHI in adherence with the organization's policies for HIPAA compliance for email.

(*) HIPAA compliance for email is not always necessary if a covered body has an internal email network secured by an appropriate firewall.

HIPAA Requirements for HIPAA Email Encryption

HIPAA email rules require messages to be safeguarded in transit if they include ePHI and are shared outside a protected internal email network, beyond the firewall.

As mentioned before, encryption is only one factor of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus stopping an impermissible disclosure of ePHI.

It should be remembered that encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for HIPAA compliance for email. That means encryption is not ‘required,’ but it does not mean encryption can be disregarded. Covered bodies must consider encryption and put in place an alternative, equivalent security measure if the decision is taken not to use encryption. That applies to data at rest and data in transit.

A covered body must decide whether encryption is appropriate based on the level of risk involved. It is therefore necessary to complete a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent through email. A risk management plan must then be created, and encryption or an alternative measure implemented to lessen that risk to an appropriate and acceptable level. The decision must also be recorded. OCR will want to see that encryption has been reviewed, why it has not been used, and that the alternative security measure put in place instead offers an equivalent level of protection.

Encryption is a vital element of HIPAA compliance for email, but not all forms of encryption provide the same level of security. Just as the method of encryption is not detailed in HIPAA to take into account advances in technology, it would not be proper to recommend a form of encryption on this page for the same reason. For instance, a covered body could have used the Data Encryption Standard (DES) encryption algorithm to ensure HIPAA compliance for email, but now that algorithm is known to be highly unsafe.

HIPAA-covered bodies can obtain up to date guidance on encryption from the National Institute of Standards and Technology (NIST), which, at the time of this article being published, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally shift, so it is crucial to check NIST's latest guidance before adopting encryption for email. NIST has also released SP 800-45 Version 2, which will help organizations safeguard their email communications.
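As an added illustration (not code from the original article), the following Go program shows how AES in GCM mode protects an ePHI message in transit with the integrity control the text asks for: the body is encrypted, and the clear-text routing header is bound to the ciphertext as associated data, so any modification of either is detected on receipt rather than silently yielding altered PHI. The header format and key handling are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what leaves the protected network: nonce and ciphertext plus the
// clear-text routing header, which AES-GCM authenticates as associated data.
type Envelope struct {
	Header     string // constructed format: "from=...;to=...;ts=..." (readable by relays)
	Nonce      []byte
	Ciphertext []byte // includes the GCM authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key => AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an ePHI message body. The header stays readable so the message
// can be routed, but it is bound to the ciphertext: any edit makes Open fail.
func Seal(key []byte, header string, body []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, body, []byte(header))
	return Envelope{Header: header, Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies and decrypts. Tampering with header, nonce or ciphertext
// returns an error instead of altered PHI.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Header))
	if err != nil {
		return nil, errors.New("integrity check failed: header or body modified in transit")
	}
	return body, nil
}
```

Encryption here covers confidentiality and integrity only; the audit trail and user authentication the Security Rule also requires still have to be implemented around it.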

How Secure Messaging Addresses Problems with HIPAA Compliance for Email

Secure messaging is an acceptable replacement for emails as it fulfills all the requirements of the HIPAA Security Rule without giving up the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging applications that can be installed onto any desktop computer or mobile device.

Authorized users have to log into the applications using a unique, centrally issued username and PIN, which allows their activity to be reviewed and audit trails to be created. All messages including PHI are encrypted, while security mechanisms are in place to ensure that PHI cannot be sent outside of an organization’s network of authorized users.

Administrative controls stop unauthorized access to PHI by assigning messages with “message lifespans”, forcing automatic logoffs when an application has not been used for a predetermined period of time, and permitting the remote deletion of messages from a user’s device if the device is lost, stolen or otherwise missing.

The Advantages of Secure Messaging

The main benefit of secure messaging when compared to email is the speed at which people reply to text messages. Studies have shown that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unseen for forty-eight hours.

The communications cycle is further speeded up by the mechanisms that enforce message accountability. These significantly lessen phone tag, allowing employees more time to attend to their duties. In the healthcare sector, this means less time waiting by a phone and more time giving healthcare to patients.

This acceleration of the communications cycle also minimizes the time it takes to admit or discharge a patient, how long it takes for prescription mistakes to be resolved, and the length of time it may take for invoices to be settled. Ultimately, secure messaging is a lot more effective than email, and less trouble to adopt than resolving HIPAA compliance for email.

PHI Encrypted Email Archiving

Even where a secure messaging solution is implemented as an acceptable alternative to email, covered bodies are required to retain past communications including PHI for a period of six years. Depending on the size of the covered body, and the volume of emails that have been sent and received during that time, the retention of PHI can create a storage issue for many organizations. The solution to this potential problem is encrypted email archiving for PHI.

Suppliers providing an email archiving service are referred to as Business Associates, and have to comply with the same requirements of the HIPAA Security Rule as covered bodies. Therefore, their service has to have access controls, audit controls, integrity controls, and ID authentication in order to guarantee the integrity of PHI. In order to comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being transmitted to the service provider’s secure storage facility for archiving.

The main benefit of encrypting email archives for PHI is that, as the emails and their attachments are being encrypted, the content of each email is indexed. This results in easy retrieval should a covered body need to access an email quickly to comply with an audit request or to support discovery. Other benefits include the freeing of storage space on a covered body's servers, and that encrypted email archiving for PHI can be used as part of a disaster recovery measure.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth.