There has been much debate about HIPAA email compliance requirements since amendments were made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular concern is the wording of the HIPAA Security Rule which, although it does not outright prohibit the use of email to communicate PHI, includes a number of requirements that must be met before email communications can be referred to as HIPAA compliant (*).
HIPAA email rules obligate covered bodies to put in place access controls, audit controls, integrity controls, ID authentication, and transmission security in order to:
- Limit access to PHI
- Constantly review how PHI is communicated
- Ensure the safety of PHI at rest
- Make sure message accountability is 100%
- Secure PHI from unauthorized access while in transit
Some HIPAA covered bodies have made the case that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not cover encryption alone. Encryption, on its own, does not fulfill the audit control requirement of reviewing how PHI is transmitted or the ID authentication requirement to ensure message accountability.
In addition, some required functions, such as the creation of an audit trail and stopping the improper modification of PHI, are difficult to implement. So, although email can be made HIPAA compliant, it requires major IT resources and a continuing monitoring procedure to ensure that authorized users are transmitting PHI in compliance with the organization's HIPAA policies for email.
(*) HIPAA compliance for email may not always be required if a covered body has an internal email network protected by an appropriate firewall.
Requirements for HIPAA Email Encryption
HIPAA email rules require messages containing ePHI to be secured in transit when they are sent outside a secured internal email network, beyond the firewall.
As previously stated, encryption is only one facet of required HIPAA compliance for email, but it will ensure that should a message be intercepted, the contents of that message cannot be read, thus stopping an impermissible disclosure of ePHI.
It should be remembered that encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for HIPAA compliance for email. That means encryption is not ‘required,’ but that does not mean encryption can be disregarded. Covered bodies must consider encryption and put in place an alternative, equivalent safeguard if it is decided not to use encryption. That applies to data at rest and data in transit.
A HIPAA covered body must decide whether encryption is appropriate based on the level of risk present. It is therefore necessary to complete a risk analysis to determine the risk to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be formulated, and encryption or an alternative measure put in place to lessen that risk to an appropriate and acceptable level. The decision must also be recorded. OCR will want to see that encryption has been considered, why it has not been implemented, and that the alternative security measure adopted in its place offers an equivalent level of protection.
Encryption is a key element of HIPAA compliance for email, but not all forms of encryption offer the same level of protection. Just as the HIPAA regulations do not specify a method of encryption, so as to accommodate advances in technology, it would not be proper to recommend a specific form of encryption on this page for the same reason. For example, a covered body could once have used the Data Encryption Standard (DES) algorithm to ensure HIPAA compliance for email, but that algorithm is now known to be highly unsafe.
HIPAA-covered bodies can receive up to date guidance on encryption from the National Institute of Standards and Technology (NIST) which, currently, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could change, so it is vital to check NIST's latest guidance before adopting encryption for email. NIST has released SP 800-45 Version 2, which will help organizations secure their email communications.
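The two properties this section asks of email encryption, that an intercepted message cannot be read and that improper modification of the PHI is stopped, are both provided by an authenticated cipher mode. The following is an added example, not code from the original article or from any HIPAA guidance, that seals a constructed sample message with AES-GCM at the key sizes NIST currently recommends (128, 192 or 256 bits) and shows that a flipped ciphertext byte or an altered header is rejected on decryption. The function names, the sample headers and body, and the key (generated locally here; in a real deployment it would come from the organization's key management system) are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptMessage seals an email body with AES-GCM. The key must be 16, 24 or
// 32 bytes (AES-128/192/256); aes.NewCipher rejects any other length, so a
// DES-sized 8-byte key cannot be used by mistake. headers is authenticated but
// not encrypted: routing metadata stays readable to the mail system, yet any
// change to it is detected on decryption. The random nonce is prepended to the
// ciphertext so the recipient can recover it. (Hypothetical helper name.)
func encryptMessage(key, body, headers []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, body, headers), nil
}

// decryptMessage reverses encryptMessage. A wrong key, altered ciphertext or
// altered headers all fail the GCM tag check and return an error instead of
// garbled or silently modified PHI. (Hypothetical helper name.)
func decryptMessage(key, sealed, headers []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, headers)
}

// roundTrip encrypts body under key, decrypts it again, then checks that a
// single flipped ciphertext byte and a modified header are both rejected.
// It returns the recovered body and whether both tampering attempts failed.
func roundTrip(key, body, headers []byte) ([]byte, bool, error) {
	sealed, err := encryptMessage(key, body, headers)
	if err != nil {
		return nil, false, err
	}
	recovered, err := decryptMessage(key, sealed, headers)
	if err != nil {
		return nil, false, err
	}
	// Integrity check 1: flip one byte of the sealed message (here, the tag).
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, errCT := decryptMessage(key, tampered, headers)
	// Integrity check 2: change the authenticated headers.
	altered := append(append([]byte(nil), headers...), []byte("X-Forwarded: yes\r\n")...)
	_, errHdr := decryptMessage(key, sealed, altered)
	return recovered, errCT != nil && errHdr != nil, nil
}

func main() {
	key := make([]byte, 32) // AES-256; a real deployment would fetch this from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample message; not real PHI.
	headers := []byte("From: clinic@example.org\r\nTo: lab@example.org\r\n")
	body := []byte("Patient MRN 0000000: repeat HbA1c ordered.")
	recovered, tamperRejected, err := roundTrip(key, body, headers)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered body matches: %v\ntampering rejected: %v\n",
		bytes.Equal(recovered, body), tamperRejected)
}
```

Two design points are worth noting for the audit trail discussed above: the nonce must never repeat under the same key (a fresh random nonce per message is adequate for AES-GCM at email volumes), and keeping headers as authenticated-but-unencrypted data lets the mail system route the message while still guaranteeing that what the recipient decrypts is exactly what the sender addressed and sent.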
How HIPAA Compliance for Email Issues are Resolved with Secure Messaging
Secure messaging is an acceptable alternative to email as it fulfills all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email employs secure messaging apps that can be downloaded onto any desktop computer or mobile device.
Authorized users have to log into the apps using a unique, centrally-issued username and PIN, which then permits their activity to be reviewed and audit trails to be created. All messages holding PHI are encrypted, while security mechanisms exist to make sure that PHI cannot be transmitted outside of an organization's network of authorized users.
Administrative controls stop unauthorized access to PHI by assigning messages “message lifespans”, forcing automatic logoffs when an app has been inactive for a predetermined period of time, and allowing the remote wiping of messages from a user's device if the device is lost, stolen or otherwise disposed of.
The Advantages of Secure Messaging
The main benefit of secure messaging when compared to email is the quickness at which people respond to text messages. Studies have shown that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unseen for forty-eight hours.
The speed of communications is further accelerated by the mechanisms that implement message accountability. These significantly reduce phone tag, giving employees more time to dedicate to their duties. In a healthcare setting, this means less time waiting by a phone and more time treating patients.
This acceleration of the communications cycle also lessens the time it takes to admit or discharge a patient, how long it takes for prescription mistakes to be resolved, and the duration of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than standard email, and less trouble to put in place than resolving HIPAA compliance for email.
Archiving PHI Encrypted Emails
Though the implementation of a secure messaging solution is an appropriate alternative option to email, covered bodies are required to retain past communications holding PHI for a duration of six years. Depending on the size of the covered body, and the volume of emails that have been sent and received during this period, storing PHI can create a storage issue for many companies and bodies. The solution to this potential issue is encrypted email archiving for PHI.
Vendors supplying an email archiving service are referred to as Business Associates, and have to comply with the same requirements of the HIPAA Security Rule as covered bodies. Therefore, their service must have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. In order to adhere to HIPAA email rules on transmission security, all emails must be encrypted at source before being transmitted to the service provider’s secure storage facility for archiving.
The biggest benefit of encrypted email archiving for PHI is that, as the emails and their attachments are encrypted, the content of each email is indexed. This makes for simple retrieval should a covered entity require quick access to an email to comply with an audit request or to advance research. Other bonuses include the creation of storage space on a covered entity’s servers and that encrypted email archiving for PHI can be employed as part of a disaster recovery process.