HIPAA Email Rules

The Health Insurance Portability and Accountability Act (HIPAA) was changed in 2013 to accommodate developments in the healthcare industry. However, this also led to changes in how covered entities are expected to safeguard Protected Health Information (PHI) sent by email. These requirements are laid out in the HIPAA Security Rule. The rule allows PHI to be sent by email, but only if a number of measures are enacted to maintain its integrity.

The HIPAA Security Rule stipulates that all covered entities (CEs) and their business associates implement measures such as ID authentication, audit controls, and integrity and access controls. These measures restrict access to PHI, monitor the transfer of PHI between personnel, ensure PHI is protected both in transit and at rest, ensure accountability and prevent unauthorised personnel from accessing it.

Many CEs and their associates have argued that encryption is sufficient to ensure HIPAA compliance. Others claim that encryption alone doesn’t fulfil the requirement for ID authentication. Such authentication is necessary to track the data and ensure accountability.

Additionally, some requirements – such as an audit trail – are difficult to enact and relatively resource-intensive. Other measures pose similar challenges: preventing improper modification of PHI requires continual monitoring.

Encryption Requirements

Once a message that contains PHI goes beyond the CE’s internal firewall, it must be protected. According to HIPAA, encryption is an “addressable” safeguard. Perhaps counter-intuitively, this does not mean that the encryption requirement can be selectively ignored. Instead, it means that if the CE finds an alternative safeguard that provides the same level of protection, it may implement that instead. This decision should be justified through risk assessments.

It may not always be necessary to use encryption to protect patient PHI. If the data is only being communicated on an internal server within the CE’s firewall, there is no risk to the PHI from an outside party.

However, once the PHI data goes outside the CE’s firewall, it must be protected. Here, encryption becomes an “addressable requirement”. Any message that contains patient data must be protected unless the patient has given their permission for PHI to be used without encryption.

During the CE’s risk assessment, the main threats to the confidentiality and integrity of the PHI should be identified. This will then help the CE create a risk management plan with the aim of protecting the patient data. The decision to encrypt, or implement an alternative safeguard, should be carefully documented. Thus, if the Office for Civil Rights is required to do an audit or investigation, they will have the necessary information.

Encryption is not the only email requirement laid out by HIPAA, but it may be enough to ensure the PHI cannot be read by unauthorised personnel. However, not all levels of encryption offer the same level of protection. Some may quickly become outdated, whilst others will only be appropriate for certain platforms.

For best practice, CEs should refer to the guidelines laid out by the National Institute of Standards and Technology (NIST). The NIST, in turn, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.

Secure Messaging Solutions

With around 80% of healthcare employees using their own personal devices as part of their daily routine, it is not surprising that organisations are investigating new ways to ensure patient privacy. Secure messaging solutions fulfil HIPAA requirements whilst still allowing Bring Your Own Device (BYOD) policies to stay in place. The apps can be used on a wide range of devices irrespective of operating systems.

Essentially, secure messaging systems allow authorised users to log into the service using a centrally-issued username and PIN. This allows an audit trail to be created. All messages are encrypted, and messages cannot go outside the company’s secure network.

Administrators may also assign a “lifespan” to a message. This causes the message to be deleted after a certain period of time. Computers and mobiles may also have automatic log-offs from the service to prevent unauthorised access if the device is stolen or left unattended.

These services allow HIPAA compliance whilst also facilitating the speed of instant messaging and texts. This can speed up processes like admittance or discharge, or even reduce prescription errors. They also enforce message accountability, as there are records of who has seen each message.
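The message "lifespan" and the record of who has seen each message can be sketched together, as an added example that is not taken from any particular product. The class names `AuditTrail` and `MessageStore` are hypothetical, message bodies are treated as opaque ciphertext, and times are plain seconds supplied by the caller. Each audit entry carries an HMAC that also covers the previous entry, so an edited record is detectable.

```python
import hashlib
import hmac
import json

class AuditTrail:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""

    def __init__(self, key: bytes):
        self._key = key  # held by the server, never by client devices
        self.entries = []

    def _mac(self, prev: str, event: dict) -> str:
        body = prev.encode() + json.dumps(event, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, user, action, msg_id, ts):
        event = {"user": user, "action": action, "msg": msg_id, "ts": ts}
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"event": event, "mac": self._mac(prev, event)})

    def verify(self) -> bool:
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["event"])):
                return False  # this entry, or one before it, was altered
            prev = entry["mac"]
        return True

class MessageStore:
    def __init__(self, audit: AuditTrail):
        self.audit = audit
        self._msgs = {}  # msg_id -> (opaque ciphertext, expiry time)

    def send(self, msg_id, sender, ciphertext, now, lifespan_s):
        self._msgs[msg_id] = (ciphertext, now + lifespan_s)
        self.audit.record(sender, "send", msg_id, now)

    def read(self, msg_id, user, now):
        item = self._msgs.get(msg_id)
        if item and now >= item[1]:  # lifespan elapsed: delete before serving
            del self._msgs[msg_id]
            self.audit.record("system", "expire", msg_id, now)
            item = None
        self.audit.record(user, "read" if item else "read-denied", msg_id, now)
        return item[0] if item else None

    def readers(self, msg_id):
        return [e["event"]["user"] for e in self.audit.entries
                if e["event"]["msg"] == msg_id and e["event"]["action"] == "read"]
```

The chain detects edits to existing entries; detecting removal of the most recent entries additionally requires storing the latest MAC somewhere the log's writer cannot change.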

Archiving Encrypted Emails

In accordance with HIPAA, CEs are required to keep digital communications dating back six years. This may require a lot of storage space. The problem may, however, be solved by encrypted email archiving for PHI. Alongside encrypting emails and attachments, encrypted email archiving creates an index of emails that facilitates easy access.