The Health Insurance Portability and Accountability Act (HIPAA) was updated in 2013 to accommodate developments in work practices and technology adoption in the healthcare industry. Among the changes were revised expectations about how covered entities safeguard Protected Health Information (PHI) sent via email. These requirements are laid out in the HIPAA Security Rule, as amended by the Omnibus Final Rule.
The HIPAA Security Rule allows PHI to be sent via email, but only if a number of safeguards are implemented to ensure the information remains confidential and cannot be tampered with in transit.
The HIPAA Security Rule's technical safeguards require all covered entities (CEs) and their business associates to implement access controls, audit controls, integrity controls, person or entity authentication, and transmission security. In practice this means restricting access to PHI, logging and monitoring the transfer of PHI between personnel, protecting PHI both in transit and at rest, ensuring accountability, and preventing unauthorized personnel from accessing PHI.
Many CEs and their business associates have argued that encryption is sufficient to ensure HIPAA compliance. Others point out that encryption alone does not satisfy every HIPAA requirement, such as person or entity authentication, which is necessary to attribute access to an individual and ensure accountability.
Some requirements, such as maintaining an audit trail, are difficult to implement and relatively resource-intensive. Other measures pose similar challenges: preventing improper modification of PHI, for example, requires integrity checks on stored and transmitted data together with continual monitoring.
Once a message that contains PHI leaves the CE's network boundary, it must be protected. Under HIPAA, encryption is an "addressable" implementation specification. Perhaps counter-intuitively, this does not mean the encryption requirement can be selectively ignored. It means the CE must assess whether encryption is reasonable and appropriate in its environment and implement it if so; if not, it may implement an equivalent alternative safeguard that provides the same level of protection. Either way, the decision must be supported by a risk analysis, and a decision not to encrypt, together with the reasons for it, must be documented.
It may not always be necessary to use encryption to protect PHI. If the data is only communicated internally, behind the CE's firewall, a perimeter firewall protects it against access by an outside third party. It does not, however, protect against insiders, compromised internal hosts, or misrouted messages, so the risk analysis must still consider those threats before concluding that internal traffic can go unencrypted.
Once PHI leaves the protection of the CE's firewall, additional safeguards are required. In such cases encryption is required unless the patient, after being informed of the risks, has requested or consented to receiving PHI by unencrypted email.
During the CE’s risk assessment, threats and vulnerabilities to the confidentiality, integrity, and availability of PHI should be identified. Those threats and vulnerabilities must be addressed through a risk management plan and reduced to a reasonable and acceptable level. The decision not to encrypt and implement an alternative safeguard should be documented.
Encryption is not the only email requirement in HIPAA, but it may be enough to ensure PHI cannot be read by unauthorized individuals. However, not all encryption offers the same level of protection. Deprecated algorithms and weak key lengths are unsuitable for sensitive data, and encryption that provides confidentiality only, without an integrity check, does not by itself detect tampering in transit. Note also that TLS between mail servers is hop-by-hop and often opportunistic, so it does not on its own guarantee end-to-end protection of a message.
CEs should refer to the guidelines produced by the National Institute of Standards and Technology (NIST). At the time of writing, NIST recommends the Advanced Encryption Standard (AES, FIPS 197) with 128, 192 or 256-bit keys, and OpenPGP or S/MIME for end-to-end email protection.
With around 80% of healthcare employees using their own personal devices as part of their daily routine, it is not surprising that organizations are investigating new ways to protect the privacy of communications made through those devices. Secure messaging solutions can satisfy the relevant HIPAA safeguards and support Bring Your Own Device (BYOD) policies. The apps run on a wide range of devices irrespective of operating system and allow PHI to be shared securely with authorized individuals.
Secure messaging systems only allow authorized users to log into the platform. Each user is assigned a unique username and authenticates with a PIN or similar credential, so every action can be attributed to an individual. All activity on the platform is recorded and an audit trail is maintained. All messages are encrypted, and messages cannot be sent outside the organization's secure network.
Administrators may also assign a "lifespan" to a message, after which it is automatically deleted. It is also easy to see when a message has been delivered and read. Computers and mobile devices can be configured to log off automatically to prevent unauthorized access if a device is left unattended, and messages and PHI can be remotely wiped if a device is lost or stolen.
These solutions support HIPAA compliance and offer the convenience of instant messaging and texts. They can help speed up processes like admissions and discharges, reduce the potential for errors, and can even help to improve patient outcomes.
HIPAA requires CEs to retain documentation required by the Security Rule for six years, and in practice this often means retaining email that contains such documentation or PHI. This may require a lot of storage space. The problem can be addressed with encrypted email archiving. These archives encrypt stored PHI and, in contrast to standard backups, also build an index of messages so the archive can be searched. This makes retrieval quick and easy if messages need to be found as part of legal discovery or provided for a compliance audit.