The Health Insurance Portability and Accountability Act (HIPAA) was updated in 2013 to accommodate developments in work practices and technology adoption in the healthcare industry. However, this also led to changes regarding how covered entities are expected to safeguard Protected Health Information (PHI) sent via email. These requirements are laid out in the HIPAA Security Rule and were updated by the Omnibus Final Rule.
The HIPAA Security Rule allows PHI to be sent via email, but only if a number of safeguards are implemented to ensure the information remains confidential and cannot be tampered with in transit.
The HIPAA Security Rule stipulates that all covered entities (CEs) and their business associates implement measures such as ID authentication, audit controls, access controls, and integrity controls. They must restrict access to PHI, monitor the transfer of PHI between personnel, ensure PHI is protected both in transit and at rest, ensure accountability and prevent unauthorized personnel from accessing PHI.
It has been argued by many CEs and their associates that encryption is sufficient to ensure HIPAA compliance. Others claim that, alone, encryption doesn’t fulfill all HIPAA requirement, such as ID authentication. Such authentication is necessary to track the data and ensure accountability.
Additionally, some requirements – such as maintaining an audit trail – are difficult to enact and are relatively resource-intensive. Other measures pose similar challenges: Preventing improper modification of PHI, for example, requires continual monitoring.
Once a message that contains PHI goes beyond the CE’s firewall, it must be protected. According to HIPAA, encryption is an “addressable” safeguard. Perhaps counter-intuitively, this does not mean that the encryption requirement can be selectively ignored. Instead, it means that if the CE finds that there is an alternative safeguard that could provide the same level of protection, they may implement that measure in place of encryption. This decision should be supported by a risk analysis and the decision not to encrypt, and the reasons why, should be documented.
It may not always be necessary to use encryption to protect PHI. If the data is only being communicated internally and is protected by a firewall, the information is safeguarded against access by an outside third-party.
However, once the PHI data goes outside the protection of a CE’s firewall, additional safeguards are required. In such cases, encryption is required unless a patient has given permission for PHI to be sent without the protection offered by encryption.
During the CE’s risk assessment, threats and vulnerabilities to the confidentiality, integrity, and availability of PHI should be identified. Those threats and vulnerabilities must be addressed through a risk management plan and reduced to a reasonable and acceptable level. The decision not to encrypt and implement an alternative safeguard should be documented.
Encryption is not the only email requirement in HIPAA, but it may be enough to ensure PHI cannot be read by unauthorized individuals. However, not all levels of encryption offer the same level of protection. Some forms of encryption are only suitable for protecting low or moderately sensitive data or for use on certain platforms.
CEs should refer to the guidelines produced by the National Institute of Standards and Technology (NIST). At the time of writing, NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.
With around 80% of healthcare employees using their own personal devices as part of their daily routine, it is not surprising that organizations are investigating new ways to protect the privacy of communications made through those devices. Secure messaging solutions fulfill HIPAA requirements and support Bring Your Own Device (BYOD) policies. The apps can be used on a wide range of devices irrespective of operating systems and allow PHI to be securely shared with authorized individuals.
Secure messaging systems only allow authorized users to log into the platform. Each user is assigned a unique username and uses a PIN for authentication. All activity on platform is recorded and an audit trail is maintained. All messages are encrypted, and messages cannot be sent outside the company’s secure network.
Administrators may also assign a “lifespan” to a message. This causes the message to be deleted after a set period of time. It is also possible to easily see when a message has been delivered and read. Computers and mobiles may also have automatic log-offs configured to prevent unauthorized access if the device is left unattended, and messages and PHI can be remotely deleted in the event that a device is lost or stolen.
These solutions support HIPAA compliance and offer the convenience of instant messaging and texts. They can help speed up processes like admissions and discharges, reduce the potential for errors, and can even help to improve patient outcomes.
CEs are required to keep digital communications for six years. This may require a lot of storage space. The problem may, however, be solved using encrypted email archiving. These email archives encrypt stored PHI and also create an index of emails that facilitates easy access and allows the archive to be searched, in contrast to standard backups. This makes information retrieval quick and easy if messages need to be found as part of legal discovery or if they need to be provided for a compliance audit.
Simply put, yes, emails can be used to transmit PHI. However, before using email services to share protected health information, CEs and BAs should ensure that the email service that they use has enacted security protocols in line with the minimum standards established by the HIPAA Security Rule. All employees should receive training on how to use these services in a HIPAA-compliant manner.
There are a number of ways in which using emails to send PHI can lead to HIPAA violations. If emails are left open on desktops, for example, any passerby may be able to see information such as patient names contained in email subject headings, or open emails and access unprotected healthcare data. Emails may also be accidentally sent to unauthorized individuals, breaching the HIPAA Privacy Rule. If employees use their own devices to access work emails, and then that device is lost, it could then lead to a HIPAA breach. Care should be taken to ensure that employees understand these dangers and that safeguards are in place to protect against them.
Before using a third-party service, covered entities will need to enter a business associate agreement (BAA) with their email provider if they intend to use it to transmit PHI. These agreements cover a variety of topics, such as how the PHI will be used, the responsibilities of the business associate to protect the information, what will happen to the data upon termination of the contract etc. Microsoft and Google are both willing to enter BAAs that cover their email services.
The HIPAA Security Rule details the minimum administrative, technical, and physical standards needed to safeguard PHI. However, it is vague in its wording, and does not expressly stipulate that encryption is needed for emails to be HIPAA compliant. Even so, unless a better alternative is available, all emails should be end-to-end encrypted.
Under the HIPAA Security Rule, encryption is an “addressable” safeguard. This means that it should be used unless there is an alternative technology that offers protection that is at least equivalent to that provided by encryption. By having such “addressable” safeguards, it means that the HIPAA Security Rule can stipulate that PHI must be protected in line with industry standards without needing to be updated every time technology advances.
PHI stands for Protected Health Information and is any data that contains a HIPAA identifier that is used in a HIPAA-covered transaction. ePHI is simply electronic PHI, i.e. PHI that was created, transmitted, or stored electronically.