Are Emails HIPAA Compliant?
The use of email by HIPAA-covered entities to send sensitive patient health information is a much-debated topic. HIPAA compliant email is not specifically covered in the legislation and there is no mention in the HIPAA Security Rule about prohibiting the use of email to communicate PHI. That said, there are several points to consider before email could be regarded as a HIPAA compliant method of communicating PHI.
HIPAA regulations regarding email usage require covered entities to have access controls, integrity controls, audit controls, ID validation, and message transmission protection in place.
These controls help to:
- Minimize PHI access
- Keep track of how PHI is transmitted
- Protect the confidentiality and integrity of PHI at rest
- Ensure 100% accountability for sent messages
- Safeguard PHI in transit, preventing unauthorized access
Several HIPAA covered entities have argued that encryption is enough to ensure HIPAA compliance for email; however, HIPAA email requirements include controls that encryption does not cover, such as the audit control requirement, keeping track of PHI communications, or the ID validation requirement to make certain of message accountability.
In addition, a few requirements of the HIPAA Security Rule, such as maintaining an audit trail and blocking unauthorized changes to PHI, are not easy to implement. Email can be HIPAA compliant, but making email HIPAA compliant demands substantial IT resources and an ongoing tracking process to ensure that approved users are communicating PHI while following HIPAA compliant policies for email.
Requirements for HIPAA Email Encryption
Under the HIPAA email rules, messages that contain PHI must be kept safe in transit. This is achieved internally by ensuring all internal emails are sent behind the protection of a firewall to prevent interception.
However, when emails are sent beyond the company's internal email network and are no longer protected by a firewall, the messages should be encrypted. If encryption is used and a message containing protected health information is intercepted by an unauthorized individual, it will not be possible for the PHI to be viewed.
It should be noted at this point that encryption for data in transit, via email for example, is not a requirement of HIPAA. Encryption is only an addressable standard. That means that encryption must be considered but is not mandatory.
A covered entity needs to make a decision on whether or not to use encryption based on the level of risk. That is only possible by conducting a risk analysis to determine the risk to the confidentiality, integrity, and availability of ePHI that is sent via email. After conducting a risk analysis a risk management plan should be created. Risks must be reduced to an appropriate and acceptable level. Encryption is one way of managing risk, although it is acceptable to use an alternative, equivalent control in place of encryption. If an alternative is used, the decision process and the reason why encryption is not being implemented must be documented.
In reality, encryption of email is the easiest way to manage risks to the confidentiality, integrity, and availability of ePHI contained in emails. Encryption is therefore a crucial component of HIPAA compliance for email.
However, not all types of encryption give a similar degree of security. HIPAA does not specify a method of encryption due to the pace at which technology advances. For instance, a covered entity may have employed the Data Encryption Standard (DES) encryption algorithm in the past, but that algorithm is now known to be highly insecure.
The National Institute of Standards and Technology (NIST) provides updated guidance on encryption to HIPAA-covered entities. NIST has recommended that Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption be used, although that may well change in the future. Check NIST's latest guidance prior to employing any encryption for email.
The failure to use encryption for email, or an equivalent alternative security measure, could result in a significant financial penalty.
The penalties for HIPAA violations are as follows:
- Tier 1: Was unaware that HIPAA Rules were violated – $100 to $50,000
- Tier 2: HIPAA violation with reasonable cause – $1,000 to $50,000
- Tier 3: Willful Neglect – Corrected within 30 days – $10,000 to $50,000
- Tier 4: Willful Neglect – Not corrected within 30 days – $50,000
Why Secure Messaging Instead of Email
Secure messaging is one of the best alternatives to the use of email as it satisfies all the requirements of the HIPAA Security Rule without compromising the speed and ease of communication of email. It uses a secure messaging application which can be downloaded on any mobile device or desktop computer.
Authorized users need to sign into the application utilizing a unique username and PIN number. All user activities are monitored, and audit trails are maintained. All messages containing PHI are encrypted, and security systems make certain that PHI is not sent beyond an organization's network.
Administrative controls stop unauthorized PHI access by giving messages a “lifespan” and automatically logging off the user when the app has been inactive for a set period of time. Messages from a user's device may also be remotely deleted if a device is lost or stolen.
The Advantages of Secure Messaging
The major advantage of secure messaging in comparison to email is speed of information access. Studies have revealed 90% of users read a text message within three minutes of receiving it, while roughly 1/4 of emails are not opened for 48 hours.
The cycle of communication is made even faster because of mechanisms that impose message accountability. These substantially decrease phone tag, giving employees more time to complete their work duties. In a healthcare setting, this translates to less time making phone calls and more time providing medical care to patients.
This speed of the communication cycle additionally reduces the time to admit or discharge patients, to correct prescription errors, and to get invoices paid. Secure messaging services are easier to implement compared to managing HIPAA compliance for email and make it much harder for employees to accidentally violate HIPAA Rules.
Archiving Encrypted Email with PHI
A secure messaging solution may be a good alternative to email; however, covered entities need to retain messages containing PHI. This can create a storage problem, especially for large organizations with many employees. One solution is to use a cloud-based email archiving solution.
Vendors offering email archiving services are considered business associates under HIPAA, and therefore need to comply with the provisions of the HIPAA Security Rule. For that reason, their service must include appropriate access controls, integrity controls, audit controls and ID validation to ensure the confidentiality, integrity, and availability of PHI. To abide by the HIPAA email rules on transmission security, emails must be encrypted prior to being delivered to the service provider’s safe storage center for archiving.
The most important advantage of archiving encrypted email containing PHI is that the emails are indexed and searchable. This makes retrieval easy when a covered entity needs the information for an audit, investigation, or during legal discovery. Other benefits include the freeing up of storage space on servers, resulting in significant savings on hardware.