HIPAA’s email rules may be complicated at first glance, but ultimately can be broken down into a number of comprehensible stipulations and requirements. It is vital that any organisation has a good grasp of HIPAA’s email rules before they use any electronic messaging services; failure to do so may but patient information in danger and result in large fines levied against the organisation. In this article, we outline HIPAA’s email encryption requirements, but it is recommended that an organisation seeks advice from legal professionals before implementing any new business practices and systems.
According to HIPAA, email messages are required to be secure “in transit” (as the message is being sent between one device and another) if they contain ePHI and are sent outside a protected internal email network, beyond the firewall. Encryption is the most common way of ensuring the integrity of the message. If a message is encrypted, even if it is intercepted by an unauthorised third-party, the contents of the message remain secure unless the third-party has independently obtained the key to decipher the message.
Encryption is what is known as an “addressable standard” in the HIPAA Security Rule; it is not required in order to be HIPAA compliant, but an appropriate alternative must be in place if for some reason an organisation decides not to use encryption. Covered entities (CEs) are encouraged to consider encryption while creating their security network. An equivalent alternative safeguard is recommended if the CE takes the decision to use encryption.
The CE must fully document their decision-making process and show why an alternative security method is best for their organisation. There must be official records of this decision being made, in case a breach occurs and legal proceedings require evidence that the CE has taken the appropriate measures to be HIPAA compliant. The Department of Health and Human Service’s Office for Civil Rights (OCR) will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.
If encryption is ultimately chosen by the CE as the best option for their organisation, there are still many options to chose from. Different types on encryption offer different levels of security. HIPAA legislation is deliberately vague when it comes to mentioning any specific type of encryption methods. This is to allow for both flexibility for the organisation to adopt security measures in line with the organisation’s needs, and to allow for legislation to “age” well in a time when technology is advancing at a rapid pace.
For example, a covered entity could have used the Data Encryption Standard (DES) encryption algorithm to ensure HIPAA compliance for email, but now that algorithm is known to be highly insecure.
HIPAA-covered entities can obtain up-to-date guidance on encryption from the National Institute of Standards and Technology (NIST), which at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. This recommendation could change over time, so it is important to check NISTs latest guidance before implementing encryption for email.
Secure Messaging and HIPAA
Secure messaging is an increasingly popular replacement for traditional email communications within an organisation. Secure messaging solutions are designed to fulfil all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device. Recent surveys have shown that up to 80% of healthcare professionals are now heavily reliant on their mobile devices at work. Installing secure messaging solutions onto devices allow for a streamline, secure way of sending PHI between healthcare professionals while integrating the convenience of modern technology.
Secure messaging solutions have a range in inbuilt safeguards to ensure the integrity of PHI. Authorized users must log into the apps using a unique, centrally-issued username and PIN number that then allows their activity to be monitored and audit trails created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization´s network of authorized users.
Administrative controls prevent unauthorized access to PHI by assigning messages with “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period, and allowing the remote deletion of messages from a user´s device if the device is lost, stolen or otherwise disposed of.
As secure messages have a format that is quite similar to text messages, they also improve the efficiency in communications between healthcare professionals. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours. The rapidity with which people respond to text messages could lead to vital improvements in patient care.
This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is significantly more effective than email, and less trouble to implement than resolving HIPAA compliance for email. There is a huge variety in the number of secure messaging solutions available, with some specialising in providing services for healthcare professionals. It is recommended that an organisation explores several options to decide which is the best fit for their specific needs.
Encrypted Email Archiving for PHI
Organisations are not only required to ensure that emails are secure while in transit or being stored on devices while they’re in use, but when they are archived once they have served their immediate purpose. Encrypted email archiving has become an attractive solution for CEs tasked with storing vast amount of patient data. CEs are required to retain past communications containing PHI for a period of six years. Depending on the size of the CE, and the volume of emails that have been sent and received during this period, the retention of PHI can create a storage issue for many organizations if encrypted email is not used.
Third-party individuals who provide an email archiving service are regarded as Business Associates. By the HIPAA Security Rule, they must adhere to the same standards as covered entities. Therefore, their service must have access controls, audit controls, integrity controls, and ID authentication to ensure the integrity of PHI. To comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving. Ultimately, it is the CE’s responsibility to ensure that their business associates adhere to these standards.
Aside from solving the storage issue, encrypted email archiving for PHI offers other practical advantages. As the emails and their attachments are being encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include the releasing of storage space on a CE’s servers and that encrypted email arching for PHI can be used as part of a disaster recovery plan.