What is HIPAA compliant email?

Are Emails HIPAA Compliant?

The changes made to the Health Insurance Portability and Accountability Act (HIPAA) in 2013 failed to clear much of the ambiguity regarding the HIPAA compliance of emails. The HIPAA Security Rule has been criticised; it did not explicitly ban the use of email to communicate PHI, but instead introduced several requirements to be met before email communications can be considered HIPAA compliant.

HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security must be fulfilled to:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Some HIPAA CEs have argued the case that encrypting emails is sufficient to ensure HIPAA compliance. However, HIPAA email rules do not deem encryption alone sufficient to fulfil the audit control requirements of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Some required functions are so complex that no adequate solution has yet been created. One such issue is the creation of an audit trail and preventing the improper modification of PHI. Therefore, to render emails HIPAA compliant, CEs are required to invest a significant number of IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

HIPAA Email Encryption Requirements

HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

Even though encryption is only one element of HIPAA compliance for email, its importance is heavily emphasised by legislators. It ensures that in the event of a message being intercepted, the contents of that message cannot be read.

Encryption is an addressable standard in the HIPAA Security Rule for data at rest and HIPAA compliance for email. Confusingly, encryption is not ‘required,’ but that does not mean encryption can be ignored. Covered entities are encouraged to consider encryption while creating their security network. An equivalent alternative safeguard is recommended if the CE takes the decision to use encryption.

A covered entity decision on whether encryption is appropriate is largely based on the level of risk involved. They are required to conduct a risk assessment to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. HIPAA requires a risk management plan to then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. There must be official records of this decision being made, in case a breach occurs and legal proceedings require evidence that the CE has taken the appropriate measures to be HIPAA compliant. OCR will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Different forms of encryption offer different levels of security. HIPAA neglects to mention specific encryption methods in its legislation, as technological advances are unpredictable and their requirements may quickly become outdated. For example, a covered entity could have used the Data Encryption Standard (DES) encryption algorithm to ensure HIPAA compliance for email, but now that algorithm is known to be highly insecure.

HIPAA-covered entities can obtain up to date guidance on encryption from the National Institute of Standards and Technology (NIST), which at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is important to check NISTs latest guidance before implementing encryption for email.

Secure Messaging and HIPAA

Secure messaging is an appropriate substitute for emails as it fulfils all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device. As up to 80% of healthcare professionals are now heavily reliant on their mobile devices at work, this seems like a promising solution to the problem.

Authorized users must log into the apps using a unique, centrally-issued username and PIN number that then allows their activity to be monitored and audit trails created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization´s network of authorized users.

Administrative controls prevent unauthorized access to PHI by assigning messages with “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period, and allowing the remote deletion of messages from a user´s device if the device is lost, stolen or otherwise disposed of.

The primary benefit of secure messaging when compared to email is the speed at which people respond to text messages. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours. For those working in the medical field, this discrepancy becomes very important.

This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than email, and less trouble to implement than resolving HIPAA compliance for email.

Encrypted Email Archiving for PHI

Encrypted email archiving has become an attractive solution for CEs tasked with storing vast amount of patient data. CEs are required to retain past communications containing PHI for a period of six years. Depending on the size of the CE, and the volume of emails that have been sent and received during this period, the retention of PHI can create a storage issue for many organizations if encrypted email is not used.

Vendors providing an email archiving service are regarded as Business Associates. By the HIPAA Security Rule, they must adhere to the same standards as covered entities. Therefore, their service must have access controls, audit controls, integrity controls, and ID authentication to ensure the integrity of PHI. To comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.

Aside from solving the storage issue, encrypted email archiving for PHI offers other practical advantages. As the emails and their attachments are being encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include the releasing of storage space on a CE’s servers and that encrypted email arching for PHI can be used as part of a disaster recovery plan.