HIPAA-Compliant Email Checklist – 8 Things You Need to Know
The Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information (PHI). When stored or transmitted electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard the integrity and confidentiality of electronic protected health information (ePHI). The most common way in which ePHI is shared is via email. No wonder then that HIPAA-compliant email security is a critical concern for healthcare organizations, with a majority preferring to outsource this item to knowledgeable providers.
The HIPAA email security rule
The HIPAA Security Rule pertaining to email explicitly requires adequate protection for all patient data and does not endorse or prohibit the use of any specific technologies to ensure robust protection. The rule lays down four standards:
- Organizational requirements stating the specific functions that a covered entity must perform, including the implementation of policies and procedures and obligations with respect to business associate contracts.
- Administrative requirements related to the training, professional development and employee management covering PHI.
- Physical safeguards encompassing the security of computer systems, servers and networks, access to the facility and workstations, data back-up and storage and the destruction of obsolete data.
- Technical safeguards that ensure the security of email data transmitted over an open electronic network as well as the storage of that data.
Checklist for eight areas of email security
While email encryption gets most of the spotlight during discussions on email security, it covers a range of behaviors, controls and services that work together to address eight key areas.
1. Access: How effectively can you safeguard access to your email account and email messages?
- Use strong passwords that cannot be easily guessed or memorized
- Create different passwords for different sites and/or applications
- Use two-factor authentication
- Secure connections to your email service provider using TLS and/or a VPN
- Block unencrypted connections
- Be prepared with software that remote wipes sensitive email off your mobile device when it is stolen or misplaced
- Log off from your system when it is not in use and you’re not at your desk
- Emphasize opt-out email encryption to minimize breaches resulting from human error
2. Encryption: Given that email is inherently insecure and at a risk of being read, stolen, eavesdropped on, modified and forged (repudiated), covered entities should go beyond the technical safeguards of the HIPAA security rule and adopt a ‘better safe than sorry’ approach to email security across areas of message transmission, storage, security, and in ensuring that the business associates they engage are HIPAA compliant.
- Your email system should be able to send secure messages to anyone with any address
- You should be able to receive secure messages from anyone
- Measures should be in place to prevent the insecure transmission of sensitive data via email
- Explore the use of features to retract a sent email message if it is found to be wrongfully containing sensitive data or to have been sent to the wrong address
- Avoid opt-in encryption to satisfy HIPAA Omnibus Rule
3. Backups and archival: HIPAA sets forth rules on email backups and archival even for unencrypted email containing ePHI that are mutual consent cases.
- Are there backups of your email folders?
- Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
- Have you maintained separate, permanent and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests and support business-critical scenarios.
4. Defense: Do you have controls in place to safeguard against malicious messages?
- Use server-side inbound email malware and anti-virus scanning
- Use server-side inbound email scanning for phishing email
- Use server-side inbound email scanning for malicious links
- Show the sender’s email address
- Use filtering software to detect fraudulent messages, and ensure it is using SPF, DKIM and DMARC information to classify messages
- Scan outbound email
- Scan workstations for malware and virus
- Use plain text previews of your messages
5. Authorization: Protect others against malicious email impersonating you by configuring your own domains with SPF and DKIM so that recipients’ email filters can identify forged email. Also ensure that email cannot be sent through your email servers without authentication and encryption.
6. Reporting: Setting accountability standards for email security is an essential part of establishing and improving your HIPAA compliance posture.
- Create login audit trails
- Receive login failure and success alerts
- Auto-block attackers
- Maintain a log of all sent messages
7. Reviews and policies: Use best practices of email security that focus on plugging vulnerabilities and preventing human errors.
- Invite independent third parties to review your email policies and user settings. Fresh unbiased eyes can weed out issues quickly.
- Disallow the use of public Wi-Fi for devices that connect to your sensitive email
- Your email policy should prohibit clicking on links or opening attachments that are not expected or requested
8. Repeat: What you cannot manage in-house, outsource to expert providers and vendors. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.