How Is HIPAA-Compliant Email Different from Secure Email?

June 21st, 2017

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person’s medical information, including their transit, storage and security. Because email is such an important and extensively-used form of communication, HIPAA regulations apply to it as well.

HIPAA-compliant email vs secure email

Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.

What Is Secure Email?

Secure email can be a pretty broad term, but when most people refer to secure email they are generally talking about protecting the integrity and authenticity of emails, as well as preventing anyone except the desired recipient from being able to view the contents. There are several different technologies that can be used to secure email in this way.

To prevent hackers from accessing the information in your emails, several different forms of encryption are used to obscure the contents for everyone except those who have the key. These include SMTP TLS, PGP, S/MIME and Portal Pickup. Technologies such as S/MIME and PGP also allow you to use digital signatures, which can prove the authenticity of messages or tell the recipient whether the contents have been tampered with.

How Is HIPAA-Compliant Email Different?

Secure email is great and it should be used whenever you are sending sensitive or valuable information. Despite this, HIPAA regulations place even further demands on how you can use your email, particularly when it comes to PHI.

To be HIPAA-compliant, email providers need to do much more than simply provide encryption. Using a non-compliant provider can result in heavy fines or even lead to data breaches that cause huge damages to your company.

The main differences between secure email and HIPAA-compliant email are:

Email Archival

HIPAA regulations can be ambiguous at times. This gives businesses more freedom in coming up with effective privacy and security solutions, but it can also make compliance confusing. While email archival isn’t specifically required by HIPAA regulations, the Security Rule states that electronic communications that contain PHI need to be kept for at least six years. Email archival provides a convenient solution for doing this and meeting several other aspects of the regulations.

HIPAA stipulates that before you move equipment, you need to create an exact, retrievable copy of your ePHI. This will be done automatically if your emails are stored on the servers of a HIPAA-compliant provider.

Under HIPAA, you need to keep records of PHI disclosures for at least 3 years. HIPAA-compliant providers generally keep transmission logs, but these will not include the message content. Archiving your emails can keep a copy of the content if you ever need it for an audit.

HIPAA also states that you need procedures in place for accessing any necessary ePHI during emergencies. If your email is down when you need it most, email archival gives you a way to access this important information.

The regulation requires you to keep various other documents as well. If training details, complaints, patient records and procedural documentation are frequently sent through email, email archival gives you a convenient way to store them and meet the regulations.

Without some form of email archival, you cannot be in compliance.

Keeping Logs

One of the biggest differences between HIPAA-compliant email and secure email is that HIPAA requires extensive logging for auditing purposes. This logging goes even further than just keeping records of emails. To be HIPAA-compliant, email providers need to keep both physical and remote access logs to their servers. Not only can these be used in audits, but if there is a breach, they can be used to discover how it occurred and who was responsible.

For access logs to be compliant with HIPAA, they should keep time stamps for when users log in, as well as their IDs. Companies should also make sure to track login failures and password resets, which can be used to uncover hacking activity.
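As an added illustration (not code from the original post or from any provider), the following script checks constructed access-log lines for the fields named above, namely a timestamp and a user ID on every record, and summarises login failures and password resets per user so that a burst of failures followed by a reset stands out during an audit or incident review. The log format, the event names and the failure threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines in an assumed
# "timestamp user event source" format; the last line lacks a timestamp.
SAMPLE_LOG = """\
2017-06-21T08:00:12Z alice LOGIN_OK 10.0.0.5
2017-06-21T08:01:40Z bob LOGIN_FAIL 10.0.0.7
2017-06-21T08:01:52Z bob LOGIN_FAIL 10.0.0.7
2017-06-21T08:02:03Z bob LOGIN_FAIL 10.0.0.7
2017-06-21T08:02:15Z bob LOGIN_FAIL 10.0.0.7
2017-06-21T08:05:00Z bob PASSWORD_RESET 10.0.0.7
2017-06-21T08:05:30Z bob LOGIN_OK 10.0.0.7
carol LOGIN_OK 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<user>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|PASSWORD_RESET) (?P<src>\S+)$"
)

def parse_log(text):
    """Return (records, malformed); a line without a timestamp or user ID
    is not usable as an audit record and is reported separately."""
    records, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            malformed.append(line)
    return records, malformed

def review_access_log(text, fail_threshold=3):
    """Count failed logins and password resets per user and flag accounts
    whose failures reach the threshold (an assumed value for the example)."""
    records, malformed = parse_log(text)
    fails = Counter(r["user"] for r in records if r["event"] == "LOGIN_FAIL")
    resets = Counter(r["user"] for r in records if r["event"] == "PASSWORD_RESET")
    flagged = sorted(u for u, n in fails.items() if n >= fail_threshold)
    # A reset following a burst of failures on the same account deserves a closer look.
    reset_after_fail = sorted(u for u in resets if fails[u] >= fail_threshold)
    return {
        "malformed": malformed,
        "failed_logins": dict(fails),
        "password_resets": dict(resets),
        "flagged_users": flagged,
        "reset_after_failures": reset_after_fail,
    }
```

Running `review_access_log(SAMPLE_LOG)` reports the timestamp-less line as malformed and flags the account with four failures and a reset.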

Opt-In vs Opt-Out Encryption

HIPAA dictates that all PHI needs to be encrypted when sent in an email. While encryption is an important part of protecting our information, it can also be a hassle to use. Many businesses frequently send emails that don’t need to be encrypted, so forcing all emails to be encrypted is excessive. Because of this, many email providers offer “opt-in encryption.”

Opt-in encryption means that if the email will contain PHI or other information that needs to be encrypted, the sender can check a box or add a code to encrypt the message. This comes with several issues. Employees may get distracted and forget to encrypt a message that contains PHI, they could mistype the code that triggers the encryption, or they just might not understand the importance of encryption enough to bother.

Considering that single violations can lead to penalties of $50,000, opt-in encryption can cost companies huge sums of money for seemingly insignificant mistakes. This is why opt-out encryption systems can be better.

Under opt-out encryption, instead of checking a box or entering a code to encrypt an email, the sender must check a box to prevent the message from being encrypted. This system can help reduce the chance of costly mistakes, because it’s not a big deal if a message accidentally gets encrypted.

In the worst case scenario, the recipient may not be able to open it and you can just send an unencrypted version of it later on. While opt-out encryption isn’t a requirement under HIPAA, it can certainly save your company from significant penalties for accidentally breaching the regulations. Opt-in encryption is too risky for HIPAA compliance.

If You Outsource Your Email, You Need to Sign a Business Associate Agreement with Your Provider

Even if your company fully complies with HIPAA regulations, it is all in vain if your email provider and other vendors don’t have the same attitude. PHI needs to be protected at all points, so if your provider is lax with the regulations, it exposes the records to vulnerabilities once they are out of your control.

This is where business associate agreements (BAAs) come in. These are contracts that are required under the HIPAA Omnibus rule of 2013. They are signed between the covered entity (for example, your company) and businesses that process or use your PHI (in this case, your email provider). These agreements are in place to ensure that the PHI is protected adequately.

Under a BAA, the covered entity needs to be assured that the business associate has the appropriate safeguards in place to keep the PHI safe. Although there are some exceptions, business associates must comply with the relevant HIPAA regulations concerning PHI in the same way that the covered entity does. If no BAA is in place, then both the covered entity and the business associate are in violation of HIPAA.

The BAA between your company and its email provider may include stipulations about how data is protected, how it is backed up and how it is disposed of. To adequately protect the PHI, your business associate may need to implement technologies such as encryption, automatic log off and access control, logging, as well as other measures that are appropriate for the organizational risks.

Make Sure You Choose HIPAA-Compliant Email

Navigating HIPAA is a challenging process and there are costly fines for any errors. As email is such a significant part of business communication, companies need to ensure that they are following the regulations closely. The compliance burden isn’t just limited to your own business, but also those that you share your PHI with. Because of this, you need to ensure that you are working alongside a reliable, trustworthy and compliant email provider who can protect the PHI of your clients.