HIPAA Email: Does it Require Encryption?
HIPAA’s encryption requirements fall in a grey area. This is mainly due to two reasons:
- encryption is required when ‘deemed appropriate’, which means email encryption is not absolutely necessary and ‘mutual consent’ can be used in place of encryption.
- there are a number of ‘addressable requirements’ pertaining to the technical safeguards as far as ePHI encryption is concerned
What exactly is mutual consent?
Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to patients’ email account without encryption. Patients should communicate their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally maintain all records of mutual consent.
Mutual consent does not waive off other HIPAA-related requirements. You must still use HIPAA complaint systems, log and audit non-encryption choices, and back-up and archive all email communications sent insecurely, etc.
Encryption at rest is ‘addressable’
‘Addressable’ means that the safeguard should be implemented or an alternative to the safeguard that delivers the same results should be implemented. In the absence of both, you should document and justify why no action has been taken with regard to the safeguard.
For example, encryption at rest is addressable – not required but great-to-have. It is required in areas deemed high-risk after a risk analysis. Data in storage at internal data centers may not be encrypted as the risk that it will be exposed arises when the disk is stolen, moved or decommissioned. The same logic can be applied to any removable media or portable device. Here, data can be transferred between locations or sent via the internet – in which case, the data will be in motion and hence vulnerable, requiring encryption. Encryption is also necessary when you want to protect any sensitive data on a device upon its disposal to avert any risk of the data being accidentally or intentionally retrieved.
Copiers and fax machines do not usually contain personally identifiable information, ePHI, confidential business information or intellectual property, can be secured in other ways. Fixed workstations in protected areas of your facility can be kept reasonably secure through biometrics, geofencing or a K-Lock. However, desktops used in shared workspaces, public areas or nurse stations, as well as laptops used outside of the organization should be encrypted.
You can encrypt an entire hard drive or individual files on it. Disposing of an encrypted drive is as easy as deleting the encryption keys. Disposing an unencrypted drive requires physical destruction of the drive or a drive sanitization using a low-level wiping tool.
At-rest encryption solutions for email
Email messages sent via SecureLine Escrow are encrypted and stored in a secure database. They are encrypted at rest and in transit. Messages sent via PGP and S/MIME are also encrypted at rest and during transmission. SecureLine Auto-Decrypt automatically decrypts inbound PGP and S/MIME encrypted email as it arrives, storing it as regular email in your account. There are some disadvantages of at-rest encrypted email (when the encryption is not just “full disk” encryption), as discussed here.
Secure email archiving calls for encryption
A secure email archiving system mandatorily requires encryption during export to ensure the integrity of ePHI. Ideally, you should also encrypt stored email messages. Auditing controls are also necessary to meet the administrative safeguards of the HIPAA Security Rule. Only authorized personnel should be able to retrieve archived emails when required, such as during audit requests.
Encryption in transit
Data is most vulnerable when it is in motion. Email can be sent to the wrong recipient, shared insecurely or hacked by malicious elements. Encryption of messages in transit is 100% needed and should be your go-to minimum solution to secure ePHI transmitted via email.
Popular email providers like Gmail, GoDaddy, Yahoo and Host Gator are not HIPAA compliant. Even if your email provider secures email with TLS encryption, there is no guarantee that your messages will be delivered securely. If the recipient’s email provider does not support TLS, your message could be transmitted unencrypted in plain text.
Encrypting individual messages and hard drives
As mentioned earlier, you can encrypt individual messages on a hard drive or the entire drive. By encrypting hard drives, you protect all the data on them, including sent email and email folders, and enjoy peace of mind knowing that patient data cannot be leaked in the event of theft. If full-disk encryption is not possible, you should consider encrypting specific files/folders containing sensitive data.
In any case, you should avoid storing PHI on external hard drives, USB flash devices, laptops and mobile devices unless absolutely necessary. If you must, the HIPAA Security Rule recommends that the data be encrypted or anonymized.