HIPAA Email Rules: What You Need to Know

The Health Insurance Portability and Accountability Act (HIPAA) is a complicated law that defines the standards for the secure collection, transmission, and storage of protected health information (PHI). When information is stored or exchanged electronically, the HIPAA Security and Privacy Rules require covered entities, i.e., organizations that handle PHI, to safeguard its integrity and confidentiality.

One of the most common ways that PHI is shared electronically is via email, so understanding HIPAA email rules is essential for achieving compliance and protecting sensitive data.

The HIPAA Email Security Rule

It’s important to note that HIPAA does not require the use of any specific technology or vendor to meet its requirements. Generally speaking, the Security Rule requirements for email fall into four categories:

1. Organizational requirements state the specific functions a covered entity must perform, including implementing policies, procedures and obligations concerning business associate agreements (BAAs).
2. Administrative requirements relate to employee training, professional development, and management of PHI.
3. Physical safeguards encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backup and storage, and the destruction of obsolete data.
4. Technical safeguards ensure the security of email data transmitted over an open electronic network and the storage of that data.

Let’s move on to discussing some of the main requirements that apply to email and the steps you need to take to secure email accounts that transmit and store PHI.

HIPAA Email Rules: Compliance Checklist

While encryption gets most of the spotlight during discussions on email security, the HIPAA email rules, in contrast, cover a range of behaviors, controls, and services that work together to address eight key areas:

1. Access
2. Encryption
3. Backups and Archival
4. Defense
5. Authorization
6. Reporting
7. Reviews and Policies
8. Vendor Management

Let’s look at each aspect of HIPPA’s email rules in greater detail.

1. Access

Access controls help safeguard access to your email accounts and messages. Implementing access controls is essential to keep out unauthorized users and secure your data, with key steps including:

• Using strong passwords that cannot be easily guessed or memorized – and changing them frequently, e.g. every 30 days.
• Creating different passwords for different sites and applications.
• Enabling multi-factor authentication (MFA).
• Securing connections to your email service provider using TLS and a VPN.
• Blocking unencrypted connections.
• Pre-emptively installing software that remotely wipes sensitive email off your mobile device when it is stolen or misplaced.
• Logging off from your system when it is not in use and when employees are away from workstations.
• Emphasizing opt-out email encryption to minimize breaches resulting from human error.

2. Encryption

Email is inherently insecure and at risk of being read, stolen, intercepted, modified, and forged (repudiated). Covered entities should go beyond the technical safeguards of the HIPAA Security Rule and take steps that exceed what is required to futureproof their communications. Email encryption features to adopt include the following:

• The ability to send secure messages to anyone with any email address.
• The ability to receive secure messages from anyone.
• Implementing measures to prevent the insecure transmission of sensitive data via email.
• Exploring message retraction features to retrieve email messages sent to the wrong address.
• Avoiding opt-in encryption to satisfy HIPAA Omnibus Rule.

3. Backups and Archival

HIPAA email rules require copies of messages containing PHI to be retained for at least six years. In light of this, organizations must consider the following:

• How are email folders backed up?
• Are there at least two different backups at two different geographical locations? Additionally, the processes updating these backups should be independent of each other as a measure against backup system failures.
• Have you maintained separate, permanent, and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests, and support business-critical scenarios.

4. Defense

Cyber threats against healthcare organizations are continually on the increase. Some may be surprised to learn that HIPAA secure email rules mandate that organizations take steps to defend against possible malicious actors. With this in mind, consider implementing the following technologies:

• Server-side inbound email malware and anti-virus scanning to detect phishing messages and malicious links.
• Showing the sender’s email address by default on received messages.
• Email filtering software to detect fraudulent messages and ensure it uses Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) information to classify messages.
• Scanning outbound email.
• Scanning workstations for malware, i.e., viruses, ransomware, etc.
• Using plain text previews of your messages.

5. Authorization

A critical aspect of HIPAA’s email rules is ensuring that cybercriminals cannot impersonate your company or employees. Configuring your domains with SPF and DKIM is essential to verify your identity as an authorized sender of mail from your domains. Also, ensure that users cannot send messages through your email servers without authentication and encryption.

6. Reporting

Setting accountability standards for email security is essential to establishing and strengthening your HIPAA compliance posture. Important steps to take include:

• Creating login audit trails.
• Receiving login failure and success alerts.
• Auto-blocking known attackers.
• Maintaining a log of all sent messages.

7. Reviews and Policies

Humans are the greatest vulnerability to any security and compliance plan, so creating policies and procedures that focus on plugging vulnerabilities and preventing human errors is essential. Strategies for reducing risk include:

• Inviting independent third parties to review your email policies and user settings. Fresh, unbiased eyes can discover existing issues quickly.
• Preventing devices that connect to sensitive email accounts from connecting to public WiFi networks.
• Creating email policies prohibiting users from clicking on links or opening attachments that are not expected or requested.

8. Vendor Management

Most companies do not manage their email in-house, so it’s crucial to thoroughly research and vet whoever will be responsible for your email services. Perform an annual review of your email security and stay on top of emerging cybersecurity threats to take proactive action and for continued compliance with HIPAA email rules.

LuxSci’s secure high-volume email and marketing solutions are designed to help healthcare organizations tackle complicated HIPAA email rules and automate the compliance process. Contact us today to learn more about how our industry-leading HIPAA complaint email services can help you better secure your customer PHI and keep you in compliance.