The Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information (PHI). When stored or transmitted electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard the integrity and confidentiality of electronic protected health information (ePHI). The most common way in which ePHI is shared is via email. No wonder HIPAA-compliant email security is a critical concern for healthcare organizations, with most preferring to outsource this item to knowledgeable providers.
The HIPAA Email Security Rule
The section of the HIPAA Security Rule that pertains to email explicitly requires adequate protection for all patient data and does not endorse or prohibit the use of any specific technologies to ensure robust protection. The rule lays down four standards:
- Organizational requirements state the specific functions a covered entity must perform, including implementing policies and procedures, and obligations concerning business associate contracts.
- Administrative requirements relating to employee training, professional development, and management of PHI.
- Physical safeguards encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backup and storage, and the destruction of obsolete data.
- Technical safeguards ensure the security of email data transmitted over an open electronic network and the storage of that data.
HIPAA-Compliant Email Checklist
While email encryption gets most of the spotlight during discussions on email security, HIPAA regulations cover a range of behaviors, controls, and services that work together to address eight key areas.
1. Access: How can you effectively safeguard access to your email account and email messages?
- Use strong passwords that cannot be easily guessed or memorized.
- Create different passwords for different sites and applications.
- Use two-factor authentication.
- Secure connections to your email service provider using TLS and a VPN.
- Block unencrypted connections.
- Be prepared with software that remotely wipes sensitive email off your mobile device when it is stolen or misplaced.
- Log off from your system when it is not in use and when employees are away from workstations.
- Emphasize opt-out email encryption to minimize breaches resulting from human error.
2. Encryption: Given that email is inherently insecure and at risk of being read, stolen, eavesdropped on, modified, forged, or repudiated, covered entities should go beyond the technical safeguards of the HIPAA Security Rule and adopt a ‘better safe than sorry’ approach to email security across message transmission, storage, and security, and in ensuring that the business associates they engage are HIPAA-compliant.
- Your email system should be able to send secure messages to anyone with any address.
- You should be able to receive secure messages from anyone.
- Implement measures to prevent the insecure transmission of sensitive data via email.
- Explore using features to retract a sent email message if it is found to wrongly contain sensitive data or to have been sent to the wrong address.
- Avoid opt-in encryption to satisfy the HIPAA Omnibus Rule.
3. Backups and archival: HIPAA sets forth rules on email backups and archival that apply even when sending unencrypted messages with patient consent.
- Are there backups of your email folders?
- Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
- Have you maintained separate, permanent, and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests and support business-critical scenarios.
4. Defense: Do you have controls in place to safeguard against malicious messages?
- Use server-side inbound email malware and anti-virus scanning to detect phishing and malicious links.
- Show the sender’s email address.
- Use email filtering software to detect fraudulent messages and ensure it uses SPF, DKIM, and DMARC information to classify messages.
- Scan outbound email.
- Scan workstations for malware and viruses.
- Use plain text previews of your messages.
5. Authorization: Protect others against malicious emails impersonating you by configuring your own domains with SPF and DKIM so that recipients’ email filters can identify forged emails. Also, ensure that users cannot send messages through your email servers without authentication and encryption.
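The SPF and DMARC settings mentioned under Defense and Authorization are easy to publish weakly (a permissive `all` qualifier, or a DMARC policy of `p=none`), in which case recipients' filters have nothing to reject. The following Python audit, an added example rather than anything from the original article, takes a domain's SPF and DMARC TXT records as strings (the sample records and the `clinic.example` / `mailprovider.example` names are constructed, not real domains) and reports the settings a receiver would not act on.

```python
"""Audit the SPF and DMARC TXT records of a sending domain for weak settings (offline)."""
import re
from typing import List, Optional

# Constructed sample records for a hypothetical domain; not real DNS data.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@clinic.example",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag/value pairs (v, p, rua, pct, ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_mechanism(record: str) -> Optional[str]:
    """Return the qualifier of the terminal 'all' mechanism ('-', '~', '?', '+'), or None if absent.
    A 'redirect=' modifier is not followed, so such records also report None."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (m.group(1) or "+") if m else None

def audit_domain(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Return findings a receiver-side filter would care about; an empty list means no weakness found."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record, so receivers cannot reject forged sender IPs")
    else:
        q = spf_all_mechanism(spf)
        if q in (None, "+", "?"):
            findings.append("SPF: terminal 'all' missing, '+all' or '?all' gives receivers no basis to reject")
        elif q == "~":
            findings.append("SPF: '~all' is softfail; move to '-all' once every legitimate sender is listed")
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append("DMARC: no v=DMARC1 record, so receivers apply no policy to SPF/DKIM failures")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'}; only p=reject makes receivers drop impersonations")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so authentication failures are never reported back")
    return findings
```

Calling `audit_domain(SAMPLE_RECORDS["spf"], SAMPLE_RECORDS["dmarc"])` on the constructed records reports the softfail SPF and the `p=none` DMARC policy; in practice the two strings would come from the domain's own DNS TXT lookups.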
6. Reporting: Setting accountability standards for email security is essential to establishing and improving your HIPAA compliance posture.
- Create login audit trails.
- Receive login failure and success alerts.
- Auto-block attackers.
- Maintain a log of all sent messages.
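The login audit trail, failure alerts and auto-blocking listed above only work together if something actually reads the trail. The Python review below is an added example, not code from the article, that runs over a constructed audit log in a hypothetical one-line-per-login format (the timestamps, user names and RFC 5737 test addresses are made up); it emits an alert for every failure, blocks a source IP after a threshold of failures inside a sliding window, and flags a success that follows recent failures from the same IP for review.

```python
"""Review a login audit trail: alert on failures, auto-block repeat offenders (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail in a hypothetical format: timestamp, event, user, source IP, result.
SAMPLE_LOG = """\
2024-03-01T08:00:01 login user=jdoe ip=198.51.100.7 result=FAIL
2024-03-01T08:00:09 login user=jdoe ip=198.51.100.7 result=FAIL
2024-03-01T08:00:15 login user=asmith ip=198.51.100.7 result=FAIL
2024-03-01T08:00:20 login user=admin ip=198.51.100.7 result=FAIL
2024-03-01T08:00:25 login user=jdoe ip=198.51.100.7 result=FAIL
2024-03-01T08:05:00 login user=mlee ip=203.0.113.9 result=FAIL
2024-03-01T08:05:30 login user=mlee ip=203.0.113.9 result=SUCCESS
"""

FAIL_THRESHOLD = 5              # failures from one source IP ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window trigger a block

def parse_line(line):
    """Parse one audit line into (timestamp, user, ip, result); None for lines that do not fit."""
    try:
        ts, _, user, ip, result = line.split()
        return (datetime.fromisoformat(ts), user.split("=", 1)[1],
                ip.split("=", 1)[1], result.split("=", 1)[1])
    except (ValueError, IndexError):
        return None

def review_log(text):
    """Return (alerts, blocked_ips). Failures are counted per source IP regardless of
    user name, so a spray across many accounts from one IP is still caught."""
    alerts, blocked = [], []
    recent = defaultdict(list)          # ip -> timestamps of failures inside WINDOW
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, user, ip, result = event
        stamp = ts.isoformat()
        if result != "FAIL":
            if result == "SUCCESS" and recent[ip]:   # success right after failures deserves a look
                alerts.append(f"{stamp} REVIEW user={user} ip={ip} succeeded after {len(recent[ip])} failures")
            continue
        alerts.append(f"{stamp} FAIL user={user} ip={ip}")
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) >= FAIL_THRESHOLD and ip not in blocked:
            blocked.append(ip)
            alerts.append(f"{stamp} BLOCK ip={ip} after {len(recent[ip])} failures in {WINDOW}")
    return alerts, blocked
```

On the sample, `review_log(SAMPLE_LOG)` blocks 198.51.100.7 at its fifth failure within 25 seconds and leaves 203.0.113.9 unblocked, while still surfacing that address's success-after-failure for a human to check.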
7. Reviews and policies: Use best practices of email security that focus on plugging vulnerabilities and preventing human errors.
- Invite independent third parties to review your email policies and user settings. Fresh, unbiased eyes can weed out issues quickly.
- Disallow the use of public Wi-Fi for devices that connect to your sensitive email.
- Create email policies that prohibit users from clicking on links or opening attachments that are not expected or requested.
8. Repeat: What you cannot manage in-house, outsource to expert providers and vendors. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.