The Health Insurance Portability and Accountability Act (HIPAA) is a complicated law that sets the standards for collecting, transmitting, and storing protected health information (PHI). When information is stored or exchanged electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard its integrity and confidentiality. One of the most common ways that PHI is shared electronically is via email. Understanding how HIPAA rules apply to email is essential to meet HIPAA requirements and protect sensitive data.
The HIPAA Email Security Rule
It’s important to note that HIPAA does not require the use of any specific technology or vendor to meet its requirements. Generally speaking, the Security Rule requirements for email fall into four categories:
- Organizational requirements state the specific functions a covered entity must perform, including implementing policies and procedures and obligations concerning business associate contracts.
- Administrative requirements relate to employee training, professional development, and management of PHI.
- Physical safeguards encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backup and storage, and the destruction of obsolete data.
- Technical safeguards ensure the security of email data transmitted over an open electronic network and the storage of that data.
Below, we discuss some of the main requirements that apply to email and the steps you need to take to secure email accounts that transmit and store PHI.
HIPAA Email Rules-Compliant Email Checklist
While email encryption gets most of the spotlight during discussions on email security, HIPAA regulations for email cover a range of behaviors, controls, and services that work together to address eight key areas.
1. Access: Access controls help safeguard access to your email accounts and messages. Implementing access controls is essential to keep out unauthorized users and secure your data. Some key steps to take include:
- Using strong passwords that cannot be easily guessed or memorized.
- Creating different passwords for different sites and applications.
- Using two-factor authentication.
- Securing connections to your email service provider using TLS and a VPN.
- Blocking unencrypted connections.
- Being prepared with software that remotely wipes sensitive email off your mobile device when it is stolen or misplaced.
- Logging off from your system when it is not in use and when employees are away from workstations.
- Emphasizing opt-out email encryption to minimize breaches resulting from human error.
2. Encryption: Email is inherently insecure and at risk of being read, stolen, eavesdropped on, modified, and forged (repudiated). Covered entities should go beyond the technical safeguards of the HIPAA Security Rule and take steps beyond what is required to futureproof their communications. Some email encryption features to adopt include the following:
- The ability to send secure messages to anyone with any email address.
- The ability to receive secure messages from anyone.
- Implementing measures to prevent the insecure transmission of sensitive data via email.
- Exploring message retraction features to retrieve email messages sent to the wrong address.
- Avoiding opt-in encryption to satisfy HIPAA Omnibus Rule.
3. Backups and Archival: HIPAA email rules require copies of messages containing PHI to be retained for at least six years. To address these requirements, organizations must consider the following:
- How are email folders backed up?
- Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
- Have you maintained separate, permanent, and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests, and support business-critical scenarios.
4. Defense: Cyber threats against healthcare organizations are continually increasing. Some may be surprised to learn that HIPAA secure email requirements mandate that organizations take steps to defend against possible attackers. To defend against malicious messages, consider implementing the following technologies:
- Server-side inbound email malware and anti-virus scanning to detect phishing and malicious links
- Showing the sender’s email address by default on received messages
- Email filtering software to detect fraudulent messages and ensure it uses SPF, DKIM, and DMARC information to classify messages
- Scanning outbound email
- Scanning workstations for malware and virus
- Using plain text previews of your messages
5. Authorization: A crucial aspect of HIPAA secure email requirements is ensuring that bad actors cannot impersonate your company or employees. Configuring your domains with SPF and DKIM is essential to verify your identity as an authorized sender of mail from your domains. Also, ensure that users cannot send messages through your email servers without authentication and encryption.
6. Reporting: Setting accountability standards for email security is essential to establishing and improving your HIPAA compliance posture. Some important steps to take include:
- Creating login audit trails.
- Receiving login failure and success alerts.
- Auto-blocking known attackers.
- Maintaining a log of all sent messages.
7. Reviews and Policies: Humans are the greatest vulnerability to any security and compliance plan. Create policies and procedures that focus on plugging vulnerabilities and preventing human errors. Some ways to reduce risk include:
- Inviting independent third parties to review your email policies and user settings. Fresh, unbiased eyes can weed out issues quickly.
- Disallowing the use of public Wi-Fi for devices that connect to your sensitive email.
- Creating email policies prohibiting users from clicking on links or opening attachments that are not expected or requested.
8. Vendor Management: Most people do not manage their email in-house. Properly vetting and researching whoever will be responsible for your email services is essential. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.
LuxSci’s secure email solutions were designed to help organizations tackle complicated HIPAA email rules. Contact us today to learn more how we can help you secure sensitive data.