Email is one of the most convenient ways of communicating with patients. HIPAA permits email communications, but expects covered entities to take the necessary precautions to protect the integrity and security of patient health information shared via email. Ensure you are not at risk by implementing secure email in your organization.
Secure Email and HIPAA
HIPAA email rules require covered entities to implement controls and security to restrict access to PHI, ensure the integrity of PHI at rest, safeguard PHI against unauthorized access during transit and ensure message accountability. The language of the HIPAA Security Rule is important as some standards are ‘required’ and some ‘addressable.’ Required rules must be mandatorily followed while you may or may not implement addressable rules if a thorough risk analysis concludes that implementation is not reasonable. An implementation specification deemed unreasonable can be replaced by an equivalent alternative.
Any decision you take regarding addressable specifications needs to be documented in writing. That means you cannot simply “opt out” of addressable specifications.
Sending PHI by email? Consider these risks
When transmitted via email, PHI is exposed to many risks, such as:
- the message could be mistakenly sent to the unintended recipient
- the email could be captured en route to the recipient.
- the message could be inappropriately accessed when in storage.
Imagine a scenario where a state Medicaid agency’s online form service provider emails information on forms to designated employees within the agency when the forms are submitted. If the email is not transmitted in a secure manner, then the PHI in the forms can be exposed. The compromised data can include names, addresses, birth dates, email addresses, admission and enrollment dates, Social Security numbers, Medicaid identification numbers, insurer name, medical condition, and more.
Although there is a small risk of the data being intercepted during transmission, it cannot be waived away. Mitigating the potential misuse of PHI is challenging and it is impossible to predict if someone who does capture PHI en route will use it for personal gain, commercial advantage or malicious harm. Better safe than sorry.
Encryption is an addressable standard, but you should not ignore it
Encryption is an addressable standard for email and data at rest. Still, it is a critical element of HIPAA compliance, particularly if email is your chief mode of communication. HIPAA does not specify the method of encryption, so you can consider various measures to maintain high levels of email security. Two main types of encryption can counter the common security problems encountered in email communications: symmetric encryption and asymmetric encryption.
Symmetric encryption involves encrypting a message into ‘cyphertext’ using a key shared by you and your correspondents. Cyphertext appears as a random sequence of characters, which can be decrypted and interpreted only with the secret key. This form of encryption deters eavesdropping of email and modification of messages in transit.
Asymmetric encryption, also known as public key cryptography, is a relatively new method compared to symmetric encryption. It uses two keys to encrypt plain text: the public key is available to anyone who wants to send you a message but the second private key is known only to you. A message encrypted with a public key can be decrypted using a private key, while a message encrypted with a private key can be decrypted with a public key.
Besides sending secure messages, asymmetric encryption allows you to prove to someone that you sent a message, sign a message to validate that it was you who sent it and help the recipient determine if the message was modified in transit, and take the most secure route – add a signature to the message and then encrypt the message and signature with the recipient’s public key. This addresses risk of eavesdropping and offers proof of sender and message integrity.
Encrypted email archiving
Email archiving is an important HIPAA-compliant email practice, enabling covered entities to retain and protect PHI-containing email messages, while also making archived email easy to retrieve, especially during emergencies, litigation discovery and compliance audits.
Email archiving providers are designated as Business Associates, and must comply with the HIPAA Security Rule as like covered entities. Check out this article to learn about when and why a BAA is required.
Choosing a secure email provider
Another conversation you will have with regard to email security is the choice of email provider. Your email provider should be cognizant of the administrative, physical and technical safeguards stipulated under the HIPAA regulations as well as provide a reliable service. Some questions that you should ask a potential provider include:
- Is the provider aware of their responsibilities under HITECH and Omnibus?
- Are they willing to advise you on your security and privacy options?
- Do they have controls in place to validate and audit each user’s access?
- What types of email encryption are offered?
- Do they dispose of data securely?
- Can they ensure emergency access to your email?
- Do they provide web-based access without requiring a third-party software?
- Will they sign a HIPAA Business Associate Agreement?