HIPAA’s Security Rule introduced several requirements that covered entities (CEs) must address in order to use email communications in a HIPAA-compliant manner.
HIPAA requires CEs to implement access controls, audit controls, integrity controls, ID authentication, and transmission security. These measures must be implemented to:
- Restrict access to PHI
- Monitor how PHI is communicated
- Ensure the integrity of PHI at rest
- Ensure 100% message accountability, and
- Protect PHI from unauthorized access during transit
Contrary to popular belief, HIPAA does not deem encryption alone sufficient to fulfil the audit control or user authentication requirements. Encryption must be used in conjunction with other security measures to ensure that email complies with the legislation.
HIPAA Email Encryption Requirements
HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.
Even though encryption is only one element of HIPAA compliance for email, its importance is emphasized by legislators. It ensures that if a message is intercepted, its contents cannot be read.
Encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for HIPAA compliance for email. Confusingly, encryption is not ‘required,’ but that does not mean encryption can be ignored. Covered entities are encouraged to consider encryption while designing their security network. If the CE decides not to use encryption, an equivalent alternative safeguard is recommended.
CEs should conduct a risk assessment to determine the threats to the PHI they hold and whether encryption should be used. If they decide not to use encryption, an equivalent security measure must be used. CEs should thoroughly document their decision-making procedure and reasons for not using encryption. In the event of a breach, the Office for Civil Rights would want to see these records to ensure that encryption was considered and a suitable alternative was implemented.
Different forms of encryption offer different levels of security. HIPAA neglects to mention specific encryption methods in its legislation, as technological advances are unpredictable and such requirements may quickly become outdated.
HIPAA-covered entities can obtain up-to-date guidance on encryption from the National Institute of Standards and Technology (NIST), which, at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is vital to check NIST’s latest guidance before implementing encryption for email.
Secure Messaging and HIPAA
Secure messaging is an appropriate substitute for email as it fulfils all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. These solutions require authorized users to log into the apps using a unique, centrally-issued username and PIN, which then allows their activity to be monitored and audit trails to be created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization’s network of authorized users.
Administrative controls prevent unauthorized access to PHI by assigning messages “message lifespans” and by forcing automatic logoffs when an app has not been used for a predetermined period. These solutions also allow the remote deletion of messages from a user’s device if the device is lost or stolen.
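The following is an added example, not code from the article or from any secure messaging vendor: a minimal model of the controls described above (central username/PIN login, an audit trail of each user’s activity, automatic logoff after an inactivity period, message lifespans, and refusal to deliver outside the authorized user list). The policy values, user names and PINs are constructed for illustration; the `SecureMessaging` class and its methods are hypothetical.

```python
import hmac

MESSAGE_LIFESPAN_S = 600    # assumed policy: messages expire after 10 minutes
INACTIVITY_LOGOFF_S = 300   # assumed policy: auto-logoff after 5 idle minutes


class SecureMessaging:
    def __init__(self, pins):
        self.pins = pins        # centrally issued user -> PIN (constructed)
        self.sessions = {}      # user -> time of last activity
        self.messages = []      # (sender, recipient, body, sent_at)
        self.audit = []         # (time, user, event): the audit trail

    def login(self, now, user, pin):
        ok = user in self.pins and hmac.compare_digest(self.pins[user], pin)
        self.audit.append((now, user, "login_ok" if ok else "login_failed"))
        if ok:
            self.sessions[user] = now
        return ok

    def _active(self, now, user):
        # Refresh the session, or auto-logoff when idle past the limit.
        last = self.sessions.get(user)
        if last is None:
            return False
        if now - last > INACTIVITY_LOGOFF_S:
            del self.sessions[user]
            self.audit.append((now, user, "auto_logoff"))
            return False
        self.sessions[user] = now
        return True

    def send(self, now, sender, recipient, body):
        if not self._active(now, sender):
            self.audit.append((now, sender, "send_denied_no_session"))
            return False
        if recipient not in self.pins:  # PHI may not leave the user network
            self.audit.append((now, sender, "send_denied_outside_network"))
            return False
        self.messages.append((sender, recipient, body, now))
        self.audit.append((now, sender, "sent_to:" + recipient))
        return True

    def inbox(self, now, user):
        # Return live messages for user; expired ones are purged (lifespan).
        if not self._active(now, user):
            return None
        self.messages = [m for m in self.messages if now - m[3] <= MESSAGE_LIFESPAN_S]
        self.audit.append((now, user, "inbox_read"))
        return [m[2] for m in self.messages if m[1] == user]
```

Every denied or expired action leaves an entry in `audit`, which is the record an auditor would expect to see alongside the encryption of the message bodies themselves.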
The primary benefit of secure messaging, when compared to email, is the speed at which people respond to text messages. Studies have shown 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours.
Encrypted Email Archiving for PHI
Encrypted email archiving has become an attractive solution for CEs tasked with storing a vast amount of patient data. CEs are required to retain prior communications containing PHI for six years. Depending on the size of the CE and the volume of email sent and received during this period, retaining PHI can create a storage issue for many organizations if encrypted email archiving is not used.
Vendors providing an email archiving service are regarded as business associates (BAs). BAs must adhere to the same standards as covered entities. Therefore, their service must have access controls, audit controls, integrity controls, and ID authentication to ensure the integrity of PHI. All emails should be encrypted at the source before being sent to the service provider’s secure storage facility for archiving.
Aside from solving the storage issue, encrypted email archiving for PHI offers other practical advantages. As the emails and their attachments are encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include freeing storage space on a CE’s servers, and encrypted email archiving for PHI can also be used as part of a disaster recovery plan.