HIPAA Email Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the defining authority on how the healthcare industry handles patient-related information. It is dedicated to maintaining the confidentiality and integrity of protected health information (PHI) across every medium of communication, including email.
HIPAA does not prohibit sending electronic PHI (e-PHI) by email, but it requires that doing so not compromise the security of the information. The HIPAA Security Rule therefore sets standards that govern the transmission of e-PHI by email. These include standards for:
• Access control (45 CFR § 164.312(a))
• Integrity (45 CFR § 164.312(c)(1))
• Transmission security (45 CFR § 164.312(e)(1))
Email Pros has implemented these standards in our services and is fully compliant with HIPAA by following the recommended procedures, aimed at preserving the integrity of PHI and restricting unwarranted access to e-PHI. The Transmission Security standard is the most detailed of the three: its implementation specifications cover integrity controls (45 CFR § 164.312(e)(2)(i)) and encryption (45 CFR § 164.312(e)(2)(ii)) for e-PHI sent over electronic communications networks.
Every covered entity should assess the risks of sending e-PHI over the open networks it uses and adopt safeguards suited to those risks. One way to substantiate adherence to the Security Rule is to host email with a HIPAA compliant email service provider such as Email Pros, and to sign a business associate agreement (BAA) with that provider, as HIPAA requires of any vendor that handles PHI on a covered entity's behalf.
The HITECH Act, enacted in 2009 with most of its provisions taking effect in 2010, amended the HIPAA Privacy and Security Rules. One of its most notable changes is the increase in penalties for breaches of patient information and other violations of patients' rights under HIPAA. Before HITECH, civil penalties were capped at $25,000 per year for violations of an identical provision; the cap is now $1.5 million per year. Civil fines, and for knowing misuse of PHI criminal penalties of up to $250,000 and imprisonment, can be imposed on the violating institution and on the individuals involved.
HIPAA Email Archiving
Although HIPAA sets standards for sending PHI by email, it lays down no specific regulations for email archiving. A secure and comprehensive archive of email carrying PHI nevertheless supports the Security Rule's goals, since it keeps e-PHI intact, auditable and retrievable.
Why should covered entities archive emails?
• Compliance – HIPAA's six-year retention requirement (45 CFR § 164.316(b)(2)) obliges covered entities to keep the documentation the Rule requires, such as policies, procedures, risk assessments and records of actions taken, for at least six years, and this applies to records held electronically. It binds every entity that handles patient information, including health plans and insurers, healthcare providers, clearinghouses and employer-sponsored group health plans. (Retention periods for the medical records themselves are set by state law.) Email Pros' Advanced Archiving System retains email and allows easy retrieval throughout the mandated six-year preservation period.
• Litigation Support – Every covered entity needs to prepare for litigation, which is common in the healthcare industry. A properly stored and indexed email archive lets the PHI relevant to a case be located quickly during discovery.
• Guarding Against the Future – Many analysts expect further HIPAA regulation of email communications carrying PHI in the near future, so bringing your organization's email archiving up to date now is prudent rather than optional.
HIPAA Email Encryption
The HIPAA Security Rule sets out recommendations to ensure that e-PHI (electronic protected health information) meets the same standards for integrity that apply to PHI in other forms. Among these recommendations, email encryption is a central one.
The benefit of encrypted email is simple: the information (PHI) carried in a message cannot be read by an unintended party even if the message is intercepted in transit. This protection covers both the message body and any attachments.
Overview of How Encryption is Done
Encryption is a method of converting plain text into cipher-text using a key, so that data in transit over the Internet cannot be read by any party that does not hold the key. The email recipient converts the cipher-text back into plain text with the corresponding key: the same secret key in symmetric encryption, or the recipient's private key in public-key encryption. A key is a secret value, not an algorithm; the algorithm itself is public and the security rests on keeping the key secret. The keys used here live within systems powered by Email Pros.
The Security Rule classifies encryption as an ‘addressable’ implementation specification. Addressable does not mean optional: a covered entity must implement encryption where it is reasonable and appropriate, and if it decides not to, it must document why and put an equivalent alternative safeguard in place. Any leakage of e-PHI that occurs because encryption was absent, with no documented alternative, is very likely to be treated as non-compliance with HIPAA.
The Security Rule does not require encryption of internal email that stays on a closed, wired workplace network. Encryption is expected, however, whenever email crosses an open network such as the Internet, and that includes wireless LANs. Per the diagrams below, Email Pros provides the same strong encryption that banks use to secure their connections for online banking.
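The round trip described above (plain text to cipher-text under a key, and back again only for the holder of the key), together with the integrity control the Transmission Security standard asks for, can be seen in a few lines of Go. This is an added illustration written for this page, not Email Pros' code; it uses AES-256-GCM from the Go standard library, and the patient record it seals is a constructed sample, not real data. An authenticated cipher such as GCM is used deliberately: the tag it appends means that a message altered in transit, or opened with the wrong key, is rejected outright instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. In a real deployment the key
// would come from a key-management system, never travel with the message.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt turns plaintext into cipher-text under key using AES-256-GCM and
// returns nonce || ciphertext || authentication tag as one blob.
// A fresh random nonce per message is mandatory: reusing one under the
// same key breaks GCM's confidentiality and integrity guarantees.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the recipient gets everything at once.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, and no plaintext at all,
// if the key is wrong or if a single bit of the message was altered in transit.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	nonce, sealed := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, nil)
}

func main() {
	// Constructed sample message; not real patient data.
	phi := []byte("Patient: J. Doe, MRN 000000, diagnosis: hypertension")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (hex): %x\n", sealed) // unreadable without the key

	plain, err := Decrypt(key, sealed)
	fmt.Printf("recipient reads: %q (err=%v)\n", plain, err)

	// Integrity control: flip one bit of the sealed message and decryption refuses.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered)
	fmt.Printf("tampered message: err=%v\n", err)

	// Wrong key: an eavesdropper without the key recovers nothing.
	other, _ := NewKey()
	_, err = Decrypt(other, sealed)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

In practice email is protected by TLS between mail servers and by S/MIME or OpenPGP for end-to-end encryption; those protocols wrap the same primitive shown here, and the two failure cases in the example (altered data, wrong key) are exactly what the Security Rule's integrity and encryption specifications are meant to catch.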
Money Back Guarantee
We offer a 30 day money back guarantee. If you are not happy with our services we will refund your payment.
Testimonial
“Email Pros has been a rock solid email service. We are a Voice-over-IP service provider and it is imperative that our email communications are fast and secure.”