Patrick Sullivan
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
A HIPAA compliant covered entity fulfills HIPAA requirements by making a concerted effort to protect patients’ PHI from negligence, theft, and/or accidental breach. This includes when healthcare providers have to communicate with patients or other providers where PHI is involved.
Today, the best way for a covered entity to communicate electronically is through HIPAA compliant email.
But how do you make your email HIPAA compliant? What must be done so that electronic PHI (ePHI) can be safely sent to patients and other CEs?
What is HIPAA compliance?
The U.S. Department of Health and Human Services (HHS) enacted HIPAA to combat fraud and abuse as related to PHI. The HHS Office for Civil Rights (OCR) regulates and enforces the Act, which consists of five sections (or titles).
Most associated with the Act is Title II, the actual security measures a covered entity must maintain for HIPAA compliance. Several addendums clarify and explain how to maintain compliance, including the Privacy Rule and the Security Rule.
The Privacy Rule created the national standards on disclosing and using PHI while the Security Rule provides the how of ePHI protection.
The Security Rule further specifies the administrative, physical, and technical safeguards necessary for compliance. If such safeguards are in place, the chance of a data breach or HIPAA violation, or any OCR penalties, is less likely.
What is HIPAA compliant email?
Email is a valuable communication tool because of how easily it connects users worldwide. But as email use grows, so does the sophistication of cyberattacks; email is a prime threat vector for data theft.
Threat actors want to steal data (e.g. PHI), for knowledge or ransom. Cyberattacks through tools like malware have recently seen a drastic rise in use.
However, this should not be a deterrent to CEs looking to communicate through email. HIPAA compliant email ensures data protection because it adheres to all of HIPAA’s security standards.
There is no certification required for HIPAA compliant email which is why understanding HIPAA requirements is the best place to start.
As long as CEs employ solid email security to protect outbound email during transit, as well as in storage, they have safeguarded PHI. CEs maintain HIPAA email compliance by:
- Utilizing a HIPAA compliant email service
- Ensuring proper encryption protocols are followed
- Guaranteeing all employees follow best email practices
Some CEs may offer a patient portal as an alternative means of communication. But HIPAA compliant email provides the same security as secure portals with easier access and simpler communication capabilities.
HIPAA compliant email providers
Many email service providers safeguard email but not all are HIPAA compliant. In fact, popular email providers (e.g., Gmail and Microsoft Outlook) on their own are not HIPAA compliant.
To choose a provider, CEs must ask:
- Is the service really HIPAA compliant?
- How easy is it to use?
- Does it integrate with my existing IT system?
- Does it require new procedures and training?
- Does it provide good customer support?
- Are there hidden costs?
Moreover, a covered entity needs to ensure that the email provider, as a BA, signs a Business Associate Agreement (BAA).
This agreement outlines the responsibilities of a BA; without it, there is no guarantee that the BA is HIPAA compliant and can result in a fine. And even then, a covered entity must still ensure its email system is configured correctly.
Encryption and HIPAA compliant email
According to HIPAA, encryption needs are specified by two main terms: required and addressable. All required elements must be included within a cybersecurity program while those that are addressable do not.
In fact, if after a risk assessment a covered entity determines email encryption is not appropriate, its next step would be to document and find another applicable solution.
As a matter of fact, there is no suitable alternative to email encryption for adequate PHI protection.
Proper email encryption protocols ensure secure communication, and current NSA guidelines state that the most suitable is Transport Layer Security (TLS) 1.2 or above. As a Secure Socket Layer (SSL) descendent, TLS encryption addresses the problems with all previous SSL versions by providing extra protective layers. Moreover, TLS protocol encrypts every type of internet traffic, including web, email, and usenet.
Employees and HIPAA compliant email
And finally, HIPAA compliant email must also focus on another aspect of email security: employee awareness training.
Human error makes it simple for malware and ransomware to get into any network. Anyone could easily be exploited through phishing and social engineering without proper training.
In addition, if a healthcare provider’s email system does not support blanket encryption, a staff member must make a choice with each email whether or not to enable HIPAA compliance. This opens the door even wider for human error.
A good training program includes policies on access controls, patient consent, who can access PHI, and when it is okay to send PHI and to whom.
It lets employees know what to look for, how to avoid a scam, and what to do after a breach. Continuous, up-to-date, and constantly tested training encourages employees to recognize and block malicious emails.
Many healthcare providers also opt for strong inbound email security including data loss prevention (DLP) services since CEs are a prime target for cyberattacks, especially through domain name spoofing attacks.
A sound method of communication—HIPAA compliant email
Knowing what HIPAA is and what tools are needed for compliance is important. And the three facets of HIPAA compliant email—a compliant email provider, email encryption, and robust employee training—work in tandem to create a secure method of communication for CEs.
In summary, to ensure HIPAA email compliance, CEs must:
- Use an email provider that follows HIPAA guidelines and will sign a BAA
- Employ modern email encryption to secure all emails
- Train staff how to be reliable email senders/receivers
Learning about best communication practices and, especially how to make your email HIPAA compliant is something all CEs must learn about today.