Does HIPAA Compliance for Email Have to Involve Encryption?
Healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities must address HIPAA compliance for email if email is to be used to transmit the protected health information (PHI) of patients and health plan members.
Many covered entities have assumed that encryption is an essential element of HIPAA compliance for email and that any email containing PHI must be encrypted to avoid a compliance penalty. That is not strictly true. The Security Rule does not mandate encryption for email, but a covered entity must give encryption full consideration: encryption is an "addressable" implementation specification under 45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii).
Addressable does not mean optional. If, after a risk analysis, the decision is taken not to encrypt ePHI in email, that decision must be documented along with the reasoning why encryption was not reasonable and appropriate, and the covered entity must implement an alternative security measure that provides an equivalent level of protection. In practice, auditors will expect to see the documented rationale, not just the absence of encryption.
To determine whether encryption is necessary, HIPAA-covered entities should conduct a comprehensive, organization-wide risk assessment. They must look at the HIPAA Security Rule requirements for email – 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1) – and ensure the technical standards for access control, integrity, and transmission security are met.
HIPAA compliance for email means a covered entity must implement technical controls to prevent unauthorized individuals from accessing ePHI. Only individuals who need ePHI to perform their role should be able to obtain it, and that access should be tied to a unique user identity so that activity can be traced back to a person.
Policies must be put in place to ensure ePHI cannot be tampered with or destroyed, and technical controls must be implemented to prevent unauthorized access during the transmission of ePHI.
Provided access controls are in place, encrypting email with a method consistent with NIST guidance protects ePHI from interception in transit. Note that confidentiality and integrity are separate properties: to satisfy the integrity standard the encryption should be authenticated (as TLS and modern authenticated-encryption modes are), so that tampering with a message is detected rather than silently accepted.
However, covered entities must also adhere to the 45 CFR § 164.312(b) standard which requires audit controls to record and examine activity in information systems that are used to store or transmit ePHI. Encryption alone will therefore not solve the problem of HIPAA compliance for email, although it is an important security control.
HIPAA and Web-Based Email
HIPAA does not prohibit the use of web-based email services. However, before using such a service to send ePHI, the covered entity must enter into a business associate agreement (BAA) with the service provider and obtain assurances that any PHI sent via the service will be protected to the standards demanded by HIPAA. Google, for example, will sign a BAA covering certain paid Google Workspace services, but free consumer Gmail accounts are not covered by any BAA. As a general rule, web-based email should be avoided unless the provider will sign a BAA and the service has been included in the organization's risk analysis; few consumer services meet HIPAA requirements for data security.
HIPAA and Emails to Patients
Covered entities can send emails to patients, and those emails can contain the patient's PHI. It is even permissible to send ePHI to a non-secure account such as a personal Gmail address if that is the patient's preference. However, before doing so, the covered entity must warn the patient that unencrypted email is not secure and obtain the patient's consent to communicate that way. The warning and the patient's choice should be documented in writing, for example on a signed release form, so that the decision can be shown to have been the patient's.
HIPAA Compliance for Email Storage
The HIPAA retention requirement (45 CFR § 164.316(b)(2)) is a 6-year minimum for required documentation, and email often constitutes that documentation (authorizations, policy communications, records of security decisions), so many covered entities retain all email for 6 years rather than try to classify individual messages. This can place a significant strain on resources: the volume of email sent by all employees over a 6-year period means significant storage must be devoted to it. While backups can be used, many covered entities opt for a third-party email archiving service.
HIPAA-compliant email archives are encrypted, have access controls and audit controls, and encrypt all data at source, including messages and attachments. Since emails are indexed and searchable, retrieving communications is quick. Archiving also eases the burden on IT departments by freeing up mail server and storage space. Emails can be recovered in the event of a disaster such as a ransomware attack, provided the archive is held separately from the production mail system and cannot be altered or deleted with the same credentials an attacker would obtain there.
Secure Text Messaging – An Alternative HIPAA-Compliant Communication Method
Healthcare organizations may not be able to abandon email altogether, but implementing a secure text messaging service solves many of the issues with HIPAA compliance for email. Secure text messaging platforms deliver messages rapidly to users' mobile devices, speeding up communication considerably.
Well-designed secure messaging platforms incorporate the Security Rule's technical safeguards (unique user identification, access controls, audit logging, integrity protection, and transmission security) and protect messages with end-to-end encryption. HIPAA-compliant secure text messaging platforms can also be used to send attachments such as medical test results and images, and can be used on desktop computers as well as mobile devices, serving as a convenient and efficient replacement for email that improves workflows. As with any vendor handling ePHI, the platform provider must sign a BAA, and the covered entity should verify how encryption keys are managed and where message data and logs are stored before relying on the vendor's compliance claims.