Does the Health Insurance Portability and Accountability Act (HIPAA) require that you encrypt your emails? As it turns out, it’s not an easy question to answer. The reality of HIPAA email encryption is more complex.
The recent “waiver of HIPAA related activities due to Covid-19” does NOT permit unsecured email transmissions.
According to the U.S. Department of Health and Human Services (HHS), “The final Security Rule made the use of encryption an addressable implementation specification.” If you think that sounds vague, you are not alone. The requirement to encrypt electronic protected health information (ePHI) has been left open to interpretation, which can lead to confusion.
Although it’s not technically required by HIPAA, encrypting all outgoing emails that include ePHI turns out to be the best practice.
Proper email encryption can help you prevent a security breach and a HIPAA violation. Read on to learn why we recommend encrypting all of your emails and how to go about it.
What does HHS say about HIPAA email encryption requirements?
HIPAA says that it is permissible to send ePHI over an open network (meaning email) as long as the information is protected. The HIPAA Security Rule does not specify whether this requires all email to be encrypted. HHS has its reasons for keeping things open to interpretation. Technology is constantly changing and updating. At the time new regulations are written, the best practice for following those rules might turn out to be obsolete. The HIPAA Security Rule keeps regulations vague to allow for new methods when technology advances.
Encrypted email may be the best way to keep ePHI secure in the present, but in the future, technology may bring even more secure methods for protecting data.
This means healthcare entities and their business associates must perform a comprehensive risk analysis of their particular email encryption needs. From that risk analysis, you can build a risk management plan that determines the best solution for protecting your organization’s emails.
What is email encryption?
Email encryption scrambles the text of an email so that it is unreadable to anyone who does not hold the decryption key. It relies on a Public Key Infrastructure (PKI): the recipient has a key pair made up of a public key, which the sender uses to encrypt the message, and a private key, which only the recipient holds. Only that private key can decrypt the message, so it must be kept secret.
Some services encrypt emails only during transmission. This may be acceptable for some users, but not for healthcare organizations. HIPAA compliance requires your email to be encrypted end to end, not just in transit.
You also need to be aware of the type of encryption that you use. The Data Encryption Standard (DES) was once considered acceptable and secure. Today, the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys is considered secure. NIST publishes guidance on currently secure encryption. If you have an IT department, they should be able to ensure you are using proper encryption. Alternatively, you can hire a third-party vendor to provide you with a properly encrypted email server. Be certain that the one you choose is HIPAA compliant.
Does your organization need to encrypt its emails?
We’ve already established that the HIPAA rules don’t state that you must encrypt your emails. They do, however, require that you keep your ePHI protected. And if you’re transferring ePHI through email, you’re going to have to keep it secure. Today, the best way of securing email is through encryption.
According to the Security Rule, email encryption is an “addressable” implementation. Unlike a “required” implementation, an addressable implementation must be put into action if a risk assessment has shown it to be necessary. If an organization chooses not to encrypt email, they must “implement an equivalent alternative to encryption that is reasonable and appropriate.”
This finally answers the question we had at the beginning of this blog. Yes, we recommend that you encrypt your email. At this time there is no other process that is an equivalent alternative that will keep ePHI secure.
What happens if you have a security breach of ePHI?
If you’re found in violation of HIPAA standards, the Office for Civil Rights (OCR) will open an investigation, which can lead to HIPAA breach penalties. Breach penalties can be stiff, and a healthcare organization can lose months’ or even years’ worth of profits. Whether the violation is deliberate or unintentional does not matter for HIPAA compliance. This is why a thorough risk assessment is so critical for healthcare organizations and their business associates.
If you need one more reason to encrypt your email: ePHI that has been exposed (stolen, hacked, sent to the wrong person, etc.) only counts as a reportable breach if it was unencrypted. Encrypted email falls under safe harbor because it can’t be read by an unauthorized individual. This means that if an encrypted email is accidentally sent to the wrong recipient, but that recipient can’t read it, you are not in violation of HIPAA.
What are the suitable encryption standards for email?
Now that we’ve established the importance of HIPAA email encryption requirements, we need to look into the best practices for keeping your organization’s emails secure.
What needs to be encrypted?
There are three aspects to sending and receiving emails that need protection: (1) the connection from the email provider, (2) the body of the message, and (3) stored or archived emails.
There are several options for keeping these three things secure:
- Cloud-based email servers. Be careful about this option. Cloud-based software is convenient for the user. Backups are easily obtained, updates can be implemented automatically, and they are accessible from almost anywhere. However, when it comes to HIPAA compliance, cloud-based email programs are not your best choice. They will only work if the senders and the recipients are all on the same email server. If recipients are not on the same server, you cannot keep their emails encrypted. This choice works if you only need an inter-office email system.
- Encrypted email services. This is a good choice for keeping ePHI secure when sending emails. This keeps the email encrypted from the sender to the recipient. Some services have extra options that prohibit downloading or copying and pasting text.
- Secure message portal. Another option to keep ePHI secure is to send an email to a recipient informing them of a secure message they can obtain when they sign in to your secure message portal with their username and password.
What other steps can you take?
- Be sure your email is configured properly. Access to your email account should be protected by a strong password and two-factor authentication. If you’re using a web portal to access email, you need to be sure you are on a secure URL. Your address should start with https:// – not http://. You can also look for the padlock icon in the address bar.
- Encrypt ALL emails. Some email encryption programs let you choose whether to encrypt. The best practice is to encrypt every single email – official and healthcare-related alike – that your organization sends. There are two reasons for this. First, if you encrypt only the emails that contain sensitive information, hackers will take note that only some emails are encrypted. This is like sending out a red flag that those emails contain ePHI. Second, to eliminate human error, it’s best to encrypt everything you send out. If employees encrypt only certain emails, they may easily forget to encrypt one that contains ePHI.
- Train your staff. Software programs can only do so much. You must properly train your staff in HIPAA email encryption requirements. You need to implement strict email policies and train your staff on them to avoid accidental data breaches.
- Retain all your emails. Some email services provide features that easily allow users to archive all emails. This is a great method of keeping all of your emails in an easy-to-access location in the event of an audit. Under the HIPAA Security Rule, organizations are expected to keep emails for a minimum of six years. This requires a lot of storage space. You may want to choose an encrypted email service that also provides encrypted email archiving so you can retain emails while keeping them easily accessible in case a patient requests information or you need them for an audit.
- Get your patients’ consent before sending them emails. Before communicating with patients via email, they need to sign a consent form. Not only do you need their consent, but you also must apprise them of the risks associated with communicating by email.
- Email disclaimer. Your legal department or other experts can help you with the exact wording to use for a disclaimer in your emails. However, you should note that a disclaimer does not excuse sending unencrypted emails containing ePHI. It simply lets recipients know that there is always a risk in any kind of email communication. If you send data unencrypted, you will still be held responsible for a breach.
- Obtain a business associate agreement (BAA) from your email provider. If you choose the route of a third-party email encryption software, the vendor should provide you with a HIPAA-compliant BAA that outlines their responsibilities and guarantees the emails will be encrypted from end-to-end. If your email provider does not want to do this, look elsewhere for a provider that will.
Get expert advice
As with everything HIPAA related, there is a lot of complex information to learn about HIPAA compliance and email encryption. Being unaware that you are committing a breach will not protect you from penalties and fines.
If you are concerned about HIPAA security breaches, seek help and conduct a HIPAA Risk Assessment for your organization that includes how to handle HIPAA email encryption requirements. If you are unsure how to proceed, use a third-party consultant to conduct the risk assessment.