HIPAA Compliant Email Encryption
By Chris Blank
Introduction to HIPAA
The U.S. Health Insurance Portability and Accountability Act of 1996, better known by its acronym, HIPAA, was designed to preserve patient privacy and preserve the security of sensitive health-care related information. Although HIPAA was developed primarily to deal with paper documentation and files, it has been updated to address the growing phenomenon of electronic record keeping and data transmission. HIPAA's final Privacy Rule was published in December 2000 and modified in August 2002. Enforcement of the Privacy Rule began April 14, 2003. Health care providers were required to adhere to HIPAA regulations regarding Patient Health Information (PHI) beginning on April 30, 2005. The Office for Civil Rights within the Department of Health and Human Services became responsible for implementing HIPAA regulations on July 27, 2009.
The Security Rule section of HIPAA does not specifically prohibit sending PHI or sensitive legal data by email. However, if you're a physician communicating with a patient, using email to transmit sensitive information from patient healthcare records can lead to trouble. Messages containing PHI that are transmitted by unencrypted email are vulnerable to hackers, identity thieves and plain old misdirection.
Nonetheless, during the past 20 years, email has replaced regular mail and even faxes for much of the written communication that takes place between individuals and in business. Former President George W. Bush and President Barack Obama have both advocated for a general transition to electronic record-keeping as a means of more efficient data storage and to allow easier portability of patient records between health car providers.
Fortunately, it's not necessary to give up the convenience and speed of email to comply with HIPAA regulations. The information included here will help you understand how HIPAA regulations impact electronic communications within your office and between you and your patients or clients. This information will empower you to choose a secure email transmission system that is up to the task of protecting PHI and sensitive legal client data from prying eyes, and that is also capable of protecting you from potential adverse legal action. This involves addressing three areas associated with protecting privileged PHI: technical, administrative and physical.
Under HIPAA regulation 45 CFR 164.312(a) (2) (IV) and (e) (2) (ii), covered entities, including physicians and other health care providers, must employ encryption methods to safeguard PHI. Providers must evaluate how open networks are utilized, and identify adequate means to protect sensitive data transmission. HIPAA compliance also demands that encryption keys must never be stored on the same server as email or other transmission.
This encryption requirement applies for data that is transmitted over open email transmission networks, as well as for data being stored on servers for any length of time. Data and email messages transmitted over closed systems, such as an internal intranet, are not required to be encrypted, although encryption is allowed. The gold standard is military-grade 256-bit encryption; the same level of security that the U.S. government uses to safeguard data that is critical to maintain national security.
Under the Department of Health and Human Services special publication 800-88, "Guidelines for Media Sanitization," third-party email transmission systems must also destroy electronic files containing PHI at regular intervals. Ideally, third-party email transmission systems also include a multi-pass wipe system as a backup. Adequate protection and HIPAA compliance can be achieved by a US DoD 5220.22-M (8-306./E) three-pass data destruction system.
HIPAA regulations require detailed audits and record keeping concerning access to privileged data. These records must describe who accessed the data, what dates the data was accessed, how many times each person accessed particular data files, how much of the data was accessed during each occurrence, and with whom the data was shared, along with details of precisely what data was shared. These regulations not only apply to transmission of messages containing PHI between provider and patient, but to the internal handling and storage of PHI by authorized staff members and other medical professionals treating particular patients.
Additional safeguards include assigning unique usernames and requiring strong passwords for every individual who has the authority to access patient data. Electronic data storage and email transmission systems can also be set to restrict access to data according to the function of the user so that each user within a provider's office only has as much access as needed to perform his or her job. This allows providers to document and trace any authorized and unauthorized access to confidential data
Ensuring that email and other electronic transmissions are received only by patients or other authorized individuals is another essential aspect of safeguarding PHI. Telephone callbacks and text message validation of each unique transmission are two examples of administrative safeguards for electronic transmission of messages that contain PHI.
In addition, while third-party email transmission systems cannot and must not provide long-term storage of email messages, short-term storage is appropriate and beneficial. This feature allows authorized recipients a reasonable time to download large attached documents. Look for email transmission systems that provide short-term encrypted storage of messages, with a notification system to alert recipients of waiting messages.
In the unfortunate occurrence of a security breach, HIPAA rules CFR 64.505(e) (2) (ii) (C) and 164.314. (a)(2)(i)(C), along with the Health Information Technology for Economic and Clinical Health Act (HITECH Act), included in the American Recovery and Reinvestment Act of 2009 (better known as the stimulus) require notification of any potential exposure of PHI. Ideally, email encryption systems would provide immediate notification; however, under rule Section 164.410(b), notification should take place no later than 60 days following a breach. However, email encryption systems that store data only in encrypted form and destroy data on a regular basis would be much less vulnerable to such exposure.
Maintaining system uptime is an essential element of HIPAA compliant email transmission systems. Your patients' data must be available to you and to your patients 24 hours per day, 365 days per year, period. Maintaining the near 100 percent uptime necessary to ensure vital data access requires building redundancy into the server system. In the event of fire or other catastrophe that knocks out the main server, a backup or redundant server seamlessly takes over. If your third-party email transmission system does not offer a redundant or other contingency strategy to ensure near 100 percent uptime, look elsewhere for an email provider.
Healthcare providers are held to the highest standard of care in dealing with patients as well as with their data. At the same time, patients demand that those who provide their care keep up with the most current innovations, including technological advances. Using HIPAA-compliant email transmission and encryption systems balances convenience and speed with the security necessary to preserve the privacy of patient information.
About the Author
Chris Blank is an independent Chicago-based writer, researcher and policy analyst who provides consulting services to NGOs, municipalities, state-level agencies and commercial clients. Chris Blank specializes in issues pertaining to sustainability, technology, current affairs and culture from a progressive viewpoint. Blank holds a Masters degree in Sociology and a Law degree, both from Northwestern University.
NEXT ARTICLE: OVERVIEW OF EMAIL ENCRYPTION SYSTEMS
Additional HIPAA resources
US Government information about the HIPAA security rule.
Final HIPAA security rule (2003)
HIPAA security 101
Karen Trudel, Deputy Director of the Office of HIPAA standards at CMS, "...the HIPAA security standards were carefully crafted to be ‘technology neutral’ and to allow health care providers wide latitude to devise their own security policies and practices based on their own risk assessments and risk management efforts geared to their specific size and complexity.