HIPAA-Compliant Email Encryption

Every healthcare professional and health-services provider in the U.S. is, and by law must be, familiar with HIPAA and HIPAA encryption compliance. HIPAA, the Health Insurance Portability and Accountability Act, became law in 1996 and was updated in 2003 to address the utilization and safeguarding of protected health information (PHI). Although the legislation has existed for a while now, recent investigations have revealed that a considerable number of healthcare providers have yet to become fully compliant with the specifications of HIPAA.

Essentially all hospitals, physicians, and clinics communicate via email. Health-related files are also frequently transmitted by email, as are insurance-plan specifics. Even travelling over a short distance, email will often be duplicated at least a few times by the multiple servers through which it passes. HIPAA encryption compliance dictates that any kind of open-network digital correspondence containing PHI must be encrypted. The law also directs that all messages be securely archived, indexed, and time-stamped, and that they be made tamper-proof and obtainable when requested.
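The archiving requirement above (archived, indexed, time-stamped, tamper-proof, and obtainable on request) is easy to state and easy to get wrong. The following is an added example, not code from the original article or from any vendor product, showing one way to build a tamper-evident archive index in Python: each message becomes a time-stamped entry whose body and attachment hashes are sealed with an HMAC and chained to the previous entry, so any edit, deletion or reordering is detected on verification. It assumes the encrypted message bodies are held in a separate store keyed by the entry index, and the seal key name and value are constructed for the demo.

```python
from typing import List, Optional, Tuple
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical archive seal key (constructed for this demo); in production it
# would live in an HSM or key-management service, never in source code.
ARCHIVE_KEY = b"constructed-demo-key-do-not-use"

def _canonical(entry: dict) -> bytes:
    """Stable serialisation so the seal covers exactly the archived fields."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def archive_message(chain: List[dict], sender: str, recipient: str, subject: str,
                    body: bytes, attachments: dict, now: Optional[datetime] = None) -> dict:
    """Append one message as a time-stamped, indexed, hash-chained entry."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    prev = chain[-1]["seal"] if chain else "0" * 64
    entry = {
        "index": len(chain),
        "timestamp": ts,
        "sender": sender,
        "recipient": recipient,
        "subject": subject,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "attachments": {name: hashlib.sha256(data).hexdigest()
                        for name, data in sorted(attachments.items())},
        "prev_seal": prev,   # links this entry to the previous one
    }
    entry["seal"] = hmac.new(ARCHIVE_KEY, _canonical(entry), "sha256").hexdigest()
    chain.append(entry)
    return entry

def verify_archive(chain: List[dict]) -> Tuple[bool, int]:
    """Return (ok, first_bad_index); index is -1 when every entry and link is intact."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        unsealed = {k: v for k, v in entry.items() if k != "seal"}
        expected = hmac.new(ARCHIVE_KEY, _canonical(unsealed), "sha256").hexdigest()
        if (entry["index"] != i or entry["prev_seal"] != prev
                or not hmac.compare_digest(entry["seal"], expected)):
            return False, i
        prev = entry["seal"]
    return True, -1

def find_by_recipient(chain: List[dict], recipient: str) -> List[int]:
    """Index lookup so an archived message is obtainable when requested."""
    return [e["index"] for e in chain if e["recipient"] == recipient]
```

The seal key must be held apart from the mail store itself; otherwise whoever can alter the archive can also re-seal it.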

The main advantage of using encrypted emails is easy to understand: it ensures that PHI transmitted by email cannot be read by unintended parties even if a message is intercepted. This includes the actual text of the emails plus all attachments. Encryption can be understood as a system of transforming ordinary text into “cipher-text” by using a key. While the cipher-text is in transit over the Internet, its contents cannot be understood by untrusted parties. The recipient then transforms the cipher-text back into ordinary text with the corresponding key. These keys are long secret values generated and managed by an email system equipped with encryption features. Information that can be used to identify a particular person, referred to as “personally-identifiable information” (PII), is guarded by law in America for good reason. PII may be used to discriminate against, harass, or even blackmail an individual, since healthcare records often include sensitive information that a person does not wish to be publicly disclosed. Any hospital, clinic, or individual healthcare provider transmitting such private details that are somehow leaked is answerable for the breach and may face substantial penalties.

HIPAA encryption compliance is compulsory. Two essential elements of HIPAA relate to email encryption: the Security Rule and the Privacy Rule. These two rules stipulate that all necessary efforts be taken to safeguard PHI whenever it is archived, viewed, used, and relayed between parties. Use of email encryption is obligatory for anyone who has permission to access PHI or who deals with it in any way. HIPAA does not prohibit the transmission of PHI through email, but the HIPAA Security Rule puts forward recommendations for guaranteeing that ePHI, or electronic protected health information, meets the criteria established for preserving the integrity of PHI. As it pertains to email security, HIPAA is fundamentally a formal, legal enshrinement of widely-recognized best practices, including: (1) ensuring that all messages containing PHI are secured when sent over vulnerable links, (2) making certain that email systems and clients are rigorously authenticated so PHI cannot fall into the wrong hands, and (3) securing the email message stores and servers in which PHI may be present. These privacy-protection specifications laid out in HIPAA necessitate a non-trivial compliance undertaking by healthcare providers and organizations and are among the most vigorously-enforced provisions of HIPAA. Healthcare entities failing to adequately protect these data may face fines on the order of $10,000 to $25,000 for each single instance of unauthorized PHI disclosure. If such leaks are found to have been deliberate, HIPAA provides for penalties from $100,000 up to $250,000, along with potential incarceration for those involved in such transgressions.

The HIPAA Security Rule treats encryption as an “addressable specification”. Essentially, it underscores the central importance of encryption for restricting access to PHI without being especially detailed about implementation. Any type of protected-record leakage resulting from a lack of encryption creates a liability for violation of HIPAA mandates, although “de-identified” information may be transmitted without encryption. While exact encryption methods are not stipulated by the legislation, they must ensure, at a minimum, that all transmitted PHI is made unreadable and thus unusable by hackers. Private-practice providers, clinics, and hospitals are free to research the various encryption options available in the marketplace and to select their own encryption strategies. This is beneficial in that it permits a “mixed” approach in cases where network hardware already exists or secured archiving servers have already been set up, but encryption is still lacking. So long as email messages and attachments are encrypted when transmitted and subsequently stored securely, providers should be HIPAA-compliant.

Initially, complying with the HIPAA email regulations was labor-intensive, involving a number of different solutions in various parts of an organization’s infrastructure. Today, compliance has become much less of a challenge, and many vendors are offering systems for adequately protecting providers in one package. These solutions incorporate email encryption together with secured email storage space. HIPAA leaves the details of secure email storage to other statutes, but does indicate that PHI must stay confidential at every point in time, more than implying that any and all storage methods must be secure. There are currently specific applications available that operate parallel to or within email servers and client email software to encrypt messages prior to their transmission. These kinds of automated technologies enable individual providers and organizations to fully conform with HIPAA without having to expend additional time on administrative tasks. Thus, there is today no substantive justification for non-compliance by any enterprise dealing with PHI. The requisite means are available, prices have been reduced, and adopting these technologies is at this time therefore largely a matter of will.

HIPAA’s Security Rule doesn’t dictate that an organization’s internal emails sent only over a wired workplace intranet must be encrypted. Encryption becomes necessary when an email is conveyed over an open network such as the Internet or a wireless local area network (LAN). Currently, there are no standards regarding minimum encryption strength. Thus, entities working with PHI must make independent decisions in this area. By current encryption standards, 168-bit (i.e., 3DES) encryption strength is considered sufficient, although 128-bit strength is also commonly used. The security platform may in this respect be tailored to fit idiosyncratic workplace considerations. In the future, the U.S. Department of Health and Human Services (HHS) may delineate “addressable” encryption standards [164.312(e)(2)(ii)].

For more information on the specifics of HIPAA and HIPAA encryption compliance, you may contact or visit the website of HHS. If you’d like help deploying or maintaining HIPAA-compliant infrastructure, please head to http://touchsupport.com/hipaa-compliance/ to learn more and speak with a member of our team.