
HIPAA EMAIL ENCRYPTION REQUIREMENTS

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect individual privacy of personal health records, among other goals. Any entity that receives, handles, transmits, or stores an individual's Protected Health Information (PHI) or electronic PHI (ePHI) must maintain policies and tools to ensure compliance.

The prevalence of email makes this form of transmission a particular concern for entities seeking to comply with the government’s regulations for safe handling and transmission of PHI.

HIPAA and HITECH Compliance Requirements for Email

Given the complex regulations and stringent penalties that can apply in the event of a data breach or unsecured transmission of PHI, it's important that covered entities implement the proper safeguards.

HIPAA was later amended to provide greater legal protections of an individual’s Protected Health Information (PHI). More recently, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted, which modified HIPAA in several key ways.

New notification rules for PHI data breaches as well as expanded penalties went into effect, and the act extended HIPAA’s privacy and security provisions so that they applied to both covered entities and their business associates.

Criminal penalties and fines can be imposed on businesses or individuals involved in a breach, and greater authority is now granted to the Department of Health and Human Services (HHS), the Centers for Medicare and Medicaid Services (CMS), and State Attorneys General to audit and penalize entities subject to the law.

Summary of HIPAA Security Rules Affecting Email

The provision of HIPAA that primarily affects email and transmission of ePHI is the HIPAA Security Rule. This rule has five requirements that impact email correspondence:

  • Access controls. The covered entity must have technical policies and procedures that limit access to systems containing ePHI only to staff and internal personnel with appropriate access rights.
  • Audit controls. The covered entity must use software and hardware solutions that record and examine activity in systems that contain or use ePHI.
  • Transmission security. The covered entity must have electronic security measures in place to guard against unauthorized access to ePHI transmitted over an electronic communication network.
  • Integrity. The covered entity must have policies and procedures in place that protect ePHI from unauthorized destruction or alteration.
  • Person or entity authorization. The covered entity must use procedures to ensure that an individual or entity seeking access to the ePHI is verifiable and have safeguards in place to prevent access to the ePHI from an unauthorized user.

HIPAA’s Security Rule names implementation specifications to ensure compliance with the law in the handling of PHI and ePHI. Examples of implementation specifications include encryption protocols for emails and PHI attachments, a system that uses unique user identification, and security measures that ensure ePHI is not altered, destroyed or improperly modified.


The Importance of Email Encryption

Failure to include the required implementation specifications under the HIPAA Security Rule will result in the entity automatically failing to comply.

However, addressable implementation specifications, such as the encryption of ePHI, provide some flexibility: The covered entity can first assess whether the implementation specification is a reasonable and appropriate safeguard and then choose to either implement the specification or document the rationale supporting the decision not to do so.

Addressable implementation specifications are considered as important as required specifications, and covered entities should address them whenever possible. Numerous email encryption platforms are now available, making it very likely that government audits will find email encryption to be a specification that can be reasonably implemented by most covered entities.

Email can be used to transmit PHI as long as the covered entity takes the proper precautions to prohibit unauthorized access. Without sufficient safeguards in place to encrypt emails and ePHI, a breach can lead to significant consequences.


Consequences of Non-Compliance with HIPAA and HITECH

The penalties for non-compliance are substantial and carry both civil and criminal consequences.

Breaches in HIPAA’s PHI protocol are investigated on a case-by-case basis, and the fines and penalties are assessed based on the nature and severity of the offense. Unintentional violations carry penalties up to $50,000, while uncorrected violations that occur due to willful neglect carry a maximum penalty of $1.5 million per year.

While covered entities are primarily the ones held at fault for failure to adhere to HIPAA’s requirements, healthcare providers, employees or any individual conspiring to willfully violate HIPAA can be subject to criminal penalties that include up to 10 years of incarceration. While many covered entities purchase insurance policies that protect against the willful misconduct of employees, as well as errors and omissions, individuals must still be properly trained on HIPAA’s requirements and on the policies and procedures that ensure compliance.

In addition to the criminal and civil fines and penalties, the effect that a data breach may have on the covered entity’s reputation is often more damaging. Following the discovery of a breach of unsecured PHI, covered entities must notify each affected individual that his or her PHI has been exposed and briefly describe the steps taken to mitigate harm and prevent further breaches of PHI.

In the event 500 or more residents of a state or specific jurisdiction are impacted, the covered entity is also required to provide notice to media outlets that the breach has occurred. This can result in a significant public relations problem. Finally, notice of the breach must be sent to the Secretary of HHS, which can lead to future audits or investigations.

With the threat of such substantial penalties and the harm that can be done to a covered entity’s reputation in the event of a data breach, many covered entities are seeking comprehensive technology solutions to resist malicious attacks against their information and email systems.


Mail Protection: An Email Platform That Helps With HIPAA Compliance

NSCS.biz has tools for comprehensive threat protection as well as email encryption solutions. This secure, cloud-based solution assists in ensuring HIPAA compliance through the following features:

  • Comprehensive threat protection. Mail Protection stops malware attacks and keeps emails and ePHI from unauthorized users. Four virus engines block even the most dedicated hackers, while zero-hour pattern-based detection identifies and avoids new threats.
  • Superior archiving. This feature establishes a chain of custody and retrieves important messages when necessary. Mail Protection indexes messages automatically and tags dates for easy searching. Every move made on the Mail Protection system is logged to show who accessed the archive and when.
  • Powerful security. Mail Protection stores messages in multiple secure data centers scattered across the globe. Archives are encrypted, and Mail Protection compresses records so they cannot be tampered with or altered in any way.

This is all in addition to 24/7 email continuity, top-of-the-line spam protection, security for third-party services and unlimited cloud storage.
