What is HIPAA?
The U.S. Department of Health & Human Services established the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Its main aim was to protect patients' healthcare information from public access.
A patient's health information is sensitive, so it must not fall into the wrong hands. It includes private details such as the patient's medical history, their family's medical history, and financial information such as bank or credit card data, which makes securing it all the more crucial.
Mandatory HIPAA compliance helps prevent the misuse of this information. The law has also been amended several times since it was first passed.
Objectives of HIPAA
The critical goals and objectives around which HIPAA revolves are as follows:
- Privacy of health information
- Security of electronic records
- Administrative simplification
- Insurance portability
Entities affected by HIPAA
Entities that transmit health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards fall within the scope of the act. These transactions include healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, electronic healthcare funds transfers, and referral certification and authorization.
The HIPAA Privacy and Security Rules
The Privacy Rule:
It requires appropriate safeguards to protect the privacy of personal health information, and it sets limits and conditions on the uses and disclosures that may be made of such information without the patient's authorization.
The Security Rule:
It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of patients' electronic protected health information (ePHI).
The covered entities and business associates dealing with this protected health information (PHI) must comply with these rules.
What is HIPAA compliant email?
With users sending over 205 billion emails every day, it is crucial to ensure the security of emails.
A HIPAA compliant email service is one that ensures any email containing protected health information is delivered securely to the recipient's inbox. An entity that abides by the Privacy Rule and the Security Rule is said to be HIPAA compliant.
However, mainstream email providers such as Google and Yahoo are not HIPAA compliant by default; they require specific configuration.
Therefore, most entities turn to a third party, specifically a HIPAA compliant email provider, to operate to the HIPAA standards.
A HIPAA compliant email must be encrypted. Encryption makes the data unreadable both in transit and at rest.
As per the HIPAA email rules, messages in transit that contain ePHI have to meet the encryption requirements. This secures the emails that users send outside a protected internal email network, beyond the firewall.
Emails containing PHI shouldn't be sent unless they are encrypted with a third-party program or with 3DES, AES, or similar algorithms. If the PHI is in the message text, the message itself must be encrypted; otherwise the attachment containing the PHI can be encrypted.
Though encryption is only one element of HIPAA email compliance, it is an essential one. If a message is intercepted, encryption renders the content unreadable and so prevents an impermissible disclosure of ePHI.
The HIPAA Security Rule makes encryption of email at rest an addressable requirement. Covered entities must therefore either employ encryption or implement alternatives that safeguard PHI both in transit and at rest.
A covered entity may conduct a risk analysis to understand the level of risk involved and decide whether encryption is required or whether some other alternative will suffice. The OCR requires complete documentation explaining why encryption was not chosen and how safe the chosen alternative is.
An entity can choose any appropriate method of encryption, but it should keep pace with the latest technological advances.
HIPAA-covered entities can ensure better security by following up-to-date encryption guidance from the National Institute of Standards and Technology (NIST), which at the time of writing recommends the Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys.
Recommendations change from time to time, so check NIST's latest guidance before implementing email encryption.
NIST's 'SP 800-45 Version 2' helps organizations secure their email communications.
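The preceding paragraphs call for encrypting a PHI attachment with AES at one of the key sizes NIST recommends. The following is an added example, not code from the original article or from any provider it names: it uses only Go's standard library to seal an attachment with AES-GCM under a random 128-, 192- or 256-bit key, and to show that a recipient who receives a modified ciphertext gets an error rather than silently corrupted plaintext. The function names, the envelope layout and the sample attachment text are constructed for this illustration. GCM is used rather than an unauthenticated mode because it binds integrity to the encryption; 3DES, which the article also lists, is deprecated by NIST and is not used here. Delivering the key to the recipient is a separate problem that this example does not address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random AES key for the sizes NIST recommends: 128, 192 or
// 256 bits. Any other size is rejected rather than silently truncated.
func NewKey(bits int) ([]byte, error) {
	switch bits {
	case 128, 192, 256:
	default:
		return nil, fmt.Errorf("unsupported AES key size: %d bits", bits)
	}
	key := make([]byte, bits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptAttachment seals plaintext with AES-GCM. The attachment's filename is
// bound as associated data, so a ciphertext cannot be re-attached under a
// different name without failing authentication. The envelope layout is
// nonce || ciphertext || tag; a fresh random nonce is drawn per attachment.
func EncryptAttachment(key, plaintext []byte, filename string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// DecryptAttachment opens an envelope produced by EncryptAttachment. Any
// modification of the nonce, ciphertext, tag or filename yields an error and
// no plaintext, which is the property that lets a recipient detect tampering.
func DecryptAttachment(key, envelope []byte, filename string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	nonce, ct := envelope[:aead.NonceSize()], envelope[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(filename))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey(256)
	if err != nil {
		panic(err)
	}
	// Constructed sample attachment; not real patient data.
	phi := []byte("Patient: J. Doe (constructed)\nVisit: 2024-01-01\nNote: example only\n")
	env, err := EncryptAttachment(key, phi, "visit-summary.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("envelope: %d bytes for %d bytes of plaintext\n", len(env), len(phi))

	plain, err := DecryptAttachment(key, env, "visit-summary.txt")
	fmt.Printf("decrypt with correct name: err=%v, match=%v\n", err, string(plain) == string(phi))

	// Flip one ciphertext byte: GCM authentication must fail.
	env[len(env)-1] ^= 0x01
	_, err = DecryptAttachment(key, env, "visit-summary.txt")
	fmt.Printf("decrypt after tampering: err=%v\n", err)
}
```

Binding the filename as associated data is a small design choice with a practical payoff: an attacker who swaps two encrypted attachments between messages cannot make either one decrypt under the wrong name, and the recipient sees an authentication error instead of a plausible-looking file.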
How to secure emails?
An entity or business associate can secure emails by complying with HIPAA standards. The following approaches also help keep emails secure:
1. Cloud-based servers
A secure cloud-based email platform hosting a HIPAA compliant server is a good option for securing emails. You should connect to the server over HTTPS so that the connection between you and your email server is encrypted. Unfortunately, that gives no guarantee for the transmission from the cloud server to the recipient's server or workstation; it works only when all senders and recipients have accounts on the same cloud-based email service.
2. Encryption
As previously mentioned, encryption is a non-negligible element of HIPAA compliance.
Many email service providers encrypt the message as it travels from your workstation to the recipient's server. If the recipient is not a client of that provider, they receive a notification instead, and can retrieve the message once a secure connection has been established.
3. Secure message portals
Some EMR/EHR systems provide a secure messaging portal for patients, where patient information can be stored and retrieved as required. An email notifies the recipient whenever a message arrives on the portal; the patient simply logs in and receives the message securely. If your system has no such portal, you can also obtain portal services from other providers such as eDossea and BrightSquid.
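Items 1 and 2 above both turn on the same question: was every hop of the delivery, not just the one from your workstation, protected in transit? One way a defender can answer it after the fact is to read the Received: headers that each receiving mail server prepends, since MTAs record there whether the connection used TLS. The following is an added example, not code from the original article or from the providers it names: it parses a constructed message with Go's standard library and flags any hop whose Received: line does not show a TLS-protected delivery. The hostnames, addresses and ids in the sample are made up, and the regular expression covers the notations the author has seen from common MTAs rather than any formal standard. Only the headers added by servers you control are trustworthy; headers from earlier hops can be forged by an upstream sender, so this check is an audit aid, not proof.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// tlsHop matches the ways common MTAs record a TLS-protected hop in a
// Received: header: "with ESMTPS"/"ESMTPSA" (Postfix, Sendmail, Exim),
// "version=TLS1_3" (Gmail) and "(using TLSv1.2 ...)" (Postfix, Exim).
var tlsHop = regexp.MustCompile(`(?i)\bwith\s+\w*smtps\w*\b|\bTLS\s*v?1[._]\d\b|version=TLS`)

// HopReport records one Received: header and whether it shows TLS.
type HopReport struct {
	Header string
	TLS    bool
}

// AuditReceived parses a raw RFC 5322 message and classifies each hop.
// Received: headers are prepended by each receiving server, so index 0 is
// the most recent hop. It returns the per-hop report and whether every hop
// recorded a TLS-protected delivery.
func AuditReceived(raw string) ([]HopReport, bool, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, false, err
	}
	hops := msg.Header["Received"] // folded continuation lines are already unfolded
	if len(hops) == 0 {
		return nil, false, fmt.Errorf("message has no Received: headers")
	}
	all := true
	report := make([]HopReport, 0, len(hops))
	for _, h := range hops {
		ok := tlsHop.MatchString(h)
		all = all && ok
		report = append(report, HopReport{Header: h, TLS: ok})
	}
	return report, all, nil
}

// sampleMessage is a constructed message (hosts, addresses and ids are made
// up): the final hop to the partner used TLS, but the internal hop from the
// EHR application to the clinic's relay did not.
const sampleMessage = "Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])\r\n" +
	"\tby inbox.partner.example with ESMTPS id 4Abc123\r\n" +
	"\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);\r\n" +
	"\tMon, 01 Jan 2024 09:00:00 +0000\r\n" +
	"Received: from ehr-app.clinic.internal (ehr-app.clinic.internal [10.0.0.5])\r\n" +
	"\tby mx.clinic.example with ESMTP id 9Xyz789;\r\n" +
	"\tMon, 01 Jan 2024 08:59:58 +0000\r\n" +
	"From: records@clinic.example\r\n" +
	"To: intake@partner.example\r\n" +
	"Subject: Referral\r\n" +
	"\r\n" +
	"Body omitted.\r\n"

func main() {
	report, allTLS, err := AuditReceived(sampleMessage)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, h := range report {
		fmt.Printf("hop %d TLS=%v: %s\n", i, h.TLS, h.Header)
	}
	fmt.Println("all hops protected:", allTLS)
}
```

Running this over a sample of delivered messages is a quick way to find the internal relay or legacy application server that still hands mail off in the clear, which is exactly the gap the article warns about between the cloud server and the rest of the path.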
Apart from the above, other email considerations are:
1. Passwords and two-factor authentication
A strong password or passphrase, and multi-factor authentication wherever it is available, limit access and thereby protect the email account.
2. Email disclaimers
When sending emails, staff can use email disclaimers and confidentiality notices to inform patients and other recipients that the information is PHI and should be handled accordingly.
Nevertheless, you should still encrypt the emails you send. No disclaimer relieves the entity of its responsibility to send ePHI securely.
How to find the best HIPAA compliant email provider?
There are various HIPAA compliant email providers. It's important to keep the following points in mind when selecting the best HIPAA compliant email provider for you:
- The provider should have a proper and attentive customer service team, and must be willing to sign a business associate agreement.
- The provider should encrypt every email, including those that contain no PHI.
- The encryption service needs to be good, and should integrate well with any device, any browser, and any email provider.
Popular HIPAA-compliant email providers
Some of the popular HIPAA-compliant email providers are:
- HIPAA Vault
- Aspida Mail
- Protected Trust
You can choose any of the above as per your needs and requirements.
Advantages of HIPAA
- It increases personal privacy in terms of healthcare information of the patients.
- It prevents discrimination.
- It secures the process of sharing protected health information.
- It streamlines different administrative healthcare functions and improves the efficiency of the whole healthcare industry.
- It ensures all the covered entities use the same code sets and nationally recognized identifiers.
- It requires the covered entities to implement multiple safeguards to protect sensitive personal and health information.
- It mandates strong passwords and requires providers to have a data backup plan in place.
- It reduces medical errors and leads to regular auditing of systems.
Under HIPAA, covered entities, and any business associates that have signed a business associate agreement with a covered entity, must comply with the HIPAA Rules. If they do not, they face the consequences: a HIPAA violation can result in financial penalties ranging from a minimum of $50,000 per incident to a maximum of $1.5 million per violation category, per year.
Multi-million-dollar fines are possible if a violation persists for more than one year or if there have been multiple violations of HIPAA rules. Certain HIPAA violations also carry criminal penalties.