Since modifications to the Health Insurance Portability and Accountability Act (HIPAA) were passed in 2013, HIPAA compliance for email has been a fiercely disputed subject.
The language of the HIPAA Security Rule is particularly pertinent: it does not outright forbid the use of email to communicate PHI, but it introduces a number of conditions that must be satisfied before email communications can be regarded as HIPAA compliant.
Access controls, audit controls, integrity controls, ID authentication, and transmission security must be implemented by covered entities in accordance with HIPAA email standards in order to:
- Limit who has access to PHI.
- Keep an eye on the way PHI is shared.
- Ensure the security of PHI when it is at rest.
- Assure complete message accountability.
- Prevent unauthorized access to PHI while it is in transit.
Some HIPAA covered entities have argued that email encryption alone is enough to guarantee HIPAA compliance. HIPAA email regulations, though, go beyond encryption.
The audit control requirement to monitor PHI communication and the ID authentication requirement to ensure message accountability cannot be met by encryption alone.
In addition, some necessary tasks can be difficult to address, such as creating an audit trail and preventing improper alteration of PHI.
Therefore, while emails can be HIPAA compliant, achieving this requires substantial IT resources and ongoing monitoring to ensure that authorized users are transmitting PHI in accordance with the guidelines for HIPAA compliance for email.
HIPAA Email Encryption Requirements
If emails contain ePHI and are sent outside of a secure internal email network, beyond the firewall, HIPAA email regulations require that they be secured in transit.
As already noted, encryption is only one component of HIPAA compliance for email, but it does guarantee that, should a message be intercepted, its contents cannot be read, avoiding an unauthorized disclosure of ePHI.
In the HIPAA Security Rule, encryption is an addressable standard, both for data at rest and for HIPAA compliance for email. Addressable does not mean optional: encryption cannot be disregarded simply because it is not “required.” If a covered entity decides against encryption, it must implement an alternative, equivalent security measure.
A covered entity must assess the level of risk and decide if encryption is necessary. To ascertain the threat to the confidentiality, integrity, and availability of ePHI communicated over email, a risk analysis must be carried out.
The risk must then be reduced to a reasonable and acceptable level through a risk management strategy, which must be achieved either by encryption or by an alternative technique.
Documentation of the choice is also required. OCR will want to know whether encryption was considered, why it wasn’t used, and whether the substitute security measure chosen in its place provides an equivalent degree of security.