What is the HIPAA Email Encryption Requirement?

Written by narendrasahoo | Published 2022/09/20
Tech Story Tags: cybersecurity | hipaa | hipaa-compliance | email-encryption | privacy | encryption | what-is-encryption | hipaa-email-encryption

TL;DR: The Health Insurance Portability & Accountability Act (HIPAA) is a standard and framework designed to secure Protected Health Information (PHI). The standard calls for measures that secure data both when stored and when in transit. Email encryption is the process of encoding the data in an email so that it is readable only by those holding the decryption key. The algorithm encrypts the email (data/text) sent to the recipient, and it can only be decrypted with a “cryptographic key”. Decryption turns the encrypted ciphertext back into its original plain-text form, which the recipient can read.

The Health Insurance Portability & Accountability Act (HIPAA) is a standard and framework designed to secure Protected Health Information (PHI). The standard calls for measures that secure data both when it is stored and when it is in transit. So, when we talk about ePHI in transit, such as data sent via email, it needs to be secured, and for this HIPAA expects organizations to implement security measures such as email encryption.

This technique not only secures ePHI but also supports HIPAA compliance. Although the regulation does not mandate email encryption, it is seen as good practice and is often recommended to protect the data and prevent data breaches. Covering this in detail, this article explains the email encryption requirement and how the technique can help achieve and maintain HIPAA compliance.

What is Email Encryption?

Email encryption is the process of encoding the data in an email so that it is readable only by those holding the decryption key. The algorithm encrypts the email (data/text) sent to the recipient, and it can only be decrypted with a secret known as a “cryptographic key”. Decryption turns the encrypted ciphertext back into its original plain-text form, which the recipient can read.

Emails should be encrypted end-to-end to ensure they are secure and HIPAA compliant. This way no unauthorized person can read the data, whether at rest or in transit. Further, even if an unauthorized individual or hacker gains access to the mail, they will not be in a position to decrypt the data and read it.

Encryption by itself cannot prevent a hacker from accessing the email, but it does prevent them from reading the sensitive data inside it, and so prevents a data breach. For this reason, the organization must implement robust endpoint security using other security measures and techniques alongside email encryption.

Why is Email Encryption Important?

The healthcare industry deals with a lot of sensitive personal patient data on a day-to-day basis. For this reason, adopting the correct encryption technique is essential, especially for email. Given below are some reasons why we believe email encryption is essential.

Secures e-PHI data

Encryption in general is seen as an effective technique for protecting data at rest or in transit. Since it is the responsibility of the healthcare organization to secure PHI, the organization must implement encryption measures to protect the confidentiality and integrity of ePHI. Knowing how sensitive the data is, implementing such stringent security measures helps mitigate the risk of unauthorized access and data breach.

Ensures Compliance

HIPAA outlines the need for encryption to secure ePHI and meet the requirements of the HIPAA framework. Implementing encryption helps organizations secure sensitive PHI and ePHI against unauthorized access and breach, keeping the data safe and ensuring compliance with the framework. The encryption requirement is part of the HIPAA Security Rule. While the measure is not a mandate, implementing it is seen as a best practice that ensures security and compliance with the HIPAA framework. So, by extending encryption to all emails containing ePHI, you can secure sensitive data and also achieve compliance.

Ensure Privacy of Data

Encryption of email focuses on maintaining the privacy and integrity of the sensitive ePHI data attached to the mail. Adopting encryption protects the information from being viewed by unauthorized individuals. This way organizations can maintain the privacy of ePHI data and also achieve compliance with the HIPAA requirements.

Save Costs

Email encryption services can save the organization a lot of money, although that depends on how the email encryption service is set up. If the organization has adopted an email service with encryption integrated into the server, there is no need to segregate and purchase a separate server for encryption, which saves the cost of setting one up. Further, encryption ensures that emails carrying sensitive ePHI are secure, which reduces the possibility of a data breach and the heavy financial losses and penalties that can follow.

Secure Outsourced Email Service

Most healthcare organizations outsource their email services to a third party or a Business Associate. The outsourced email service may then handle mail containing ePHI that needs to be secured. With email encryption in place, the need to ensure that the Business Associate maintains HIPAA compliance is addressed as well, and the security of ePHI in transit and at rest is maintained appropriately.

Safeguards Reputation

Unauthorized access to ePHI via email can also result in a data breach. Incidents involving lost or stolen ePHI can severely impact the reputation of an organization: they not only attract financial penalties but also result in loss of reputation and brand image. Patients expect healthcare organizations to safeguard their data when they entrust their personal information to them, so after a data breach they will no longer believe in the organization’s capability to secure data and will lose trust in it.

What does HIPAA say about protecting ePHI in an Email?

When we talk about HIPAA Compliant emails, it simply means that the Health and Human Services (HHS) requires healthcare organizations to implement necessary security measures for Protected Health Information (PHI/ePHI), and not just personal information. This also means the PHI/ePHI which is transmitted by electronic media or stored in any electronic medium or transmitted or stored in any other format, needs to be protected. So, PHI or ePHI data in transit or at rest are required to be protected as per the required HIPAA Privacy and Security Rules, as mandated and enforced by the federal government.

The HIPAA Privacy Rule sets standards for protecting the rights of patients, and Covered Entities are expected to follow HIPAA requirements to safeguard individuals’ right to privacy and the confidentiality of their health information. Expanding on the Privacy Rule, HIPAA also mandates the implementation of the Security Rule to cover electronic PHI (ePHI), ensuring that sensitive PHI/ePHI is protected from being “lost” or accessed by unauthorized users.

The Privacy and Security Rules focus on securing PHI/ePHI at rest and in transit, and Covered Entities and their Business Associates are required to implement the necessary and appropriate means to secure the data. For this, the regulations specifically call for organizational and administrative requirements along with the technical and physical safeguards set out in the Security Rule.

However, it is important to note that HIPAA Security Rule does not specify the adoption of any specific technology for meeting the Security Rule in particular. The HHS has kept the HIPAA Security Requirement open to interpretation. This is done keeping in mind the evolving technology and threat landscape. HIPAA allows for scalability and flexibility in implementation, especially in accordance with the organization’s approach to protecting data. Covered entities and their Business Associates are expected to adopt certain measures to safeguard PHI/ePHI from any “reasonably anticipated” risks or threats.

For these reasons, HIPAA uses the terms “required” and “addressable” in the Security Rule. Required means that complying with the given standard is mandatory, so implementation of the specification is a mandate. Addressable means that the given specification must be implemented unless the risk analysis and assessment conclude that such implementation is not reasonable and appropriate for the specific business setup. That said, it is important to note that Addressable does not mean optional.

Source: HHS

HIPAA Email Encryption Requirement

HIPAA does not necessarily restrict sending ePHI over an open network or by email, as long as the data is appropriately secured as per the HIPAA Security and Privacy Rules. As mentioned earlier, the HIPAA Security Rule does not specify any particular technology for securing ePHI. This means HIPAA does not mandate email encryption: it is an “addressable” implementation specification under the Security Rule, not a “required” one. Yet adopting encryption for email is seen as an implementation of best practice.

In general, the security risks for email include unauthorized access to emails, delivery of emails to unauthorized recipients, and unauthorized access to ePHI at rest. Such risks can be countered or prevented with the implementation of email encryption.

The regulation mandates that healthcare entities and their Business Associates perform a comprehensive risk analysis to determine the best solution for their organization to protect ePHI in emails. Based on the email services and technologies used for electronic transmission of ePHI, the Technical Safeguards under the HIPAA Security Rule must be met accordingly.

While the Addressable specifications include encryption, Covered Entities must also assess organizational risks to determine whether encryption also satisfies the integrity controls, which require that electronically transmitted ePHI is protected from unauthorized modification or compromise in transit. It is also important to note that encryption of ePHI at rest is likewise Addressable and not Required under HIPAA. However, HIPAA places great emphasis on encryption for protecting PHI and ePHI at rest and in transit, considering the high level of vulnerabilities and risk exposure.
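As an added example (not code from the original article), here is how the confidentiality point from the “What is Email Encryption?” section and the integrity control discussed above look together in practice: an email body sealed with AES-256-GCM, so the recipient’s key is needed to read it, and so that any modification of the ciphertext or of the bound headers in transit is rejected rather than silently accepted. The Sealed type and the SealBody/OpenBody names are assumptions of this example, and the key is assumed to be exchanged between sender and recipient out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Sealed is what travels with the message; the key never does.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte // ends with the 16-byte GCM authentication tag
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key (hypothetical helper).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBody encrypts the body under key. The header string is bound as
// associated data: it stays readable for routing, but any change to it
// (or to the ciphertext) is detected when the recipient opens the message.
func SealBody(key []byte, header string, body []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message, never reused
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, []byte(header))}, nil
}

// OpenBody reverses SealBody. It returns an error, never garbage plaintext,
// when the key is wrong or the header/ciphertext was modified in transit,
// which is the integrity control HIPAA asks Covered Entities to consider.
func OpenBody(key []byte, header string, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(header))
}
```

The sample header and body used to exercise it are constructed; a real deployment would also need a key-exchange mechanism, which this example deliberately leaves out.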

Ultimately, as per the HHS, Covered Entities and their Business Associates can either implement the specified standard, or develop and implement an alternative effective security measure that meets the purpose of the stated standard; or, where the specification is not reasonable and appropriate for the organization but the standard can still be met, not implement the measure. In that case, alternative reasonable and appropriate technical safeguards relevant to the organization’s environment must be implemented instead.

Source: HHS

Final Thought

Covered Entities and Business Associates under HIPAA are responsible for protecting the PHI and PII of patients. The duty of securing the data and ensuring the integrity and confidentiality of PHI and ePHI at rest or in transit therefore lies with the Covered Entities and Business Associates. Although this may seem a daunting task for both parties, implementing encryption seems to be a valid and effective measure for protecting the data. Email encryption can help both parties overcome this challenge and prevent ePHI from falling into the wrong hands. Moreover, it can also help protect the organization’s reputation and secure the data against the threat of a data breach arising from social engineering and ransomware.


Written by narendrasahoo | Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec.
Published by HackerNoon on 2022/09/20