Email is a vital tool for healthcare organizations. As with any other form of communication that includes PHI (protected health information), Health Insurance Portability and Accountability Act (HIPAA) compliance is a requirement. While HIPAA email rules cover more than just security, it’s one of the most critical aspects. To ensure your organization is compliant and PHI is secure, make sure you follow these healthcare email encryption best practices.
HIPAA Email Rules
HIPAA compliant email rules require entities to implement access, audit, and integrity controls. Additionally, these rules should include identification authentication and transmission security to fulfill HIPAA requirements of:
- Restricting PHI access
- Monitoring PHI communications
- Ensuring the integrity of PHI at rest
- Assuring accountability for all messages
- Protecting PHI from unauthorized access during transit
Healthcare email encryption is critical for the integrity of PHI at rest and in transit. So, what exactly does HIPAA say about encryption requirements?
HIPAA Email Encryption Requirements
HIPAA email requirements state that any message containing PHI sent outside your protected internal email network must be secure.
The language doesn’t explicitly state that encryption is required. Rather, email encryption is an “addressable” implementation, not a required one. Addressable means that an organization must act if a risk assessment reveals it to be necessary.
Encryption is the best approach to ensure security. Further, the HIPAA Security Rule asserts that data at rest must also be secure. With this in mind, let’s review the best practices for encryption of HIPAA emails.
To Encrypt or Not?
Organizations bound by HIPAA must make careful considerations about when to use encryption. Should they choose not to for specific situations, they must have an alternative. Encryption decisions usually align with the risk level.
Determining risk level requires an analysis of the threat to confidentiality, privacy, integrity, and accessibility. Many organizations develop a threat matrix indicating when to encrypt and include it within their risk management plan. You must document these encryption decisions. In the case of an audit, the Office for Civil Rights (OCR), the body that enforces HIPAA, will want to be privy to your considerations.
Ultimately, if in doubt, encrypt. It’s better to be safe than end up with a HIPAA violation, which could be costly.
Not All Encryption Is the Same
Email encryption isn’t just one standard. Generally speaking, email encryption alters the text of an email, so that it’s unreadable unless the receiver has the encryption key, which is a password. Further, for HIPAA emails, the encryption must be end to end, not just during transmission.
Not all encryption methods offer the same security. HIPAA doesn’t define the type of encryption, so it’s open to interpretation. What organizations can do is seek guidance from the National Institute of Standards and Technology (NIST).
The NIST currently recommends using Advanced Encryption Standard (AES) at 128-, 192-, or 256-bit encryption. The number expresses the key length used for encryption and decryption. AES 256-bit is the strongest type of encryption.
Most healthcare organizations follow AES encryption standards, but it’s something you should discuss with your IT team and email provider.
Creating Encryption Rules
Not every email your staff sends is under the rule of HIPAA. Thus, encryption isn’t a necessity every time you hit send. Rather, it’s much more convenient to have an email exchange that has pre-built HIPAA compliance rules. With HIPAA-compliant templates, you can define code sets, keywords, and polices that cover:
- Current Procedural Terminology (CPT) codes
- International Classification of Diseases (ICD) codes
- Health Care Common Procedure Coding System (HCPCS)
- National Drug Codes (NDC)
- Claims Adjustment Reason Codes and Remark Codes (CARC/RARC)
- Inpatient Fee for Service Codes (FFS)
- National Provider Identifiers (NPIs)
- Social security numbers (SSNs)
- Keywords related to PHI
Proper Staff Training Is Critical
Having a rules engine for encryption is a great practice, but another is ensuring your staff understands the security protocols for sending emails with PHI. Each staff member should undergo HIPAA training annually, and that should include email encryption. Continuously reiterate these principles.
Email Archive Security
After you send or receive an email, that’s not the end of its security journey. HIPAA requires that you keep emails for a minimum of six years. Moving them to a secure archive ensures your compliance, so when seeking out an email exchange provider, make sure you discuss archiving.
Intermedia Offers Healthcare Email Encryption
We are glad to provide email encryption services for many healthcare organizations. Our healthcare employees can communicate and remain productive while also keeping data secure and staying compliant. Learn more about our healthcare solutions today by downloading our whitepaper, How to Manage a Remote Healthcare Practice.
January 12, 2021
Explore other posts on these topics: