If you’re new to the world of HIPAA compliant email, the idea of safely sending messages and files to your patients, other health providers and business associates can seem overwhelming at first. While any professional email should be approached with mindfulness of data security and awareness of the threats to your email privacy, from hacking to phishing, businesses that deal with PHI must be extra vigilant to make sure their communications are compliant with HIPAA and HITECH. After all, a HIPAA violation is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of hundreds of thousands of dollars.
While HIPAA compliant email doesn’t need to be rocket science, the stakes facing both the medical and non-medical communities are pretty high. Consumers want more and easier access to their personal health data, but have greater demands when it comes to privacy.
At the start of the Phase 2 HIPAA Audits, the Office of Civil Rights (OCR) launched a major string of enforcement actions. In addition to imposing the largest HIPAA settlement to date ($5.55 million), they levied their first business associate penalty — a $650,000 fine for a breach that affected a mere 412 patients. The message is clear: the OCR is upping scrutiny (and penalties) across the board, and everyone needs to keep their electronic files and messages secure.
And these penalties can add up quickly because they are “per violation,” which means every single email that violates HIPAA requirement constitutes a fineable event. Penalties are broken down into four tiers:
The maximum annual fine is $1.5 million for each covered entity.
Email communications containing protected health information (PHI) need to meet certain HIPAA security standards to satisfy compliance guidelines. These standards are left purposely flexible, which in turn can lead many businesses to wonder whether they’re transmitting PHI according to HIPAA’s Security and Privacy rules. The “reasonable safeguards” for email include precautions like encrypting patient-bound email and verifying recipients’ identities prior to disclosing personal information.
Any organization that handles PHI (known as a “covered entity”), from health providers such as doctors, nurses, chiropractors, pharmacies and nursing homes to businesses that provide health plans like HMOs, company health benefits and government programs like Medicare — as well as all of their business associates — needs to ensure that their email solutions are HIPAA compliant. This includes businesses that provide “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.” If you’re a non-medical organization, but process, store or work with identifying data (e.g. name, birthdate, credit card number) connected with health care services, you’re probably a business associate.
Business associates are subject to the same HIPAA compliance rules (and noncompliance penalties) as medical organizations. You should have already signed a Business Associate Agreement (BAA) with any client whose data you use, governing your obligations under HIPAA. But even more importantly, you need to ensure you have controls and procedures in place to protect PII from accidental disclosure.
Download this free guide and learn how data-centric security approaches can help you ensure patient privacy while maintaining HIPAA compliance.Download Now
Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it seems that the demand for greater digital access to health data is at odds with the HIPAA Privacy Rule, which demands that a patient’s past, present and future PHI be accessible only to authorized recipients. One of the goals of HITECH was to spur adoption electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. If your ophthalmologist recently asked you to sign up for an online patient portal, that’s HITECH in action.
But another HITECH provision put many covered entities on notice: where prior to HITECH, $250,000 was the maximum annual penalty for a HIPAA violation, that threshold has moved up to $1.5 million. This presents the medical community with the puzzle of how to increase digital access to data without compromising patient privacy.
The challenges facing healthcare data security, from data thieves and “hacktivists” targeting hospitals to user error and technology adoption, make HIPAA compliant email more important than ever. But what makes an email HIPAA compliant?
One of the most important steps any business handling PHI should take is enabling email encryption. Encryption uses a complex cipher algorithm to render your data unreadable to anyone without the necessary credentials (or the encryption key). In short, if a cybercriminal cracks into an email you send to a patient or insurance company, they won’t be able to use that data unless they also get ahold of your encryption key.
HIPAA goes to great lengths to make requirements technology-neutral. Encryption is considered addressable under the HIPAA security rule. Organizations must implement it “if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard to protect the confidentiality, integrity and availability” of electronic Protected Health Information (ePHI). Otherwise, they must implement an “equivalent alternative measure.”
While HIPAA email rules don’t directly require encryption at all times (inter-agency emails, for instance, don’t have mandatory encryption rules), encrypted email by nature fulfills all requirements of HIPAA: sender and recipient are both verified, PHI is protected coming and going and the extra effort taken by all parties involved constitutes a reasonable safeguard.
There are a few options when it comes to email encryption. Many hospitals, healthcare providers and insurance companies deploy portal solutions that use Transport Layer Security (TLS) to encrypt messages. In these scenarios, patients and other providers establish and maintain a separate account for a portal where they can exchange sensitive information. While these solutions do provide for HIPAA compliance, their user experience tends to be clunky and frustrating. At one time or another we’ve all forgotten our username or password and been locked out of our health or financial data.
At the end of the day, employees prefer to use the applications they’re used to — including their email service providers. Newer email encryption solutions are able to integrate with the email service you’re already using—like Gmail and Outlook—to provide a seamless, easy-to-use user experience with powerful client-side encryption.
But before deciding on which email service provider to use to meet HIPAA compliance, it’s first important to understand the pitfalls of said email providers’ native security features.
Gmail is not innately HIPAA compliant, at least in the way that most businesses use the service. Like the vast majority of email services, Gmail does not encrypt emails by default. Protecting sensitive data communication falls to you, the user.
Google specifically states that individual users are responsible for determining whether their business needs to maintain HIPAA compliance, and adds that any customers who have not entered into a BAA shouldn’t share PHI via any Google services.
However, Google can support HIPAA compliance for those Google App customers who are willing to sign a HIPAA Business Associate Agreement (BAA) with Google. The BAA ensures certain measures to protect data stored on Google’s servers, but it does not come with email encryption built in. For that, you would need to purchase a separate email encryption service such as Google Apps Message Encryption (GAME), at additional cost.
While GAME helps ensure HIPAA compliance, it does so at the expense of user experience. To access an encrypted message, the recipient must sign in to an online portal. This carries the same frustrations as any web-based email portal solution: it takes added time and clicks just to read each email, users must remember an additional login and password, and secure emails are accessed separately from their normal email.
Microsoft considers Outlook a consumer service, and does not endorse it for compliance regimes like HIPAA. There are a lot of versions of MS Outlook and none of them are HIPAA compliant on their own.
Microsoft Office 365 and its components like Microsoft Exchange Online are HIPAA compliant, and Microsoft will sign BAAs with covered entities using these products. Microsoft Exchange uses TLS — a type of point-to-point encryption commonly used in email, and other secure connections (See the “https” in the beginning of this blog’s address? That means this page is protected by TLS).
However, although Exchange Online is a HIPAA compliant email service, it isn’t safe enough by itself. TLS depends on the servers it travels through to work. If your email recipient doesn’t support TLS, or your message goes through a broken, hacked, or poorly configured server, an attacker can gain access to it, potentially breaching PHI.
Virtru offers a HIPAA compliant email service that makes it easy to comply and email confidential data without the risk of third-party interception. It works with your existing email account, giving you the power to encrypt messages and attachments with a single click.
It also lets you communicate securely with anyone — recipients with Virtru can read a message just by clicking it in their inbox. Recipients without it can click through to our Secure Reader, allowing them to send their own encrypted replies and attachments. That means you won’t have to breach HIPAA and email compliance rules just because a partner or client uses a different portal.
Right now, HIPAA enforcement actions are relatively rare, but the frequency and size of penalties are growing. Protecting your organization with a HIPAA compliant email service can decrease the risks of damaging breaches and costly fines.
Learn more about HIPAA and email security with our free guide to HIPAA Compliance in the Cloud.
As Virtru's SVP of Strategy and Field CPO, Rob advocates safeguarding data across emerging applications and sharing workflows. With deep expertise as a healthcare CIO and security consultant, he helps organizations mitigate technical and human risk. Rob has a Computer Science degree and is a lifelong technology and security student.View more posts by Rob McDonald
Contact us to learn more about our partnership opportunities.