Make no bones about it: encryption is absolutely necessary for HIPAA compliance. If you’re a covered entity under HIPAA, meaning that you’re a healthcare provider, hospital, insurance provider or healthcare clearinghouse, you need to encrypt your patients’ protected health information (PHI) not only to protect your patients’ privacy, but also to protect yourself and your practice from hefty fines. Data encryption, email encryption and HIPAA compliance are absolutely necessary to keep your business systems, your patients and your practice healthy and strong.
A HIPAA violation isn’t just a hit to your bottom line, though — it’s also a hit to your reputation. Patients don’t want to leave their most sensitive information with a provider who can’t guarantee it won’t leak to unintended recipients, whether unwitting strangers or cybercriminals. Consistent use of encryption, from encrypted devices and servers to encrypted email, is an important way to avoid HIPAA violations and the resulting bad PR, as these three case studies illustrate.
But before we dive into how a lack of data and email encryption affected these three organizations, let’s take a look at what’s at stake if you don’t encrypt.
What Constitutes a HIPAA Violation?
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules require covered entities to meet a number of conditions to stay compliant. These conditions can be broken into three basic categories: administrative safeguards, physical safeguards and technical safeguards.
Administrative Safeguards – The Three Ps of HIPAA Compliance
Administrative safeguards ensure that your organization is protecting patient privacy from the standpoint of the three Ps: processes, policies and personnel. That means providing adequate background checks, training and knowledge sharing, policies and documentation so that everyone in the organization knows what they have to do to protect PHI. Employees should only have access to sensitive data if and when it’s absolutely necessary to their work function, and your organization should create, practice and revise contingency plans that address what to do if and/or when there is a leak of PHI.
Physical Safeguards – Locking Down Your Devices and Facilities
Physical safeguards ensure that your actual physical facilities and devices are protected. HIPAA physical safeguards include surveillance cameras in your data center for facility monitoring, as well as strong access controls not only for your servers but also for company laptops, physical storage media and other PHI-carrying devices. Physical safeguards also include adequately destroying data that no longer needs to be stored.
Technical Safeguards – Authentication, Data Encryption, Email Encryption and HIPAA
Technical safeguards are, as the name implies, the technological standards that keep PHI private. This includes the use of multi-factor authentication for user access, automatic logoff and the use of strong encryption. This is why data and email encryption and HIPAA compliance are inextricably linked: without protecting PHI that is either stored on servers and other media or transmitted via email, you’re out of compliance.
A breach of any of these three types of HIPAA safeguards results in a violation. But how much, exactly, will that violation cost you?
The Consequences of HIPAA Violations
It pays to stay compliant. The maximum penalty for a single HIPAA violation is $250,000 — and that’s just one violation involving one patient. If an entire server containing the PHI of multiple patients has been compromised, you’re looking at $1.5 million in maximum annual penalties.
Of course, we’re especially interested in how email encryption and HIPAA compliance are related. The largest HIPAA penalties go to businesses that demonstrate “willful neglect” and have repeat violations, so let’s assume that this is your first run-in with non-compliance. If a single physician sees five patients in a day, sends a follow-up email to each, and isn’t aware that the email he or she is using is unencrypted and non-compliant, that’s a penalty of $100 to $50,000 per email, or $500 – $250,000 total. For a small practice, the latter sum can be staggering.
Now let’s say your practice isn’t aware of the importance of email encryption and HIPAA compliance, and sends that much unencrypted email over a month. Now, you’re talking about potential fines of $10,000 to the annual maximum of $1.5 million for a practice that operates five days a week and sends follow-up emails to each patient.
Given how fast HIPAA penalties can balloon, data encryption, email encryption and HIPAA related privacy and security technology are some of the most important investments your organization can make. Let’s take a look at a few businesses that learned that lesson the hard way.
What the Sony Pictures Hack Has to Do with Email Encryption and HIPAA
While Sony Pictures isn’t a covered entity under HIPAA, it’s a perfect example of how email encryption and HIPAA privacy protections are important even to businesses you wouldn’t think of as handling medical information or documentation. Any human resources professional has probably dealt with countless instances of private health information, especially through their interactions with employee healthcare providers.
In December 2014, after word had already broken out about the massive Sony Pictures data breach, Sony added insult to injury by sending out a breach notification email to their employees, admitting that among the leaked data was sensitive HIPAA information. This data, leaked through over 30,000 HR emails and documents, not only included PHI but also personally identifiable information (PII) like addresses, birthdays, social security numbers and phone numbers.
Due to the Sony hack, medical information of many Sony employees (including some celebrities), as well as their spouses and children, is openly accessible via the Internet, where it is notoriously difficult to expunge data. The leaked medical data spans multiple health conditions including cancer, kidney failure and cirrhosis, as well as denied insurance claims. The breach didn’t just expose sensitive health data, but also revealed how careless Sony’s HR department was with discussing and transmitting employee PHI and PII over email — piling on top of Sony’s already giant PR nightmare.
How Could Email Encryption and HIPAA Awareness Have Prevented This?
Had Sony Pictures used a client-side email encryption service like Virtru, the chances that so much PHI and PII would have been leaked not only to cybercriminals, but also to the general public, would have been much smaller. With client-side email encryption, only the intended recipient can access the decrypted email messages and attachments, because only the intended recipient can verify his or her identity and unscramble the data using the encryption key. To hackers who have stolen their way into the Sony email servers, those HR email messages would have been virtually unreadable, and therefore unleakable.
Also, most state breach notification laws, as well as the HIPAA Breach Notification Rule, require organizations to notify all affected parties of a breach of “unsecured” data, where “unsecured” means “unencrypted.” Of course, it’s still best practice to notify users of a breach, but you can also assure them that the data is encrypted, so it’s protected even if it lands somewhere it shouldn’t be.
For HIPAA Compliance, Encrypt Your Laptops, Too
While email encryption and HIPAA compliance go hand in hand, don’t stop at encrypting your inbox. As the Hospice of North Idaho (HONI) learned in 2010, a stolen laptop will cost a covered entity far more than the price of the device, if the laptop isn’t encrypted.
After HONI reported the laptop theft to the US Department of Health and Human Services (HHS), the agency that oversees and enforces HIPAA protections, the HHS Office for Civil Rights (OCR) began investigating the matter to see what, if any, PHI had been exposed. Because the laptop was unencrypted, the data it contained was available for the thief and anyone else with access to the device to see. The OCR determined that over 400 HONI patients had had their PHI exposed via the unencrypted laptop theft, and that the breach could have been prevented had HONI implemented adequate mobile device policies.
In the end, HONI had to pay $50,000 in HIPAA violation fees, and also had to demonstrate that they were taking steps toward remediating their compliance issues. We’re willing to bet that since their HIPAA breach settlement, none of the laptops and other devices used by HONI personnel are unencrypted.
An Exposed Database Leads to $1.7 Million in HIPAA Fines
At this point, it should be clear that anything in your organization that contains PHI should be encrypted, from email to laptops to servers. More stringent encryption practices might have spared WellPoint Inc., a managed care firm, from over seven figures in HIPAA violation fines, and might have saved the privacy of over 600,000 affected patients.
The HIPAA violation came in the form of a security flaw in an online application database, which exposed the PHI of hundreds of thousands of patients to unauthorized Internet users. That data included not only sensitive health information, but also PII like social security numbers and home addresses. The OCR found that WellPoint had been lacking in its administrative and technical safeguards, and imposed a $1.7 million settlement on WellPoint.
WellPoint’s HIPAA violation was, for the most part, a matter of access: unauthorized individuals were able to read data that wasn’t intended for their access. While strict access policies and multi-factor authentication would be two important steps toward remediation of this scenario, encryption would be another important step. By encrypting the data in that database, any individuals gaining unauthorized access — whether unknowing employees or cybercriminals — would not be able to read the data unless they also had the encryption key.
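The two remediation points above (client-side encryption so a compromised mail server holds only ciphertext, and encrypting database contents so an unauthorized reader needs the key, not just access) rest on the same mechanism: encrypt the sensitive field before it reaches the server, and keep the key elsewhere. The following Go program is an added example written for this post; it is not Virtru code and not any system mentioned above. It uses AES-256-GCM from Go’s standard library to seal a constructed patient note before it is written to a stand-in for a database table, binds each ciphertext to its patient identifier as associated data, and then shows that a reader with a full dump of the table but no key gets only ciphertext, while a wrong key, an altered byte, or a ciphertext copied into another patient’s row is rejected. The key handling is simplified: the demo key is generated in memory, where a real deployment would fetch it from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptPHI seals one PHI field with AES-256-GCM. The patient identifier is
// passed as associated data, so a ciphertext copied into another patient's row
// fails to decrypt. The returned blob is nonce || ciphertext || tag, which is
// what would be written to the database column.
func EncryptPHI(key []byte, patientID, plaintext string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing one under the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(patientID)), nil
}

// DecryptPHI reverses EncryptPHI. It fails closed on a wrong key, a modified
// byte, or a mismatched patient identifier, because GCM checks the tag first.
func DecryptPHI(key []byte, patientID string, blob []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(patientID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key. In production it lives in a KMS or HSM, never in
	// the database next to the rows it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample rows standing in for a patient table.
	table := map[string][]byte{}
	for id, note := range map[string]string{
		"patient-0001": "Dx: cirrhosis; claim 4471 denied",
		"patient-0002": "Dx: stage II renal failure",
	} {
		blob, err := EncryptPHI(key, id, note)
		if err != nil {
			panic(err)
		}
		table[id] = blob
	}
	// What an unauthorized reader with a full table dump sees: ciphertext only.
	for id, blob := range table {
		fmt.Printf("%s -> %x\n", id, blob)
	}
	// What the authorized application holding the key sees.
	note, err := DecryptPHI(key, "patient-0001", table["patient-0001"])
	fmt.Printf("decrypted: %q err=%v\n", note, err)
	// A ciphertext moved to another patient's row is rejected.
	_, err = DecryptPHI(key, "patient-0002", table["patient-0001"])
	fmt.Println("cross-patient read rejected:", err != nil)
}
```

The associated-data binding is the part most field-encryption schemes forget: without it, someone with write access to the table could still swap encrypted notes between patients and the application would decrypt them without complaint.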
Virtru Pro: Bringing Convenience to HIPAA Encryption
Whether you’re a covered entity subject to regular HIPAA compliance audits or simply a business that deals with PHI or PII, client-side email HIPAA encryption is crucial to protecting your patients’, employees’ and clients’ privacy.
If you want to avoid becoming another HIPAA violation case study, try Virtru Pro. Virtru Pro’s client-side email encryption service is simpler to use than the portal systems you typically find in hospitals and healthcare practices, as Virtru works seamlessly with major email providers like Gmail.