
Virtru Security Insights


HR, HIPAA and Email: Requirements for Employee Health Data

September 6, 2016

The days when only the medical industry had to worry about HIPAA compliance are over. With the Phase 2 HIPAA audits underway, the Office for Civil Rights (OCR) has made it clear that any department that stores or processes protected health information is on the hook, including HR. Failing to adequately protect employee health information can lead to large fines under HIPAA, and email is where that information most often slips out of anyone's control. Here's what you need to know:

Identifying HIPAA Data

Most people think HIPAA only protects medical records, but Protected Health Information (PHI) is broader than that. PHI is individually identifiable health information: information about a person's health, treatment, or payment for care, together with anything that ties it to that person. A worker's name, address, or the date of their last doctor's appointment all count as PHI once they appear alongside details of that worker's health.

Context matters here. HR obviously won’t get in trouble for sharing a worker’s name while emailing with a manager to discuss their promotion. But when those conversations touch on medical topics they’re covered by HIPAA, and email policies need to be in place to govern those conversations.

Creating HIPAA Email Policies

Any information about an employee's health or medical history should be restricted on a need-to-know basis. In most cases, HR email policies should prohibit putting personally identifiable information such as Social Security numbers, or medical details such as a diagnosis or medication list, in the body of an email, and medical records should not be attached or forwarded outside the department.

When information does need to be shared over email, only the minimum necessary should be shared. For example, a supervisor may need to know that a worker has been injured, but generally won’t (and shouldn’t) be told the details of the injury or diagnosis.
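One way to turn the two rules above (nothing sensitive in the body, no records leaving the department) into a pre-send check is shown below. This is an added illustration, not code from Virtru or from the original article. The Email type, the HRDept mailbox list, the keyword list and the record file-name markers are all assumptions made for the example; a real deployment would tune them to its own mail system and vocabulary.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Email is a constructed stand-in for an outbound message. The field names
// are this example's own, not taken from any mail system or from Virtru.
type Email struct {
	From        string
	To          string
	Body        string
	Attachments []string
}

// Finding records one policy violation found in a message.
type Finding struct {
	Rule   string // which rule fired
	Detail string // the offending text or file name
}

// HRDept lists the mailboxes that count as "inside the department" for the
// attachment rule. Assumed addresses for illustration.
var HRDept = map[string]bool{
	"hr@example.com":       true,
	"benefits@example.com": true,
}

// ssnPattern matches the 3-2-4 layout of a US Social Security number with
// dash or space separators; isValidSSN then rejects layouts the SSA does
// not issue, which keeps ticket and invoice numbers from tripping the rule.
var ssnPattern = regexp.MustCompile(`\b(\d{3})[- ](\d{2})[- ](\d{4})\b`)

func isValidSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// medicalTerms is a deliberately small, assumed keyword list for diagnosis
// and medication details ("diagnos" catches both "diagnosis" and "diagnosed").
var medicalTerms = []string{"diagnos", "prescription", "medication", "icd-10"}

// recordMarkers are file-name fragments treated as medical records here;
// again an assumption for the example.
var recordMarkers = []string{"medical", "record", "fmla", "claim"}

// CheckEmail applies the three rules from the policy text: no SSNs in the
// body, no diagnosis or medication details in the body, and no medical
// record attachments sent to a mailbox outside the HR department.
func CheckEmail(e Email) []Finding {
	var findings []Finding

	for _, m := range ssnPattern.FindAllStringSubmatch(e.Body, -1) {
		if isValidSSN(m[1], m[2], m[3]) {
			findings = append(findings, Finding{"ssn-in-body", m[0]})
		}
	}

	body := strings.ToLower(e.Body)
	for _, term := range medicalTerms {
		if strings.Contains(body, term) {
			findings = append(findings, Finding{"medical-detail-in-body", term})
		}
	}

	if !HRDept[strings.ToLower(e.To)] {
		for _, name := range e.Attachments {
			lower := strings.ToLower(name)
			for _, marker := range recordMarkers {
				if strings.Contains(lower, marker) {
					findings = append(findings, Finding{"record-leaves-department", name})
					break // one finding per attachment is enough
				}
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample messages, not real employee data.
	messages := []Email{
		{From: "hr@example.com", To: "manager@example.com",
			Body: "Jane is out on leave after an injury and returns on 10/3."},
		{From: "hr@example.com", To: "manager@example.com",
			Body:        "Jane (SSN 123-45-6789) was diagnosed with a back injury; medication list attached.",
			Attachments: []string{"jane-medical-record.pdf"}},
	}
	for i, m := range messages {
		findings := CheckEmail(m)
		if len(findings) == 0 {
			fmt.Printf("message %d: ok to send\n", i+1)
			continue
		}
		fmt.Printf("message %d: blocked\n", i+1)
		for _, f := range findings {
			fmt.Printf("  %-26s %s\n", f.Rule, f.Detail)
		}
	}
}
```

The first sample message passes: it tells the manager only that Jane is out and when she returns, which is the minimum necessary. The second is blocked on all three rules. Keyword matching like this is a coarse control; it catches the obvious cases described in the policy, not every way medical detail can be phrased.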

Anyone who receives PHI is within the scope of HIPAA, and your email compliance policies apply to them too. Train members of other departments accordingly, and sign a HIPAA Business Associate Agreement with any vendor or other outside party that handles PHI on your behalf.

HIPAA and Email Encryption

When data is sent across the Internet, it passes through systems you don't control. Encryption should be used to protect any electronic data that falls under the scope of HIPAA, and email encryption is particularly important: a message is copied onto every mail server between sender and recipient. Transport encryption (TLS) between those servers protects only each hop, so the message still sits in the clear on each relay and in each mailbox, which is why encrypting the message itself matters for PHI.

When you encrypt an email, its contents are scrambled using a secret value called the key. Only those who hold the key can decrypt and read the data. Your recipient, who has the key, reads the email and downloads attachments as they normally would, but a third party who intercepts it in transit or reads it off a server sees only what looks like random bytes. Modern authenticated encryption also detects any alteration of the message, so a tampered email fails to decrypt rather than silently yielding a changed text.
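The behaviour described above, as an added example that is not part of the original article or Virtru's own code: the message body is sealed with AES-256-GCM under a shared key, the recipient with the key recovers it, and an interceptor with the wrong key, or anyone who rewrites the header, gets an error rather than readable text. The example assumes the key has already been shared between sender and recipient out of band (that exchange is what a secure email service handles and is outside this snippet); the sample header and body are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Delivering the key to the
// recipient is assumed to happen out of band and is not shown here.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals the message body with AES-256-GCM. The output is
// nonce || ciphertext || authentication tag. The header (From/To/Subject
// lines, which must stay readable for delivery) is bound as additional
// authenticated data: it travels in the clear but cannot be altered
// without breaking decryption.
func Encrypt(key, header, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(body)+gcm.Overhead())
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, body, header), nil
}

// Decrypt reverses Encrypt. It fails, rather than returning garbage, when
// the key is wrong or when the header or the sealed bytes were modified.
func Decrypt(key, header, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message, not real employee data.
	header := []byte("From: hr@example.com\r\nTo: benefits@example.com\r\nSubject: Leave request")
	body := []byte("Jane's FMLA paperwork is attached; details are on a need-to-know basis.")

	sealed, err := Encrypt(key, header, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %x...\n", sealed[:16])

	// The intended recipient holds the key and recovers the body.
	plain, err := Decrypt(key, header, sealed)
	fmt.Printf("recipient:   %q (err=%v)\n", plain, err)

	// An interceptor without the key gets an error, not a near-miss plaintext.
	wrongKey, _ := NewKey()
	_, err = Decrypt(wrongKey, header, sealed)
	fmt.Printf("interceptor: err=%v\n", err)

	// Rewriting the header (say, the To line) is caught as well.
	_, err = Decrypt(key, []byte("From: hr@example.com\r\nTo: attacker@example.net"), sealed)
	fmt.Printf("tampered:    err=%v\n", err)
}
```

Two practical notes on the design: the nonce is random and prepended to each message, so the same key can protect many messages, but GCM's 96-bit random nonce should not be reused for more than a few billion messages per key; and binding the header as additional data is what stops a relay from quietly redirecting a sealed message to a new recipient.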

Unfortunately, most email encryption providers require both the sender and the receiver to use the same software. This makes it hard to send encrypted messages, since you first have to convince your recipient to install, configure and learn the encryption tool. The best secure email service for HR HIPAA compliance should be both secure and easy to use, and shouldn't require the recipient to install anything.

HIPAA and Email Resources

HIPAA compliance requires a combination of good policies, good technology and good training. Here are some resources to help you get up to speed on HIPAA and email compliance:

Secure Client Portals: An Idea Whose Time Has Come (and Gone!)
3 Email Security Tips for HIPAA Compliance
HIPAA Compliance Checklist for the Cloud Era
Is it a HIPAA Breach Notification or a Close Call?
Enforcing HIPAA Email Rules Just Got Easier