At the start of the Phase 2 HIPAA audits, the HHS Office for Civil Rights (OCR) launched a major string of enforcement actions. In addition to imposing the largest HIPAA settlement to date ($5.55 million), it levied its first penalty against a business associate: a $650,000 settlement for a breach that affected just 412 patients. The message is clear: OCR is increasing scrutiny (and penalties) across the board, and everyone who handles health data needs to keep their electronic files and messages secure. Here’s what you need to know about HIPAA, email compliance and the importance of using a HIPAA compliant email service.
Business Associates and the HIPAA Privacy Rule
Organizations that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of a covered entity (a health care provider, health plan or clearinghouse) are business associates under the HIPAA Privacy Rule. This includes businesses that provide “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services” involving PHI. If you’re a non-medical organization but process, store or otherwise work with identifying data (e.g. name, birthdate, credit card number) connected with health care services, you’re probably a business associate.
Since the 2013 HIPAA Omnibus Rule, business associates are directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule, and face the same noncompliance penalties as covered entities. You should already have signed a Business Associate Agreement (BAA) with any client whose data you handle; the BAA governs your obligations under HIPAA. But even more importantly, you need to have controls and procedures in place to protect PHI from accidental disclosure, because a signed agreement does nothing on its own to stop a breach.
HIPAA and Email Encryption
HIPAA goes to great lengths to keep its requirements technology-neutral. Encryption of ePHI is an “addressable” implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) for encryption and decryption of stored data, and 164.312(e)(2)(ii) for data in transit). Addressable does not mean optional: an organization must implement the specification “if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard to protect the confidentiality, integrity and availability” of electronic Protected Health Information (ePHI). Otherwise it must document why encryption is not reasonable and appropriate and implement an “equivalent alternative measure” (45 CFR 164.306(d)(3)).
In practice, few risk assessments will conclude that anything other than encryption is reasonable and appropriate for ePHI, and email encryption is particularly crucial. Any time you send an unencrypted email to a client or coworker, there is a risk that it could be read by a third party, whether in transit or in any mailbox or backup it lands in. Opportunistic TLS between mail servers is not guaranteed end to end and does nothing once the message is stored. Encryption also matters after an incident: under the Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not “unsecured PHI”, so losing an encrypted message does not by itself trigger breach notification. Secure portals offer encryption, but adoption is very low. Even organizations that use them tend to do most of their communication by email, leaving a lot of data unprotected.
Virtru offers a HIPAA compliant email service that makes it easy to send confidential data by email without the risk of third-party interception. It works with your existing email account, giving you the power to encrypt messages and attachments with a single click.
It also lets you communicate securely with anyone. Recipients with Virtru can read a message just by clicking it in their inbox. Recipients without it can click through to our Secure Reader, which lets them send their own encrypted replies and attachments. That means you won’t have to choose between HIPAA compliance and getting the message through just because a partner or client uses a different portal.
Don’t Be Anyone’s HIPAA Enforcement Example
Right now, HIPAA enforcement actions are relatively rare, but their frequency and the size of the penalties are growing. Protecting your organization with a HIPAA compliant email service can reduce the risk of damaging breaches and costly fines.
Learn more about HIPAA and email security with our free guide to HIPAA Compliance in the Cloud.