Email Security for HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for protecting sensitive electronic Protected Health Information (ePHI). All healthcare organizations (also known as covered entities) and their business associates must comply with HIPAA.
The HIPAA Privacy Rule allows healthcare providers to communicate with patients via email, provided they apply reasonable security safeguards while doing so. Basically, the U.S. Department of Health & Human Services (HHS) that administers HIPAA says that ePHI can be sent via email, as long as it is done securely.
And herein lies the rub.
Securing emails containing ePHI can be tricky because the sender must implement several security measures to ensure HIPAA compliance. Moreover, HIPAA compliance does not necessarily equal email security, which also causes some confusion.
HIPAA Security Rule and Email Security
The HIPAA Security Rule specifies many requirements that must be satisfied before email communications can be considered HIPAA-compliant. For example, covered entities must implement access controls, audit controls, and integrity controls to monitor how PHI is communicated via email, ensure full message accountability, and protect PHI from unauthorized access during transit.
Transmission security is an important factor when it comes to which email systems healthcare professionals can use. In general, free email services are not secure for the transmission of ePHI via email. However, senders can still use such services after obtaining a Business Associate Agreement (BAA). The BAA outlines the responsibilities of the email service provider and the safeguards they have implemented to ensure the confidentiality, integrity, and availability of ePHI. But even with a BAA, the sender is still responsible for protecting any ePHI they may send via email. If a business associate is a sender, then according to HIPAA Omnibus Rule, the covered entity is responsible for ensuring that the latter protects ePHI. If a HIPAA violation is found, both parties will be fined.
Once the email reaches the recipient, the sender’s obligation ends and the recipient becomes responsible for securing any PHI in their email inbox.
Using Encryption to Secure Email and Protect ePHI
In the HIPAA Security Rule, encryption is considered an “addressable” standard for data at rest and HIPAA compliance for email, so strictly speaking encryption is not “required”. However, encryption is one of the strongest ways to protect ePHI in an email, so covered entities must definitely consider it to ensure that even if an unauthorized party can intercept a message, they won’t be able to read it. They can thus prevent impermissible ePHI disclosure to protect their patients’ information and their own organizations.
Why HIPAA-compliant Organizations Struggle With Email Security
Every healthcare organization strives to achieve HIPAA compliance. However, HIPAA compliance does not equal email security.
An insecure email may lead to a breach of ePHI. This ePHI is extremely valuable on the dark web, with a single healthcare record selling for as much as $250 – $1000 each. Such violations come with hefty financial punishments, ranging from $100 – $50,000 for violations that “could not have been avoided with reasonable care”, to $50,000 – $1,500,000 ($1.5 million) for violations resulting from uncorrected willful neglect of HIPAA guidelines.
The cyber threat landscape is constantly expanding, and healthcare organizations are particularly vulnerable to threats such as malware, ransomware, phishing, and DDoS attacks. In fact, at $7.13 million per incident, healthcare organizations incur the highest average security breach cost of any industry. Human error is another common threat in healthcare, accounting for almost 30% of healthcare breaches in 2020.
All these threats – both internal and external – undermine data security and jeopardize ePHI, regardless of the best efforts of providers to remain HIPAA compliant. One reason is that HIPAA does not specify how providers should secure PHI in email. Nonetheless, providers can strengthen their email security posture by leveraging the guidance of industry-standard frameworks like HITRUST CSF, ISO, and SOC2, and by following the strategies outlined below.
How To Improve Email Security For HIPAA Compliance
In 2020, 505 HIPAA breaches were reported to the HHS, up from 418 in 2019. Of these, 37% occurred via email – the #1 threat vector during the year. To prevent ePHI from being compromised via email, providers can take several precautions.
One, encrypt all emails. Encryption is one of the strongest and most reliable ways to protect ePHI and prevent it from being stolen by malicious actors.
Another strategy is to use secure messaging apps and a HITRUST CSF-certified email security provider. A HITRUST CSF certification is the gold standard for HIPAA-compliant email vendors, indicating that they have the systems in place to safeguard sensitive PHI in email. Messaging apps leverage the speed and convenience of a mobile device. They also fulfill the security requirements of the HIPAA Security Rule by assigning authorized users with unique login credentials (with two-factor or multi-factor authentication), implementing activity monitoring, and creating audit trails. The email security platforms encrypt all emails containing PHI – both in transit and at rest. Strong administrative controls prevent unauthorized access to PHI, and remotely delete messages from a device if it is lost or stolen.
It’s also vital to implement and maintain strict email security policies, and to train healthcare employees. If employees use devices safely, can recognize and block malicious (phishing) emails, always check the intended recipient of an email containing PHI, and never share credentials with unauthorized parties, they can help protect ePHI in emails.
Finally, healthcare organizations should limit the number of people who can access PHI to reduce the risk of HIPAA violations. They should also establish proper safeguards such as strong endpoint security technology, patch and update all software, and strengthen cloud security to combat breaches and avoid HIPAA fines. Email security is just one aspect of cybersecurity. Healthcare organizations must implement all these strategies to protect PHI, patients, and themselves.
Conclusion
Email security is a vital element of HIPAA compliance. Healthcare organizations and their business associates must implement effective strategies to combat threats to PHI. Failure to do so can not only damage the reputation of the organization, but also endanger their patients’ information, and even their lives.
