
Should business associates use HIPAA compliant email?

In 2023, 37.5% of all HIPAA breaches, whether resolved or still under investigation, involved a business associate. This statistic shows why business associates that handle protected health information (PHI) need to be HIPAA compliant. These organizations routinely store, transmit, and disclose PHI, and each of those activities must be safeguarded.

See also: How to know if you’re a business associate


Why should business associates use HIPAA compliant email systems?

Based on a passage from the HHS website: “Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.” 

The need for compliance comes from the frequent handling, processing, and transmission of PHI by business associates on behalf of covered entities. HIPAA compliant email systems incorporate security measures such as TLS 1.2 or higher, which encrypts email in transit from sending to receipt, and access controls that allow only authorized personnel to view PHI.

They also provide detailed audit trails that log every access to, and action taken on, an email containing PHI, which is necessary for investigating breaches and proving compliance during audits. These systems often also include secure email archiving, so that PHI can be stored safely and retrieved as required by law, and mechanisms for obtaining electronic PHI (ePHI) consent forms.


What are the steps a business associate should take to ensure its email communication remains HIPAA compliant?

  1. Select a secure email solution: Choose a reputable and HIPAA compliant email service provider like Paubox.
  2. Implement encryption: Enable encryption for emails in transit (during transmission) and at rest (when stored).
  3. Establish policies and procedures: Develop and implement internal policies and procedures specific to HIPAA compliant email communication. These should cover how PHI is handled, transmitted, and stored.
  4. Secure patient information: When sending emails containing PHI, encrypt both the message content and any attachments.
  5. Use strong authentication: Implement strong user authentication methods, such as multi-factor authentication (MFA).
  6. Monitor email communication: Employ audit controls and monitoring systems to track email communication containing PHI.
  7. Dispose of PHI securely: When PHI is no longer needed, ensure secure disposal, both in emails and backups. Follow appropriate data retention and destruction policies.

See also: HIPAA compliance for email in 3 easy steps


Email encryption techniques

Here are five methods for encrypting email:

  1. Transport Layer Security (TLS): When an email is sent over a TLS connection, the data is encrypted in transit, preventing unauthorized access. Note, however, that only TLS versions 1.2 and 1.3 are considered secure. Additionally, if the recipient's mail server doesn't support TLS via STARTTLS, the email may be sent unencrypted - Paubox solves this problem by defaulting to a secure message center.
  2. Pretty Good Privacy (PGP): PGP employs public key cryptography to encrypt email messages and attachments. The sender uses the recipient's public key to encrypt the email, which can only be decrypted with the recipient's private key. While this method theoretically ensures security, PGP has faced criticism for security vulnerabilities, including the EFAIL vulnerability discovered in 2018. PGP also requires users to manage their own public and private keys, making it complex for non-technical users. Integration with email clients often necessitates additional software and plugins, limiting its adoption due to usability issues.
  3. Secure/Multipurpose Internet Mail Extensions (S/MIME): S/MIME is a standard for public key encryption and signing of email MIME data, including attachments. Both the sender and recipient must possess a digital certificate for encryption and signing. Like PGP, S/MIME has faced security vulnerabilities, including EFAIL, without clear evidence of patches. Its complexity and difficulty in setup and use, particularly in larger organizations, hinder widespread adoption.
  4. Portals: Portals redirect email recipients to a web page for viewing encrypted messages. However, this approach introduces friction and a poor user experience, especially on smartphones where the majority of emails are now accessed. Additionally, portals pose challenges for backups and eDiscovery, as emails may be stored remotely and in an unreadable format.
  5. Apps: In response to low portal adoption, email security vendors developed smartphone apps for email encryption. While these apps aim to enhance security, they suffer from user friction and a suboptimal user experience, particularly for desktop users. Data accessibility and eDiscovery challenges persist, similar to the portal approach.
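As an added example (not Paubox's or the page's own code), the following Python enforces the point made in step 2 above and in the TLS item: it checks the receiving server's EHLO response for STARTTLS and refuses to send rather than falling back to cleartext, and it pins the session to TLS 1.2 or newer. The relay host and the EHLO replies are constructed placeholders.

```python
# Added example, not Paubox's code: enforce STARTTLS and TLS 1.2+ for outbound
# mail instead of silently falling back to cleartext when the receiving server
# does not offer STARTTLS. The relay host is a placeholder; the EHLO responses
# below are constructed for illustration.
import smtplib
import ssl
from email.message import EmailMessage

# Constructed EHLO replies: smtplib hands back the extension list as bytes, with
# the server's greeting on the first line and one ESMTP keyword per line after it.
EHLO_WITH_STARTTLS = b"mx.example.test\nSIZE 52428800\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mx.example.test\nSIZE 52428800\n8BITMIME"


def strict_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname and
    refuses to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def advertises_starttls(ehlo_response: bytes) -> bool:
    """Return True if the EHLO extension list contains the STARTTLS keyword."""
    lines = ehlo_response.decode("ascii", errors="replace").splitlines()
    keywords = (line.split()[0].upper() for line in lines[1:] if line.strip())
    return "STARTTLS" in keywords


def send_phi_email(msg: EmailMessage, relay: str, port: int = 587) -> str:
    """Send msg only over an enforced TLS session and return the negotiated
    protocol version (e.g. 'TLSv1.3'). Raises instead of downgrading."""
    with smtplib.SMTP(relay, port, timeout=15) as smtp:
        code, ehlo = smtp.ehlo()
        if code != 250 or not advertises_starttls(ehlo):
            raise RuntimeError(f"{relay} offers no STARTTLS; not sending PHI in the clear")
        smtp.starttls(context=strict_tls_context())  # fails on bad cert or TLS < 1.2
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS handshake
        negotiated = smtp.sock.version()
        smtp.send_message(msg)
    return negotiated


if __name__ == "__main__":
    print(advertises_starttls(EHLO_WITH_STARTTLS), advertises_starttls(EHLO_WITHOUT_STARTTLS))
    message = EmailMessage()
    message["From"] = "billing@associate.example"
    message["To"] = "records@clinic.example"
    message["Subject"] = "Claim status"
    message.set_content("Placeholder body; real PHI would go here.")
    # send_phi_email(message, "smtp-relay.example")  # placeholder relay host
```

Pair this with the secure-disposal and audit steps above; enforced TLS only covers the hop to the relay, so a downgrade-free send is still not a substitute for the provider-side safeguards described on the page.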

FAQs

What is a business associate?

A business associate is an individual or entity that performs certain functions or activities on behalf of healthcare organizations.


What is a covered entity?

A health plan, a healthcare clearinghouse, or a healthcare provider.


Who recommended the email encryption standards healthcare organizations need to follow?

The National Institute of Standards and Technology (NIST).
