Paubox blog: HIPAA compliant email made easy

What HIPAA says about email encryption

Written by Farah Amod | April 16, 2024

According to the HHS, "If information is encrypted, there would be a low probability that anyone other than the receiving party who has the key to the code or access to another confidential process would be able to decrypt (translate) the text and convert it into plain, comprehensible text."

Healthcare organizations are responsible for safeguarding protected health information (PHI), including medical records, test results, and insurance information. With cybercriminals targeting this valuable data, healthcare organizations must implement security measures to protect patient privacy and comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA).


What does HIPAA say about encryption and ePHI?

HIPAA guidelines mandate that emails containing ePHI sent outside an organization's internal network should be secure, which is best handled by encryption. Encryption ensures that the contents of the email remain inaccessible if intercepted. 

While HIPAA does not explicitly require encryption (the Security Rule lists it as an "addressable" implementation specification rather than a "required" one), it is strongly advised, especially when sending emails to external servers. If encryption is not used, alternative security measures must be in place to secure data at rest and in transit, and the decision must be documented.

Entities are responsible for assessing the appropriateness of encryption based on a risk analysis. This analysis evaluates threats to data availability, integrity, and confidentiality. Based on the findings, entities must develop a risk management plan that addresses identified risks with encryption or a comparable alternative. The choice of encryption method should be documented, along with the reasoning behind it.

However, according to the study titled "Email security in clinical practice: ensuring patient confidentiality," "emailing or faxing unencrypted patient health information is really no more secure than sending that information on a postcard," and "those physicians who wish to send personal health information by email should use an encrypted or otherwise secure system."



Ensuring compliance with encryption services

While Google Workspace and Microsoft 365 are popular email providers, their built-in encryption services have limitations. 

Google Workspace's email service is HIPAA compliant only when used with a business domain and configured for end-to-end encryption. Microsoft's Office 365 Enterprise plans support HIPAA compliance, but other versions, like the Office 365 for Business plan, do not. Organizations using these providers should carefully configure and use the services correctly to ensure compliance.

  • Business associate agreement (BAA): Before using an encryption provider's service to send any emails containing PHI, ensure the provider signs a BAA. This agreement outlines the responsibilities of both parties in maintaining the confidentiality of patients' PHI.
  • Written consent: Obtain written consent from patients before sending any PHI via email, even if using a HIPAA compliant email provider. Patients need to be informed about the associated risks and explicitly agree to accept those risks before PHI is sent via email.
  • Secure email archiving: Store all emails containing PHI in a secure archive, including documentation related to the use of encryption. The retention period for this information is typically six years, but it's necessary to check state laws for specific requirements regarding email archiving for HIPAA compliance.


Why do you need to encrypt your emails?

The Email security in clinical practice study also mentions, "There are three loci at which someone could intercept and potentially read the clinic notes: the sender's computer; any of the mail servers that relayed the email; and the recipient's computer. Even if one demands that the sender and the recipient be responsible for securing access to their computers, copies of the email are generated at each of the servers; confidentiality could be breached at any one of them."

Therefore, as a healthcare organization, there are several reasons why emails should be encrypted:

  • Secure patients' PHI: Protecting sensitive patient information, such as electronic PHI, is a priority for healthcare organizations. Secure sharing and collaboration on this information are necessary to provide patients with the treatment needed. Encryption helps prevent unauthorized access to PHI, reducing the risk of data breaches and business email compromise (BEC) attacks.
  • Protect reputation: Data breaches can have severe consequences, including damage to an organization's reputation. When patients entrust their personal data to a healthcare organization, they expect it to be kept safe and secure. Failure to do so can lead to losing trust and patients seeking alternative providers.
  • Save costs: Implementing an encryption solution enables secure and efficient digital document delivery, reducing the need for printing physical copies. This can result in significant savings on printing expenses, which can add up over time.
  • Achieve compliance: Healthcare organizations must comply with data protection regulations, such as HIPAA. Encryption helps organizations demonstrate their commitment to securing PHI and meeting regulatory requirements.

Read also: What are Business Email Compromise attacks?


What features should you look for in an encryption solution?

Choosing the right encryption solution for your healthcare organization can be challenging, given the variety of options available. Here are some features to consider when evaluating encryption solutions:

  • Security: Encryption should be used to ensure that only the intended recipient can decrypt the data.
  • Ease of deployment, integration, and scalability: Choose a solution that is easy to deploy and integrate with existing user management tools and security systems. 
  • Ease of use for end users: Select an encryption solution that is user-friendly for both senders and recipients. Ideally, encryption should be done by default on the sender's side and not require multiple steps for the recipient to receive it.
  • Auditing and reporting capabilities: Look for an encryption solution that provides auditing and reporting capabilities.


Our recommendation: Paubox

Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. You don't have to decide which emails to encrypt, and your patients can conveniently receive your messages right in their inbox—no additional passwords or portals are necessary. 

It's a seamless and stress-free experience. Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox allows users to write and send emails as normal from a laptop, desktop, and mobile device. Recipients can view messages and attachments without entering extra passwords, downloading an app, or logging in to a portal. 

This reduces the risk of accidentally sending PHI over email. It can be easy to forget to press an encrypt button or type a keyword before sending an email. Sometimes, a user may not realize that certain information is also PHI.

Learn more: HIPAA Compliant Email: The Definitive Guide 


FAQs

Does HIPAA apply to email?

Yes, HIPAA regulations require covered entities to protect electronic PHI in transit, at rest, and in storage. Implementing email encryption is a necessary step in achieving HIPAA compliance.


Do I need consent to send encrypted emails containing PHI?

Yes, written consent from patients is generally necessary before sending PHI via email, even if using a HIPAA compliant email provider. Patients need to be informed about the associated risks and explicitly agree to accept those risks. However, there are exceptions for treatment, payment, and healthcare operations emails. 


What can I use to encrypt emails and ensure HIPAA compliance?

To ensure HIPAA compliance when encrypting emails, you can use Paubox. Paubox offers a HIPAA compliant email encryption solution that secures the transmission of sensitive information in emails, ensuring they meet HIPAA regulations.