Healthcare organizations must understand and follow the HIPAA Act to ensure the safety of patients' protected health information (PHI). No matter what form it takes. And one of the most common ways healthcare practitioners share PHI is through email.
Unfortunately, email is one of the most vulnerable threat vectors for data breaches. While email is convenient, healthcare organizations must guarantee that they take proper precautions and enable HIPAA compliant email. This can be done by following HIPAA's guidelines, like the Security Rule.
So, what does the HIPAA Security Rule say about email? How can healthcare practitioners keep their patients' PHI secure in an email?
The HIPAA Security Rule: A recap
The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect the privacy of patients and their information. Most referenced is Title II, as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form. Within Title II is the Security Rule, which establishes requirements for protecting ePHI, including in email. The Security Rule puts the Privacy Rule into practice by addressing the how of use and disclosure.
The Security Rule requires covered entities and business associates to implement layers of administrative, physical, and technical safeguards. Administrative safeguards focus on policies and procedures, physical safeguards on physical facilities, and technical safeguards on cybersecurity.
With the right mix of tools, healthcare organizations can fortify ePHI and stop breaches from occurring. The rule ensures the confidentiality, integrity, and availability of ePHI. But it also allows healthcare organizations to adopt new technologies to improve the quality and efficiency of patient care.
Related: Top 3 ways email gets hacked
How does the Security Rule apply to email communication?
HIPAA does not prohibit sending ePHI in an email; at the same time, it does not provide specific guidelines for email protection. Instead, the act enforces requirements for the security of ePHI in an email through the Security Rule. The rule provides the means to ensure email is HIPAA compliant for practitioners to use in day-to-day communication.
Generally, to comply with HIPAA, healthcare providers must implement the safeguards as laid out in the Security Rule. HIPAA expects covered entities to employ access, audit, integrity, and transmission controls as discussed in the administrative, physical, and technical safeguards. It does so knowing that not all security tools are helpful to all organizations.
The Security Rule includes addressable and required specifications to give covered entities flexibility. For example, email encryption is addressable rather than required (though there is no appropriate alternative, making it effectively mandatory).
In other words, it is up to every healthcare organization to read and understand HIPAA before creating a comprehensive plan. Without one, the chance of a breach or HIPAA violation is high.
Related: How to send HIPAA compliant emails
Why must email be HIPAA compliant?
Patients want healthcare providers to use email communication, but many within the industry are still nervous about it. Email, however, is a convenient and effective method for healthcare organizations to directly engage with their patients. There is no reason for organizations to be concerned if they safeguard themselves with proper HIPAA email protections.
Not using HIPAA compliant email increases an organization's attack surface, allowing accidental and deliberate breaches. And no matter the type of breach, HIPAA violations can occur and become detrimental to an organization. Common violations include:
- Sending an unencrypted email
- Sending an email to the wrong recipient
- Including too much information in an email
- Including PHI without patient consent
- Utilizing weak cybersecurity that allows unauthorized disclosure
- Lacking access controls
- Improperly disposing of PHI and ePHI
Improper protections undoubtedly lead to HIPAA violations, fines, and corrective plans. Healthcare organizations, therefore, must utilize strong email security to ensure HIPAA compliance.
HIPAA compliant email checklist
Email is best when HIPAA compliant, provided healthcare organizations follow the guidelines and implement robust security measures. By adhering to the HIPAA rules, organizations can use email as a compliant means of communication.
Here is a checklist to properly ensure the use of HIPAA compliant email.
- Use a HIPAA compliant email service provider. Get the company to sign a business associate agreement and review their security with them.
- Verify the use of layered, customizable cybersecurity tools. Employ defensive (i.e., perimeter) and offensive strategies to block breaches.
- Maintain up-to-date access controls, e.g., complicated passwords and multifactor authentication.
- Obtain written consent from patients to use and disclose PHI.
- Encrypt and authenticate emails. Remove unencrypted PHI when sending any email.
- Follow the minimum necessary standard rule and only send essential information.
- Create and follow proper disposal procedures for emails in electronic and print form.
- Ensure policies and procedures are up to date and followed by staff.
- Train staff in compliance and cybersecurity so that they can properly send and receive emails.
- Perform regular risk assessments to assess and modify cybersecurity to remain HIPAA compliant.
And as always, stay on top of changes to HIPAA and other state/federal regulations.
Efficiency versus risk
Email is the most efficient way for healthcare professionals to communicate with colleagues and patients. However, it also poses a significant risk to the privacy and security of patients' ePHI. Understanding how to apply the HIPAA Security Rule to email is essential for all healthcare practitioners wanting to utilize the communication method securely.
Kapua Iao
