What are HIPAA email encryption requirements?


HIPAA email encryption requirements can be confusing because the regulation gives little explicit instruction and leaves the rules open to interpretation. As a result, some question whether email encryption is truly a HIPAA requirement.

For example, the Security Rule labels the encryption requirements for Protected Health Information (PHI) as “addressable”. The HIPAA transmission security standard states that covered entities should encrypt PHI “whenever deemed appropriate”.

What are HIPAA email encryption requirements?

HIPAA encryption requirements are classified under two main terms, “required” and “addressable”.

Safeguards labeled “required” must be put in place; otherwise it is considered a failure to comply with HIPAA. Safeguards labeled “addressable” only have to be implemented after a risk assessment has determined that encryption is needed to manage risks to PHI.

You must document the reasoning behind that decision. In addition, if your organization determines that encryption is not appropriate, you must implement an equivalent alternative safeguard for PHI.

Since there is no appropriate alternative to encryption for protecting PHI in practice, it is effectively required. Not using encryption puts your patients’ information and your organization at risk.

Understanding HIPAA email encryption

The Department of Health and Human Services (HHS) wants to allow organizations to select the best solution for their individual needs.

HHS recognizes that it cannot mandate specific security technologies for covered entities, because the requirements would constantly need updating to stay current.

This does not mean that encryption can be overlooked, only that an organization must document why it has not been implemented. In addition, an alternative method must be used, and its details made available to the Office for Civil Rights (OCR) in the event of an audit.

HIPAA email security and encryption requirements

HIPAA encryption requirements apply to every part of an organization’s IT system, including cloud servers and smartphones.

The increased use of mobile devices in the work environment makes it more complicated to comply with the encryption requirements, so safeguarding PHI both at rest and in transit is a challenge.

Third-party providers like Paubox can provide end-to-end encryption to ensure that your emails are protected even in transit.


About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.
