HIPAA Compliant Emails

Posted by RPost on September 23rd, 2022

How to Make Your Emails HIPAA-Compliant

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is the gold standard for protecting sensitive patient data, and any business dealing with protected health information (PHI) must ensure that the required security measures are implemented and followed. This includes all communications involving electronic protected health information (ePHI), which makes HIPAA compliance for email an imperative.

Of course, this isn’t just an abstract directive. HIPAA violations have skyrocketed over the years. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reported an average of 59 data breaches each month in 2021, with healthcare data breaches numbering up to 712 between January 1 and December 31. The penalties have also been substantial, with the OCR reportedly receiving 7,150 in settlements in 2021.

For any healthcare organization dealing with ePHI, the ability to secure and track communications is crucial. But there is a lot of confusion when it comes to complying with HIPAA guidelines. Let’s dig deeper into the situations that demand HIPAA compliance.

When Should You Comply with HIPAA?

Healthcare organizations share a lot of confidential medical information via email, both in message bodies and as attachments. HIPAA mandates the protection of such ePHI both at rest and in transit. Here are some of the situations where this applies.

  • Every time your email travels from one network to another, i.e., every time it’s in transit.
  • While sitting on your or your recipients’ servers and local workstations/devices, i.e., every time it’s at rest.
  • If the ePHI is within the body text or as part of an attachment.
  • Emails sent to your own secure server with remote access from your work laptop.
  • Emails sent from your personal email account on your home computer to your work email on your own secure server.
  • Mass mailings containing ePHI, for example as part of a campaign.
  • Replying to an unencrypted email.
  • Therapists replying to a patient.

These are only a few scenarios from a long list of situations in which HIPAA email compliance applies to healthcare organizations. Many organizations now use cloud-based servers to digitize their processes and share a lot of information, including ePHI, over the cloud. While sharing information over the cloud is definitely much faster and simpler, steps must be taken to protect the confidential information.

If you must use an online email service, ensure you sign a Business Associate Agreement (BAA) with the provider. A BAA is a written arrangement that specifies each party’s responsibilities when it comes to PHI. Two of the most popular email service providers, Microsoft and Google, have BAAs in place. However, the BAA typically only covers the servers; you as an organization are responsible for protecting the rest of the email chain.

What Makes Your Email HIPAA Compliant?

The obvious answer is email encryption. However, as technologies advance and threats grow ever more sophisticated, encrypting email for privacy compliance is not getting simpler. Email and cyber security jargon like transport layer security (TLS) is thrown around like a catchphrase. But, “Not all TLS is created equal. Not all email one thinks is going by TLS, in fact is transmitted securely,” says Steve Anderson, an insurance technology expert. The devil is in the details.

Transport Layer Security (TLS) is a cryptographic protocol that encrypts data in transit between two communicating applications over the Internet. It is most familiar from the connection between your web browser and a web server, where it is simple for the browser to flag “insecure” connections with pop-up warnings or refuse to display a page.

But email brings some particular challenges. For instance, when you log in to Gmail via Chrome or any other browser, the connection from your device to Google’s email server is generally secure. But what happens to the email after you hit the send button, when it leaves Google’s Gmail server on its way to the recipient?

This is where “opportunistic encryption” may or may not be used by some email providers. In simple terms, the sending provider first tries to deliver the email over a TLS-protected SMTP connection if the “opportunity” presents itself. If the message can’t be sent securely, it falls back to less secure or insecure transmission, automatically and invisibly.

The Gmail transparency report says 88 to 91% of inbound and outbound email to and from Gmail is sent using TLS. This means that, typically, more than 10% is sent and received without any security. The scenario isn’t much different with Office 365 hosted email. And it gets worse: none of these transparency reports distinguish between the many kinds of TLS connection, which may or may not be secure. There are versions with varying security: TLS 1.0, TLS 1.1, TLS 1.2, and now TLS 1.3, with TLS 1.0 typically accounting for 15% of transmissions.

To put this in simple numbers, consider an organization sending out 500 emails daily. It is quite possible that about 50 randomly selected messages (and their attachments) would be transmitted without any encryption, while about 75 other randomly selected messages would be sent with insecure TLS (such as 1.0). This poses a severe risk of falling out of compliance and being subject to litigation and fines.
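The hop-by-hop fallback described above leaves a trail: every relay that handles a message prepends a Received: header recording whether that hop used TLS and, for MTAs configured to log it, which version. The following Python script is an added example, not RPost's or RMail's code, that reads that trail from an inbound message and flags hops that were cleartext or used TLS 1.0/1.1. The sample message, hostnames, addresses and message IDs are constructed for the example; the header layouts follow the Postfix and Exim formats.

```python
"""Audit an e-mail's Received: trace to see how each SMTP hop was transmitted.

Every relay that handles a message prepends its own Received: header.  Postfix,
Exim and Gmail record the protocol keyword ("ESMTP" vs "ESMTPS") and, when so
configured, the negotiated TLS version.  Reading that trail on inbound mail
shows whether a message crossed any hop in cleartext or over TLS 1.0/1.1.
"""
import email
import re

# "WITH" protocol keywords (RFC 3848 and later registrations) that imply TLS.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}
# Versions the article calls out as insecure.
WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}

RE_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
RE_BY = re.compile(r"\bby\s+(\S+)", re.I)
RE_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
# Matches "TLSv1.2" (Postfix), "TLS1.0" (Exim), "TLS1_3" (Gmail).  Cipher names
# such as TLS_AES_256_GCM_SHA384 do not match because a digit must follow "TLS".
RE_TLS_VERSION = re.compile(r"\b(TLSv?1(?:[._]\d)?)\b", re.I)


def _normalize_version(token: str) -> str:
    """Canonicalise 'TLS1_3', 'tlsv1.2', 'TLSv1' -> 'TLSv1.3', 'TLSv1.2', 'TLSv1.0'."""
    v = token.upper().replace("TLSV", "").replace("TLS", "").replace("_", ".")
    if "." not in v:
        v += ".0"
    return "TLSv" + v


def classify_hop(received: str) -> dict:
    """Parse one Received: header value into a hop record with a TLS verdict."""
    text = " ".join(received.split())  # unfold continuation lines
    m_from, m_by, m_with = RE_FROM.search(text), RE_BY.search(text), RE_WITH.search(text)
    m_ver = RE_TLS_VERSION.search(text)
    protocol = m_with.group(1).upper() if m_with else ""
    version = _normalize_version(m_ver.group(1)) if m_ver else None
    if version in WEAK_TLS_VERSIONS:
        status = "weak-tls"
    elif version is not None or protocol in TLS_WITH_KEYWORDS:
        status = "tls"
    else:
        status = "cleartext"
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "protocol": protocol,
        "tls_version": version,
        "status": status,
    }


def audit_message(raw: bytes) -> list:
    """Return one hop record per Received: header, oldest hop first."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received", [])
    # Each relay prepends its header, so the newest hop is on top; reverse it.
    return [classify_hop(h) for h in reversed(received)]


def summarize(hops) -> dict:
    """Count hops per verdict so a mailbox-wide audit can be tallied."""
    counts = {"tls": 0, "weak-tls": 0, "cleartext": 0}
    for hop in hops:
        counts[hop["status"]] += 1
    return counts


# Constructed sample: three hops from a partner lab into a clinic's mail system.
# All hosts, addresses and IDs are made up for this example.
SAMPLE_MESSAGE = b"""\
Received: from relay.clinic-mail.example (relay.clinic-mail.example [192.0.2.25])
\tby mx.clinic-mail.example (Postfix) with ESMTPS id 7F3A1C2
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
\tfor <records@clinic-mail.example>; Fri, 23 Sep 2022 10:00:03 +0000
Received: from smtp.partner-lab.example ([198.51.100.7])
\tby relay.clinic-mail.example (Postfix) with ESMTP id 2B9C4D1
\tfor <records@clinic-mail.example>; Fri, 23 Sep 2022 10:00:02 +0000
Received: from workstation-12.partner-lab.example ([203.0.113.40])
\tby smtp.partner-lab.example with esmtps (TLS1.0) tls TLS_RSA_WITH_AES_128_CBC_SHA
\t(Exim 4.94) id 1oRqZ3-0004Xy-2T; Fri, 23 Sep 2022 10:00:01 +0000
From: lab@partner-lab.example
To: records@clinic-mail.example
Subject: Lab results for patient 0042

Results attached.
"""

if __name__ == "__main__":
    hops = audit_message(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol'] or '?'} "
              f"({hop['tls_version'] or 'no TLS recorded'}): {hop['status']}")
    print("summary:", summarize(hops))
```

Only the headers written by your own servers can be trusted, since upstream relays write theirs and a sender can forge them; Postfix adds the `(version=... cipher=...)` clause only when `smtpd_tls_received_header = yes` is set. Run over a mail archive, the same classification measures how much inbound ePHI actually arrived over modern TLS at your boundary, rather than relying on a provider-wide transparency figure.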

This is a big problem when sharing sensitive information such as ePHI. This is where RMail, the award-winning email security solution from RPost, can help with its auto-fallback capability. Its technology is well positioned to satisfy HIPAA rules and technical safeguard provisions regarding the preservation and secure transmission of ePHI. RMail sends messages using its end-to-end encryption service and doesn’t store ePHI on the company’s central server.

For more information: https://rmail.com/learn/hipaa-compliant-emails
