ResolveData - Actualizing Data to Drive Transformational Healthcare

How to Make Your Email HIPAA Compliant

Healthcare organizations deal with Protected Health Information (PHI) and therefore must ensure that all the necessary security measures are in place and followed.

Healthcare providers hold private information such as a patient's medical history, family medical history, financial information (credit card or bank details) and Social Security number.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standard for protecting sensitive patient data. Every form of communication, storage and transmission of PHI must be HIPAA compliant, and that includes email.

Mail that never leaves the organization's own secured network is often treated as lower risk, but it still carries PHI and is still subject to the Security Rule; what changes is the outcome of the risk assessment, not the obligation. Mail that crosses the network boundary to an external recipient must be protected in transit and at rest, as described below.

Let's take a look at what HIPAA requires and how those requirements apply to email.

HIPAA

HIPAA is a U.S. federal law enacted in 1996. The U.S. Department of Health & Human Services (HHS) issues and enforces the rules made under it, including the Privacy Rule and the Security Rule, which set the standards for protecting a patient's health information from unauthorized access.

HIPAA compliance rules apply largely to two broad categories of organizations:

Covered Entities (CE):

Health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with treatment, payment, or health care operations.

Business Associates (BA):

Entities that provide services to Covered Entities and, in doing so, create, receive, maintain, store or transmit PHI on their behalf.

PHI

PHI stands for "Protected Health Information": individually identifiable health information held or transmitted by a covered entity or business associate, in any form. It includes medical conditions, medications, radiographic images and lab test results whenever they are tied to an identifier such as a name, date of birth, address, Social Security number or medical record number. PHI stored or transmitted electronically, which is what email carries, is referred to as ePHI.

HIPAA compliance

To be HIPAA compliant, one must abide by both the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule requires safeguards for the privacy of health information by setting conditions on its use and disclosure. The Security Rule requires administrative, physical and technical safeguards to protect ePHI.

HIPAA compliant emails

HIPAA compliant emails can be defined as email communications carried out in a secure and protected manner, ensuring that PHI is delivered securely to the recipient’s inbox. Once the email reaches the recipient’s inbox, it becomes the recipient’s obligation to secure any PHI they have in their inbox.

End-to-end encryption for email

Email encryption ensures that the contents of a message cannot be read by any party other than the intended recipient, even if the message is intercepted. For HIPAA purposes that means end-to-end encryption: the message body and attachments are encrypted by the sender and can only be decrypted by the recipient, so they stay encrypted both in transit and wherever they are stored along the way. HIPAA's encryption safeguard also covers copies downloaded onto computers and smartphones, which need to be encrypted at rest.

Encryption on the sender's server alone is not enough. Transport encryption (TLS between mail servers) protects only one hop at a time, and a relay can hand the message to the next server in cleartext if that server does not offer TLS. The message needs to remain encrypted while it sits on and is processed by the recipient's server, which means the recipient must support the same level of encryption as the sender: an end-to-end scheme such as S/MIME or PGP that only the recipient can decrypt, or a secure portal that sends a notification by email and delivers the PHI over an authenticated HTTPS session.

Once the sender hits the "Send" button, the message goes to the sender's mail server, which relays it, possibly through one or more intermediate relays, to the recipient's mail server, which then delivers it to the recipient's inbox. Each server along the path retains a copy, at least in its queue and its logs, so every message passes several points at which its contents are exposed to anyone who controls or compromises a server or the link between two of them. Encryption is therefore an essential safeguard.
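The two questions above (is the message itself encrypted end-to-end, and which hops along the path used TLS) can both be answered from a stored message. The following is an added example written for this article, not code from ResolveData or from any product it describes. It parses a raw RFC 5322 message with Python's standard email library, reports whether the top-level MIME type is an S/MIME or OpenPGP encrypted envelope, and walks the Received headers to flag hops whose SMTP variant was not the TLS one (ESMTPS/ESMTPSA). The two sample messages, hostnames and IP addresses are constructed for the example.

```python
"""Audit a stored email for end-to-end encryption and for cleartext hops.

Added example for this article (not ResolveData or Kogni code).  The sample
messages, hostnames and addresses below are constructed for illustration.
"""
import email
import re

# A Received header looks like: "from A (...) by B (...) with ESMTPS id ...;"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)",
    re.I | re.S,
)
# SMTP "with" tokens that denote a TLS-protected hop (ESMTPS, ESMTPSA, SMTPS, LMTPS ...).
TLS_PROTO_RE = re.compile(r"(?:E|UTF8)?SMTPSA?|LMTPSA?", re.I)


def is_end_to_end_encrypted(msg):
    """True if the message body is an S/MIME enveloped or OpenPGP/MIME encrypted envelope.

    A signed-only S/MIME message (smime-type=signed-data) is NOT encrypted.
    """
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":                      # OpenPGP/MIME, RFC 3156
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):  # S/MIME, RFC 8551
        smime_type = (msg.get_param("smime-type") or "").lower()
        return smime_type in ("enveloped-data", "authenveloped-data")
    return False


def audit_hops(msg):
    """Return [(from_host, by_host, used_tls)] for each Received header, newest first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())                   # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue                                        # unparseable relay stamp; skip
        proto = m.group("with")
        used_tls = bool(TLS_PROTO_RE.fullmatch(proto)) or "TLS" in text.upper()
        hops.append((m.group("from"), m.group("by"), used_tls))
    return hops


def audit(raw_message):
    """Summarise the encryption status of one raw message."""
    msg = email.message_from_string(raw_message)
    hops = audit_hops(msg)
    return {
        "end_to_end": is_end_to_end_encrypted(msg),
        "hops": hops,
        "cleartext_hops": [(src, dst) for src, dst, tls in hops if not tls],
    }


# Constructed sample 1: plain text, last hop (clinic -> payer) without TLS.
SAMPLE_PLAIN = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbound.payer.example with ESMTP id 7f3e2; Mon, 1 Mar 2021 09:03:11 +0000
Received: from workstation-12.clinic.example (workstation-12.clinic.example [10.0.5.12])
\tby mx.clinic.example (Postfix) with ESMTPSA id 41ab9
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 1 Mar 2021 09:03:09 +0000
From: nurse@clinic.example
To: claims@payer.example
Subject: Lab results for patient 4471
Content-Type: text/plain; charset=utf-8

Attached are the results for MRN 4471023.
"""

# Constructed sample 2: S/MIME enveloped message; body is a dummy placeholder, not real CMS.
SAMPLE_SMIME = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbound.payer.example with ESMTPS id 9c1d0
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 1 Mar 2021 09:10:02 +0000
From: nurse@clinic.example
To: claims@payer.example
Subject: Lab results
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxAAA=
"""

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("smime", SAMPLE_SMIME)):
        print(name, audit(raw))
```

The hop check is only as good as the Received stamps the relays wrote, and a relay can omit or forge them, so treat a clean hop list as supporting evidence rather than proof; the end-to-end check is the one that matters for PHI.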

The algorithm and key length matter as well: AES with a 128, 192 or 256-bit key is the currently recommended standard for encrypting stored data, and HHS guidance points to the NIST publications for the specifics of both storage and transport encryption.

HIPAA encryption requirements fall under "Required" and "Addressable" implementation specifications, briefly described as below:

Required:

Specifications labelled "required" must be implemented; an organization that has not done so is out of HIPAA compliance.

Addressable:

"Addressable" does not mean optional. The organization must assess whether the specification is reasonable and appropriate in its environment: if it is, implement it; if it is not, document why and implement an equivalent alternative measure that achieves the same purpose. Encryption of ePHI is addressable, so a documented risk assessment that concludes encryption is needed to manage the risk to PHI (the usual outcome for email that leaves the organization's network) makes encryption required for that organization.

HIPAA-compliant business associate agreement with email service providers

There are many email service providers that offer encrypted email, but not all are HIPAA compliant, that is, not all incorporate every safeguard the HIPAA Privacy and Security Rules require. If a third-party email service provider is used to transmit or host PHI, HIPAA requires a Business Associate Agreement (BAA) to be signed with that provider.

The BAA outlines the responsibilities of the service provider and commits it to the administrative, physical and technical safeguards that maintain the confidentiality and integrity of PHI.

It is therefore essential to choose an email service provider that will sign a BAA, since by doing so the provider accepts its share of responsibility for HIPAA compliance. A provider that will not sign one must not be used to transmit or store PHI.

Ensure correct configuration of email

Simply using an email service that is covered by a BAA does not make your email HIPAA compliant. Even with a BAA in place, risk remains: a misconfigured email service can still violate the HIPAA Rules.

HIPAA-compliant email needs to be configured so that unauthorized access is difficult: strong, unique passwords and multi-factor authentication on every mailbox and administrative account, and a log management system that meets HIPAA's audit-control requirement by recording logins, message access and configuration changes. Such safeguards create an audit trail and help detect and thwart a potential breach.

Develop processes for training healthcare staff

Several data breaches have resulted from errors by healthcare staff, such as sending ePHI by unencrypted email or sending ePHI to individuals not authorized to view it. It is therefore imperative to put in place processes and workflows that ensure healthcare staff are properly trained on HIPAA compliance, backed by technical controls that catch such mistakes before a message leaves the organization.
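The two staff errors named above, PHI sent in the clear and PHI sent to the wrong recipient, are exactly what an outbound check at the mail gateway should catch. The following is an added example written for this article, not ResolveData or Kogni code. It walks the MIME parts of an outbound message, looks for PHI indicators (an SSN, a medical record number or a date of birth combined with clinical wording), classifies recipients as internal or external to an assumed organization domain (clinic.example), and returns a verdict: block the message for encryption or review when PHI is going outside the boundary, log it when PHI stays inside, and allow everything else. The patterns, the domain and the sample messages are constructed for the example; a production gateway would tune the indicators to the organization's own identifier formats.

```python
"""Outbound PHI check for a mail gateway.

Added example for this article (not ResolveData or Kogni code).  The
organization domain, indicator patterns and sample messages are assumptions
constructed for illustration.
"""
import email
import re
from email.message import EmailMessage
from email.utils import getaddresses

ORG_DOMAINS = {"clinic.example"}          # assumed: addresses here are "inside the firewall"

# Indicator patterns; identifiers alone are weak, so the verdict below pairs them
# with clinical wording (an SSN on its own is treated as sensitive enough to block).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "clinical": re.compile(
        r"\b(?:diagnos(?:is|ed)|lab results?|prescri(?:bed|ption)|ICD-10)\b", re.I),
}
IDENTIFIERS = {"ssn", "mrn", "dob"}


def classify_recipients(msg):
    """Split To/Cc/Bcc addresses into (all, external-to-the-organization)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr for _, addr in getaddresses(headers) if addr]
    external = [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]
    return addrs, external


def extract_text(msg):
    """Collect every text part plus attachment file names (names leak PHI too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            chunks.append(filename)
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_phi(text):
    """Map indicator name -> matches for every pattern that fires."""
    return {name: pat.findall(text) for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def check_outbound(raw_message):
    """Decide what the gateway should do with one outbound message."""
    msg = email.message_from_string(raw_message)
    _, external = classify_recipients(msg)
    hits = find_phi(extract_text(msg))
    has_phi = bool(hits.keys() & IDENTIFIERS) and ("clinical" in hits or "ssn" in hits)
    if has_phi and external:
        verdict = "block"          # hold for end-to-end encryption or reviewer release
    elif has_phi:
        verdict = "log"            # stays inside the boundary; still audit-logged
    else:
        verdict = "allow"
    return {"verdict": verdict, "external": external, "indicators": sorted(hits)}


def build_message(to, body, attachment_name=None):
    """Construct a sample outbound message (test fixture, not real patient data)."""
    m = EmailMessage()
    m["From"] = "nurse@clinic.example"
    m["To"] = to
    m["Subject"] = "Follow-up"
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                         subtype="pdf", filename=attachment_name)
    return m.as_string()


SAMPLE_EXTERNAL_PHI = build_message(
    "claims@payer.example", "Lab results for MRN 4471023 are attached.", "lab_results_4471023.pdf")
SAMPLE_INTERNAL_PHI = build_message(
    "billing@clinic.example, dr.lee@clinic.example", "Lab results for MRN 4471023 are attached.")
SAMPLE_EXTERNAL_BENIGN = build_message(
    "vendor@supplies.example", "Reminder: the clinic is closed on Monday.")

if __name__ == "__main__":
    for raw in (SAMPLE_EXTERNAL_PHI, SAMPLE_INTERNAL_PHI, SAMPLE_EXTERNAL_BENIGN):
        print(check_outbound(raw))
```

A "block" verdict is the point where the message is handed to the encryption step (or to a reviewer) rather than silently dropped, and every verdict other than "allow" belongs in the audit log so that a later investigation can show what was stopped and what went out.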

HIPAA compliant email archiving

Under the HIPAA Security Rule, covered entities should maintain an email archive or, at a minimum, ensure that emails are backed up and stored securely.

Electronic communications that contain PHI need to be retained for at least six years (state law may require longer), and throughout that period access and audit controls must secure the PHI and prevent inappropriate alteration or deletion.

It is recommended to use a secure, encrypted email archiving service rather than email backups. This serves to free up storage space, and since an email archive is indexed, searching for emails in an archive is a quick and easy process. If emails need to be produced for legal discovery or for a compliance audit, they can be quickly and easily retrieved.

Encrypt the archive itself, not only the messages on their way into it: an unencrypted archive is a large, searchable store of PHI and a prime target, so encryption at rest greatly reduces the impact of a breach of the archive.

An email archiving service provider will also be subject to HIPAA Rules as they will be classed as a business associate.
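An archive that must "prevent inappropriate alteration or deletion" for six years needs a way to prove, at audit time, that nothing was changed or removed. The following is an added example written for this article, not ResolveData or Kogni code. It keeps an append-only index in which every entry commits to the SHA-256 of the stored message and to the hash of the previous entry, so editing any message or dropping any entry breaks the chain; a copy of the newest entry's hash kept off-system detects truncation of the tail. It also refuses to purge a message before its six-year retention date. Encryption of the stored messages is assumed to be provided by the storage layer and is not shown; the sample messages and dates are constructed.

```python
"""Tamper-evident email archive index with a retention check.

Added example for this article (not ResolveData or Kogni code).  Encryption of
the stored messages is assumed to be handled by the storage layer.  Sample
messages and dates are constructed for illustration.
"""
import datetime
import hashlib
import json

RETENTION_YEARS = 6        # retention period stated in the article
GENESIS = "0" * 64         # prev_hash recorded by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EmailArchive:
    """Append-only index: each entry commits to its message and to the previous entry."""

    def __init__(self):
        self.entries = []      # index records, in sequence order
        self.messages = {}     # seq -> raw message (the encrypted store, in practice)
        self.purged = set()    # seqs whose message was deleted after retention ended

    def append(self, raw_message: str, received_on: datetime.date) -> dict:
        seq = len(self.entries)
        entry = {
            "seq": seq,
            "received_on": received_on.isoformat(),
            "message_sha256": sha256_hex(raw_message.encode("utf-8")),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode("utf-8"))
        self.entries.append(entry)
        self.messages[seq] = raw_message
        return entry

    def head(self) -> str:
        """Hash of the newest entry; keep a copy off-system to detect truncation."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return None if intact, else the seq of the first broken entry.

        Returns len(entries) when the chain is internally consistent but its
        head differs from the off-system copy (entries removed from the end).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return i
            if i not in self.purged:
                body = self.messages.get(i)
                if body is None or sha256_hex(body.encode("utf-8")) != e["message_sha256"]:
                    return i
            unsigned = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(unsigned, sort_keys=True).encode("utf-8")) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def retention_ends(self, seq: int) -> datetime.date:
        received = datetime.date.fromisoformat(self.entries[seq]["received_on"])
        try:
            return received.replace(year=received.year + RETENTION_YEARS)
        except ValueError:                       # 29 Feb with a non-leap target year
            return received.replace(year=received.year + RETENTION_YEARS, day=28)

    def purge(self, seq: int, today: datetime.date) -> bool:
        """Delete a message only after its retention period; the index entry stays."""
        if today < self.retention_ends(seq):
            return False
        self.messages.pop(seq, None)
        self.purged.add(seq)
        return True


if __name__ == "__main__":
    archive = EmailArchive()
    archive.append("Subject: results\n\nMRN 4471023 lab results attached.\n", datetime.date(2021, 3, 1))
    archive.append("Subject: follow-up\n\nPlease schedule a visit.\n", datetime.date(2021, 3, 2))
    print("intact:", archive.verify() is None, "retention ends:", archive.retention_ends(0))
```

The chain makes tampering detectable, not impossible; the entries (or at least the head hash) still have to live somewhere the people who can alter messages cannot also rewrite, and the access and audit controls on that location are what the Security Rule is asking for.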

Patient Consent before communicating via email

Before PHI is sent to a patient by email, obtain and record the patient's agreement to receive it that way. HHS guidance allows a covered entity to honor a patient's request for unencrypted email once the patient has been warned of the risk, so the warning given and the patient's choice should be documented alongside the consent.

Have a privacy statement at the end of all emails

As a HIPAA best practice, append a privacy statement to the end of every outgoing email stating that the contents are confidential and intended only for the addressee, and include contact information should the message reach the wrong person. The statement is a notice, not a safeguard: it does not substitute for encryption or for sending to the right recipient.

Maintaining data security and privacy is of paramount importance for today’s healthcare providers and health insurance companies, especially when it comes to communicating patient health information via emails.

Sensitive and personal medical information obtained from email communications can be used to create fraudulent billings, manipulate the use of government programs or to obtain illegal services.

Emails have proved to be an efficient way for healthcare providers to communicate both internally among staff and externally with patients. Using a HIPAA-compliant email system greatly eases the burden of other cumbersome communication methods and provides patients with their information in a way that most people in today’s world want and need.

Resolve's data security product, Kogni Health, not only helps secure and monitor sensitive data but also discovers and identifies where that sensitive data resides. Kogni Health additionally helps with regulatory compliance, including HIPAA, GDPR, CCPA and more. Whether you are a provider, a pharma company or a payer, Resolve will help you identify, secure and monitor your data. Call now to schedule a demo.


2021 ResolveData. All Rights Reserved.