HIPAA Email Encryption Requirements
In this post, we explain the HIPAA email encryption requirements to help HIPAA-covered entities and their business associates ensure their email complies with HIPAA, and we offer recommendations on how encryption should be implemented.
HIPAA and Encryption
Healthcare organizations and their business associates that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), which involves implementing certain safeguards to protect ePHI at rest and in transit. One of those safeguards is the encryption of ePHI.
The HIPAA Security Rule has required and addressable specifications. Required specifications must be implemented for HIPAA compliance, whereas addressable specifications offer a degree of flexibility. A covered entity can choose to implement the addressable specification, implement alternatives that provide an equivalent level of protection, or choose not to implement the specification if it is determined to be unreasonable and inappropriate.
Encryption is an addressable specification in the HIPAA Security Rule. If you want to protect email against unauthorized access in transit, encrypting the content of messages will achieve that purpose. Emails are sent over an open network and by default are sent in plain text. If an unauthorized individual was able to intercept messages in transit from email server to email server, the content of the messages could be viewed and information in the emails could also be altered.
When emails are encrypted, the content of the messages, including any attachments, is converted to ciphertext, which renders the content indecipherable without the keys needed to decrypt it. Those keys are held only by the sender and the intended recipients. To meet the HIPAA email encryption requirements, the algorithm used to encrypt messages should meet current NIST guidelines: Advanced Encryption Standard (AES) with 128-bit, 192-bit, or 256-bit keys, or Triple DES, for example. OpenPGP and S/MIME are common standards for applying such encryption to email messages.
When do the HIPAA Email Encryption Requirements Apply?
The HIPAA email encryption requirements only apply to emails that contain ePHI, so if no ePHI is sent via email, encrypting emails would be unreasonable and inappropriate. Emails can also be protected in other ways. If emails containing ePHI are only ever sent internally, for example, other safeguards are likely to be in place that render encryption inappropriate: the emails never pass beyond the protection of the firewall, and access controls restrict access and prevent unauthorized individuals from accessing email data.
A risk analysis should be conducted to determine if an addressable implementation specification is reasonable and appropriate, and the decision to encrypt or not will depend on the extent to which risks have been mitigated by other measures. When the decision is taken not to implement an addressable standard such as encryption because it is not determined to be “reasonable and appropriate,” the decision must be documented. The reason(s) why the standard has not been implemented as suggested in the HIPAA text must be documented, along with the alternative measure(s) that were implemented to provide an equivalent level of protection and the facts that support that decision. The documentation will need to be provided to regulators during audits and investigations to demonstrate that the HIPAA standard has not been overlooked.
The Implementation of Email Encryption
The HIPAA email encryption requirements are detailed in 45 CFR § 164.312(a)(2)(iv) and 164.312(e)(2)(ii), which require HIPAA-regulated entities to “Implement a mechanism to encrypt and decrypt electronic protected health information,” and, for transmission security, to “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” The method and type of encryption that should be used are not specified.
Two of the ways that data can be encrypted are Transport Layer Security (TLS) and end-to-end encryption. With TLS, emails are encrypted in transit only, whereas with end-to-end encryption the messages are encrypted during transit and also at rest on the server. With TLS, the encryption terminates when the message arrives at the server, so anyone with access to the server can view the emails. With end-to-end encryption, the recipient must authenticate to decrypt the messages, so end-to-end encryption provides the greatest protection against unauthorized access. While both types of encryption can satisfy the HIPAA email encryption requirements, TLS is not HIPAA-compliant by itself: if the encryption fails, which it may do if an email service along the way removes the encryption because it cannot process encrypted messages, the email would travel unencrypted. Replies would also not be encrypted.
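A receiving mail server can check the trace headers of a message to see whether every hop was protected by TLS. The following is an added example, not code from the original post: it parses the Received: headers of a constructed sample message (hostnames, addresses and IDs are made up) and reports any hop that was relayed without TLS, which is the failure the paragraph above describes.

```python
import email
import re

# Constructed sample message (not from the original page): three MTA hops,
# the middle one relayed without TLS ("with ESMTP" instead of "with ESMTPS").
SAMPLE_MESSAGE = """\
Received: from mx2.example-clinic.test (mx2.example-clinic.test [192.0.2.20])
 by mail.example-clinic.test with ESMTPS id abc123
 (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
 by mx2.example-clinic.test with ESMTP id def456;
 Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.example-practice.test (unknown [203.0.113.9])
 by relay.example-isp.test with ESMTPSA id ghi789;
 Mon, 1 Jan 2024 10:00:01 +0000
From: doctor@example-practice.test
To: records@example-clinic.test
Subject: Lab results

Body omitted.
"""

# RFC 3848 / RFC 6531 "with" keywords that indicate the hop used TLS
# (ESMTPS = STARTTLS, ESMTPSA = STARTTLS plus SMTP AUTH); anything else is
# treated as cleartext.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)", re.S)


def received_hops(raw_message: str) -> list:
    """Return each relay hop in chronological order with a 'tls' verdict."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each MTA prepends its Received header, so the top one is the newest.
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        match = HOP_RE.search(value)
        if not match:
            continue  # malformed or non-standard trace line; skip it
        proto = match.group("proto").upper()
        hops.append({"src": match.group("src"), "dst": match.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops


def cleartext_hops(raw_message: str) -> list:
    """Hops that carried the message without transport encryption."""
    return [hop for hop in received_hops(raw_message) if not hop["tls"]]
```

Only the Received header written by your own mail server is trustworthy; earlier entries are recorded by other servers and could be forged or omitted, so this is a check on mail you receive, not a guarantee about the whole path.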
Other Email Encryption Considerations
You should bear in mind that the vendor used to encrypt messages will be classed as a business associate under HIPAA. The HIPAA email encryption requirements therefore call for the HIPAA-regulated entity to enter into a business associate agreement (BAA) with the email encryption provider. If the vendor is not willing to sign a BAA, you should seek a different encryption vendor.
Simply implementing encryption will not make your emails HIPAA compliant. No technology can be HIPAA-compliant in itself, as compliance depends on how that technology is used. Employees could easily make errors that violate HIPAA: if, for example, your policy requires employees to click to encrypt messages that contain ePHI, a mistake could be made and an email may be sent unencrypted. Safeguards can be implemented to prevent this. Staff should naturally be trained, but you could also enforce encryption for all external messages, or use a solution with keyword recognition that can automatically detect ePHI in emails and enforce encryption.
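One way to implement the two safeguards just mentioned, encrypting all external mail or encrypting whenever an ePHI detector fires, as an added example that is not code from the original post: the internal domain and the detection patterns are constructed placeholders, and a real deployment would derive them from the organization's own risk analysis rather than from this snippet.

```python
import re
from email.utils import parseaddr

# Assumptions for this example (not from the page): the organization's own
# domain, and a few regular expressions standing in for an ePHI detector.
INTERNAL_DOMAINS = {"example-clinic.test"}
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
    "clinical-term": re.compile(
        r"\b(diagnos\w*|prescription|lab results?|treatment plan)\b", re.I),
}


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of our own domains."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def ephi_indicators(text: str) -> list:
    """Names of the ePHI patterns that match the given subject/body text."""
    return sorted(name for name, pat in EPHI_PATTERNS.items() if pat.search(text))


def encryption_decision(recipients, subject, body, encrypt_all_external=True) -> dict:
    """Decide whether an outbound message must be encrypted before it leaves.

    encrypt_all_external=True  -> every message to an outside domain is encrypted.
    encrypt_all_external=False -> only messages where the detector finds ePHI are,
                                  which leaves a gap whenever the detector misses.
    Internal-only mail is allowed through on the assumption that the firewall
    and mailbox access controls described in the article already cover it.
    """
    external = [r for r in recipients if is_external(r)]
    found = ephi_indicators(subject + "\n" + body)
    if not external:
        return {"action": "allow", "reason": "internal recipients only", "indicators": found}
    if encrypt_all_external:
        return {"action": "encrypt", "reason": "external recipient", "indicators": found}
    if found:
        return {"action": "encrypt", "reason": "ePHI detected: " + ", ".join(found),
                "indicators": found}
    return {"action": "allow", "reason": "no ePHI detected", "indicators": found}


if __name__ == "__main__":
    # Constructed outbound message: external recipient, ePHI in the body.
    print(encryption_decision(["ref@partner-lab.test"], "Results",
                              "SSN 123-45-6789, lab results enclosed", False))
```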
You must obtain consent from patients before sending their ePHI via email and warn them that communicating via email involves a privacy risk. If a patient is willing to accept those risks, then emails containing ePHI can be sent. If in doubt about the HIPAA email encryption requirements, seek legal advice from a healthcare attorney who specializes in HIPAA compliance or from a compliance vendor.