HIPAA Email Encryption Requirements

The HIPAA email encryption requirements are that, when emails contain electronic Protected Health Information (ePHI), the emails must be encrypted to a minimum standard unless encryption is found to be an unreasonable or inappropriate safeguard in a risk assessment.

HIPAA and the HIPAA Email Encryption Requirements

Covered entities and business associates that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) must ensure the confidentiality, integrity, and availability of ePHI. This involves implementing certain safeguards to protect ePHI at rest and in transit. One of those safeguards is the encryption of ePHI.

The HIPAA Security Rule has required and addressable specifications. Required specifications must be implemented for HIPAA compliance, whereas addressable specifications offer a degree of flexibility. A covered entity can choose to implement the addressable specification, implement alternatives that provide an equivalent level of protection, or choose not to implement the specification if it is determined to be unreasonable and inappropriate.

Encryption is an addressable specification in the HIPAA Security Rule. However, emails are sent over open networks and by default are sent in plain text. If an unauthorized individual were able to intercept messages in transit from email server to email server, the content of the messages could be viewed and the information in the emails could also be altered. Encryption is the only feasible way to prevent unauthorized access due to “man-in-the-middle” attacks.

When emails are encrypted, the content of the messages, including any email attachments, is converted to ciphertext, which renders the content indecipherable without the keys to decrypt the messages. Those keys are held only by the sender and the intended recipients of the emails. To meet the HIPAA email encryption requirements, the encryption used to protect ePHI in transit should meet current NIST guidelines (TLS 1.2, OpenPGP, S/MIME, etc.).
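As an added illustration of the in-transit requirement above (example code written for this page, not from the original article or from any vendor it names), the Python snippet below builds a TLS client context for an outbound SMTP connection that refuses anything older than TLS 1.2 and requires certificate verification, places it beside the weak "opportunistic, unverified" configuration it replaces, and includes a checker a deployment test can run against whatever context an application actually uses. The host, port and addresses in the sending function are placeholders; the function is not invoked because it needs a live mail relay.

```python
import smtplib
import ssl


def build_smtp_tls_context() -> ssl.SSLContext:
    """TLS client context for SMTP that meets a TLS 1.2 floor.

    create_default_context() already turns on certificate and hostname
    verification; pinning minimum_version makes the floor explicit so a
    later library or OpenSSL default cannot silently lower it.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def opportunistic_unverified_context() -> ssl.SSLContext:
    """The weak 'before' configuration: encrypts, but trusts any certificate.

    Shown only for comparison; an on-path attacker can present their own
    certificate to a client configured this way.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_floor(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces TLS >= 1.2 with full verification."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def send_with_mandatory_tls(host: str, port: int, message: str,
                            sender: str, recipients: list) -> None:
    """Deliver a message over STARTTLS, failing closed if TLS is unavailable.

    smtplib's starttls() raises SMTPNotSupportedError when the server does
    not advertise STARTTLS, so a downgrade to plaintext is never silent.
    Placeholder arguments; not called in the demo below (needs a live relay).
    """
    ctx = build_smtp_tls_context()
    if not context_meets_floor(ctx):
        raise RuntimeError("TLS context does not meet the TLS 1.2 floor")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ctx)   # raises rather than continuing in clear
        smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    print("hardened context meets floor:",
          context_meets_floor(build_smtp_tls_context()))
    print("unverified context meets floor:",
          context_meets_floor(opportunistic_unverified_context()))
```

The design point is that STARTTLS on its own is opportunistic: a relay that never offers it, or a client that ignores a bad certificate, still delivers the message in the clear. Calling `starttls()` unconditionally with a verifying context turns both cases into a hard failure that can be logged and investigated instead of a silent plaintext send.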

With regard to ePHI at rest – in a user’s inbox or cloud archive – guidance published by the Department of Health and Human Services (HHS) states that the minimum encryption standard necessary to comply with the HIPAA email encryption requirements is Advanced Encryption Standard (AES) 128-bit or higher. It should be noted that several HIPAA-compliant cloud service providers are in the process of upgrading their encryption standards to AES 256.

When do the HIPAA Email Encryption Requirements Apply?

The HIPAA email encryption requirements only apply to emails that contain ePHI, so if no ePHI is sent via email, encrypting emails might be unreasonable and inappropriate. It is also possible to protect emails in other ways. For example, if emails containing ePHI are only ever sent internally, there will likely be other safeguards in place that render encryption inappropriate: the emails never pass beyond the protection of the firewall, and access controls are in place to restrict access and prevent unauthorized individuals from accessing email data.

A risk analysis should be conducted to determine if an addressable implementation specification is reasonable and appropriate, and the decision to encrypt or not will depend on the extent to which risks have been mitigated by other measures. When the decision is taken not to implement an addressable standard such as encryption, as it is not determined to be “reasonable and appropriate,” the decision must be documented.

The documentation must record the reason(s) why the standard has not been implemented as suggested in the HIPAA text, the alternative measure(s) that were implemented to provide an equivalent level of protection, and the facts supporting that decision. The documentation will need to be provided to regulators during audits and investigations to demonstrate that the HIPAA standard has not been overlooked.

The Implementation of Email Encryption

The HIPAA email encryption requirements are detailed in 45 CFR § 164.312(a)(2)(iv) and 164.312(e)(2)(ii). Respectively, they require HIPAA-regulated entities to “implement a mechanism to encrypt and decrypt electronic protected health information [at rest]” and to “implement a mechanism to encrypt electronic protected health information [in transit] whenever deemed appropriate.”

There are several ways in which covered entities and business associates can comply with the HIPAA email encryption requirements. If the mail server is hosted on-premises, they can implement systems that generate, manage, and rotate encryption keys. In this scenario, it is a best practice to also encrypt the encryption keys and ensure they are stored in a different location from the data they have encrypted.

The second method is to subscribe to a HIPAA compliant email service that supports email encryption (e.g., Google Workspace) and configure the email service to comply with the HIPAA email encryption requirements. (Note: some Google Workspace accounts support S/MIME encryption, which encrypts the content of the email rather than the channel through which the email is delivered. Check which is best for your organization.)

A further way to comply with the HIPAA email encryption requirements is to implement an email encryption service – either to encrypt emails containing ePHI sent from an on-premises mail server or to stand in front of a service such as Google Workspace. In all cases in which an external service is used to comply with the HIPAA email encryption requirements, it is necessary to enter into a Business Associate Agreement with the service provider.

Other Email Encryption Considerations

Simply implementing encryption will not make your emails HIPAA compliant. No technology can guarantee HIPAA compliance, as compliance depends on how that technology is used. Employees could easily make errors that violate HIPAA: for example, if your policy requires employees to click to encrypt messages that contain ePHI, a mistake could be made and an email could be sent unencrypted. Safeguards can be implemented to prevent this. Staff should receive HIPAA security training, you could enforce encryption for all external messages, or you could use a solution with keyword recognition that automatically detects ePHI in emails and enforces encryption.
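To make the last two safeguards concrete, here is an added example (written for this page, not a product's or the article's own code) of an outbound-mail policy check that scans the subject, body and attachment text for ePHI indicators and decides whether encryption must be enforced, with a switch for the blanket "encrypt everything external" policy. The internal domain, keyword list, regular expressions and sample messages are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical internal domain: mail that stays here is covered by the
# perimeter and access controls rather than by transport encryption.
INTERNAL_DOMAINS = {"clinic.example"}

# Illustrative ePHI indicators. Keyword matching is deliberately coarse
# ("patient" also matches "outpatient"); a false positive only means an
# email gets encrypted that did not strictly need it.
EPHI_KEYWORDS = ("patient", "diagnosis", "prescription", "lab result")
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}",
                      re.IGNORECASE),
}


@dataclass
class Decision:
    encrypt: bool
    reasons: list = field(default_factory=list)


def find_ephi_indicators(text: str) -> list:
    """Return the name of every keyword and pattern that fires on text."""
    hits = []
    lowered = text.lower()
    for keyword in EPHI_KEYWORDS:
        if keyword in lowered:
            hits.append(f"keyword:{keyword}")
    for name, pattern in EPHI_PATTERNS.items():
        if pattern.search(text):
            hits.append(f"pattern:{name}")
    return hits


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def decide(recipients, subject, body, attachment_texts=(),
           encrypt_all_external=False) -> Decision:
    """Decide whether an outbound message must be encrypted.

    encrypt_all_external=True implements the blanket policy from the text;
    False relies on ePHI detection instead. Internal-only mail is allowed
    either way, on the assumption that other safeguards cover it.
    """
    if not any(is_external(r) for r in recipients):
        return Decision(False, ["all recipients internal"])
    if encrypt_all_external:
        return Decision(True, ["policy: encrypt all external mail"])
    hits = find_ephi_indicators("\n".join([subject, body, *attachment_texts]))
    if hits:
        return Decision(True, hits)
    return Decision(False, ["no ePHI indicators found"])


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        (["referrals@partner-hospital.example"], "Follow-up",
         "Patient Jane Doe, MRN 00123456, lab results attached"),
        (["nurse@clinic.example"], "Follow-up",
         "Patient Jane Doe, MRN 00123456"),
        (["vendor@partner-hospital.example"], "Lunch",
         "Cafeteria menu for Friday"),
    ]
    for recipients, subject, body in samples:
        d = decide(recipients, subject, body)
        print(recipients, "->", "ENCRYPT" if d.encrypt else "allow", d.reasons)
```

A check like this belongs in the mail pipeline (a gateway rule or a send hook), not in the user's hands, so that the decision cannot be skipped by a missed click; the `reasons` list gives the log entry an auditor will ask for when asking why a given message was or was not encrypted.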

You must obtain consent from patients before sending their ePHI via email and warn them that communicating via email involves a privacy risk: emails can be opened by anybody with access to the recipient’s device. If a patient is willing to accept those risks, then emails containing ePHI can be sent. If in doubt about the HIPAA email encryption requirements, seek legal advice from a healthcare attorney who specializes in HIPAA compliance or from a compliance vendor.