If you are in the medical field, this is a significant question. Unfortunately, many of the email systems in use are not HIPAA compliant. What do you need to know to ensure compliance?
HIPAA (Health Insurance Portability and Accountability Act) compliance is an essential aspect of healthcare industry security. It requires that electronic Protected Health Information (ePHI) be kept secure and confidential during transmission, storage, and retrieval. One of the most common ways of transmitting ePHI is through email. This article discusses HIPAA-compliant email, how email works, and where security flaws can appear.
HIPAA-compliant emails must meet specific criteria. All ePHI must be encrypted at every stage of delivery and storage, a minimum of six years of storage is required, and stored emails must be encrypted at rest. End-to-end encryption is required for all ePHI communication, and you need to warn the client in your email correspondence about the danger of sending any emails unencrypted.
Providing a way for clients to send end-to-end encrypted emails with ePHI will help defend against compliance issues.
Emails travel from sender to receiver, and back to the sender, in a process that involves several stages. Let us take a closer look at these stages:
- Sender Composes Email: The sender creates the email message and addresses it to the intended recipient.
- Sender Sends Email: The email is sent from the sender’s email client to the SMTP (Simple Mail Transfer Protocol) server, and headers are added to the email message (behind the scenes) to track the message from Mail Transfer Agent (MTA) to MTA.
- MTA Server Relays Email: The MTA sends the email to the next MTA using SMTP. The server checks the message for errors, adds its own header (like an address), and then routes it to the recipient’s email server or to another MTA, depending on the destination.
- Recipient’s Email Server Receives Email: The recipient’s email server receives the email and checks it for spam, viruses, and other security threats.
- Email Stored on Recipient’s Email Server: If the email passes the recipient’s email server’s security checks, it is stored on the recipient’s email server.
- Recipient Reads Email: The recipient accesses their email client to read the email.
- Recipient Replies to Email: If the recipient chooses to reply to the email, the email message goes through the same process in reverse.
- Message Stored: The message is stored on the email server and/or on the recipient’s UA (User Agent), such as Outlook, Thunderbird, or other software.
As you can see, there are many steps in the email process, and many points at which an attacker could access the message. One common misconception is that configuring your UA with SSL/TLS encryption makes the message encrypted throughout the whole process. This is not the case: it only encrypts the message during delivery from MTA to MTA (by adding an encryption layer to SMTP); the message is not encrypted at rest or outside of SMTP.
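As an added example (not part of the original article), here is a small Go program that reads the Received: trace headers the MTA chain leaves on a message and reports, hop by hop, whether each relay accepted the message over TLS. The sample message, host names and queue IDs are constructed for the demonstration; the "with ESMTPS" / "ESMTPSA" keywords it keys on are the ones RFC 3848 registers for TLS sessions. Run against a real message from your own mailbox, it makes the point above visible: a TLS-protected hop does not imply a TLS-protected path, and nothing in these headers says anything about encryption at rest.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one "Received:" trace header, listed most recent (top of message) first.
type Hop struct {
	From, By string // hosts as written by the receiving MTA; "from" is an unverified claim
	Protocol string // the RFC 3848 "with" keyword: SMTP, ESMTP, ESMTPS, ESMTPSA, ...
	TLS      bool   // true when that keyword denotes a TLS-protected session
}

// Constructed sample (hypothetical hosts and IDs): three hops, and the middle
// relay-to-relay hop was delivered over plain ESMTP with no TLS.
const sampleRaw = "Received: from relay.clinic.example (relay.clinic.example [192.0.2.10])\r\n" +
	"\tby mx.patientmail.example with ESMTPS id abc123\r\n" +
	"\tfor <patient@patientmail.example>; Mon, 01 Jan 2024 10:00:02 +0000\r\n" +
	"Received: from mail.clinic.example (mail.clinic.example [192.0.2.5])\r\n" +
	"\tby relay.clinic.example with ESMTP id def456; Mon, 01 Jan 2024 10:00:01 +0000\r\n" +
	"Received: from [10.0.0.7] (workstation.clinic.example [10.0.0.7])\r\n" +
	"\tby mail.clinic.example with ESMTPSA id ghi789; Mon, 01 Jan 2024 10:00:00 +0000\r\n" +
	"From: nurse@clinic.example\r\n" +
	"To: patient@patientmail.example\r\n" +
	"Subject: Appointment reminder\r\n" +
	"\r\n" +
	"Body text is not inspected here.\r\n"

var (
	fromRe = regexp.MustCompile(`\bfrom\s+(\S+)`)
	byRe   = regexp.MustCompile(`\bby\s+(\S+)`)
	withRe = regexp.MustCompile(`\bwith\s+([A-Za-z0-9]+)`)
)

// ParseHops reads the Received: trace from a raw RFC 5322 message. net/mail unfolds
// the continuation lines, so each header arrives as one string.
func ParseHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, line := range msg.Header["Received"] {
		var h Hop
		if m := fromRe.FindStringSubmatch(line); m != nil {
			h.From = m[1]
		}
		if m := byRe.FindStringSubmatch(line); m != nil {
			h.By = m[1]
		}
		if m := withRe.FindStringSubmatch(line); m != nil {
			h.Protocol = strings.ToUpper(m[1])
			h.TLS = tlsKeyword(h.Protocol)
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// tlsKeyword applies RFC 3848: the "S" suffix (ESMTPS, UTF8SMTPS) marks a TLS session
// and an optional trailing "A" marks SMTP AUTH; SMTP, ESMTP and ESMTPA are cleartext.
func tlsKeyword(kw string) bool {
	kw = strings.TrimSuffix(strings.ToUpper(kw), "A")
	return strings.HasSuffix(kw, "SMTPS")
}

// AllHopsTLS answers the question raised above: was the message protected on
// every MTA-to-MTA hop, or only on some of them?
func AllHopsTLS(hops []Hop) bool {
	if len(hops) == 0 {
		return false
	}
	for _, h := range hops {
		if !h.TLS {
			return false
		}
	}
	return true
}

func main() {
	hops, err := ParseHops(sampleRaw)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %-22s -> %-24s %-8s tls=%v\n", i+1, h.From, h.By, h.Protocol, h.TLS)
	}
	fmt.Println("every hop TLS-protected:", AllHopsTLS(hops))
}
```

Two caveats when reading real traces: each Received: line is written by the server that accepted the message, so only the headers added by servers you operate are trustworthy, and the "from" host is whatever the previous hop announced. The keyword also only tells you TLS was used, not whether the receiving server verified the certificate.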
In 2013, the way emails fall under HIPAA guidelines changed. Not all levels of encryption are the same: SSL/TLS (such as what you would set up in Outlook) is fine for emails that do not contain ePHI, but not for emails that do. Guidelines produced by NIST (the National Institute of Standards and Technology) recommend AES 128-, 192-, or 256-bit encryption, or OpenPGP and S/MIME (both of which are end-to-end encryption).
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols used to secure email transmissions. SSL and TLS encrypt the email message in transit, making it unreadable to anyone intercepting the transmission. SSL and TLS also ensure that the email is sent to the intended recipient and has not been tampered with during transmission.
While SSL/TLS encryption can provide an essential layer of security for email, it is not a complete solution, and there are still ways that an encrypted email can be compromised. Additionally, SSL/TLS by itself does not make an email HIPAA compliant, as there are other security and privacy requirements that must be met (some of which we have already covered).
One way that an SSL/TLS-encrypted email can be compromised is through a man-in-the-middle (MITM) attack. In a MITM attack, an attacker intercepts the encrypted email transmission and is able to decrypt the message by presenting their own SSL/TLS certificate in place of the legitimate server’s. This allows the attacker to view the contents of the email message, potentially exposing any sensitive information contained within it. To prevent MITM attacks, it is essential to verify the authenticity of SSL/TLS certificates and to use secure communication channels.
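An added Go example (not from the article) showing the client-side setting that makes this kind of MITM possible, its corrected form, and an SMTP submission routine that fails closed: it refuses to send unless the server offers STARTTLS and the certificate validates for the expected host name. It uses only the standard library’s net/smtp and crypto/tls; the host, port, addresses and MeetsPolicy helper are placeholders I chose for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/smtp"
)

// weakTLSConfig is the setting that makes the MITM described above possible:
// the client accepts whatever certificate the peer presents, so an attacker's
// certificate is as good as the real server's. Kept only for contrast.
func weakTLSConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// StrictTLSConfig leaves verification on (InsecureSkipVerify false, so the chain is
// checked against the system roots), pins the expected host name so the certificate
// must be for the server we meant to reach, and refuses TLS versions below 1.2.
func StrictTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}

// MeetsPolicy is a hypothetical local rule: a config is acceptable only if it
// verifies the peer, names the expected host, and requires TLS 1.2 or newer.
func MeetsPolicy(cfg *tls.Config) bool {
	return !cfg.InsecureSkipVerify && cfg.ServerName != "" && cfg.MinVersion >= tls.VersionTLS12
}

// SendWithStartTLS submits a message and fails closed: if the server does not offer
// STARTTLS, or the certificate does not validate, nothing is sent. Many clients fall
// back to cleartext at that point; that fallback is what exposes ePHI in transit.
// host, port, from, to and body are caller-supplied placeholders.
func SendWithStartTLS(host string, port int, from, to string, body []byte) error {
	addr := fmt.Sprintf("%s:%d", host, port)
	c, err := smtp.Dial(addr)
	if err != nil {
		return err
	}
	defer c.Close()
	if ok, _ := c.Extension("STARTTLS"); !ok {
		return fmt.Errorf("%s does not offer STARTTLS; refusing to send in cleartext", addr)
	}
	if err := c.StartTLS(StrictTLSConfig(host)); err != nil {
		return fmt.Errorf("TLS upgrade failed (bad certificate or interception): %w", err)
	}
	if state, ok := c.TLSConnectionState(); !ok || !state.HandshakeComplete {
		return fmt.Errorf("session is not TLS-protected after STARTTLS")
	}
	if err := c.Mail(from); err != nil {
		return err
	}
	if err := c.Rcpt(to); err != nil {
		return err
	}
	w, err := c.Data()
	if err != nil {
		return err
	}
	if _, err := w.Write(body); err != nil {
		return err
	}
	if err := w.Close(); err != nil {
		return err
	}
	return c.Quit()
}

func main() {
	fmt.Println("weak config meets policy:  ", MeetsPolicy(weakTLSConfig()))
	fmt.Println("strict config meets policy:", MeetsPolicy(StrictTLSConfig("mx.example")))
	// SendWithStartTLS("mx.example", 587, "nurse@clinic.example", "patient@example", body)
	// needs a live server and is therefore not invoked here.
}
```

The same two decisions exist in every mail client and library: whether the certificate is validated against the expected host name, and what happens when STARTTLS is unavailable. Check both when you review a UA’s "use SSL/TLS" setting; a client that silently falls back to cleartext passes the first check and fails the second.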
Another way that an encrypted email can be compromised is through a phishing attack. In a phishing attack, an attacker impersonates a trusted entity, such as a healthcare provider, and convinces the recipient to provide sensitive information or click on a malicious link. SSL/TLS encryption does not protect against phishing attacks, and it is essential for individuals to be vigilant and cautious when responding to emails, especially those that contain sensitive information.
Additionally, HIPAA compliance requires more than just SSL/TLS encryption for email transmissions. Other requirements include access controls, audit logs, risk assessments, and end-to-end encryption (discussed next). Encryption is just one component of a comprehensive security plan, and healthcare organizations must ensure that all security and privacy requirements are met to maintain HIPAA compliance.
End-to-end encryption is a security measure that ensures that only the intended recipient can read the email message. End-to-end encryption encrypts the email message on the sender’s device and decrypts it on the recipient’s device. This means that even if the email is intercepted during transmission or stored on an email server, it cannot be read by anyone other than the intended recipient. End-to-end encryption is HIPAA compliant as long as the message stays encrypted at rest, that is, while it is in storage.
This means the message must remain encrypted in storage for at least six years.
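To make the end-to-end property concrete, here is an added Go example (not from the article, and not OpenPGP or S/MIME themselves) using the same hybrid structure both of those standards use: a fresh AES-256-GCM key encrypts the message body, and that key is wrapped to the recipient’s RSA public key with OAEP. A RelayStore type stands in for every MTA and the at-rest mailbox in the delivery chain; it can retain the message for the six-year period without ever being able to read it. The patient text is a constructed sample and the names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// SealedMessage is all an MTA or mailbox store ever holds: the body is ciphertext and
// the per-message AES key is wrapped to the recipient's public key.
type SealedMessage struct {
	WrappedKey []byte // AES-256 key encrypted with RSA-OAEP (SHA-256)
	Nonce      []byte // 12-byte AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device and needs only the recipient's public key.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*SealedMessage, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs on the recipient's device, the only place the private key exists.
// Any change to the stored ciphertext makes the GCM tag check fail.
func Open(recipient *rsa.PrivateKey, m *SealedMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

// RelayStore stands in for every MTA and the at-rest mailbox in the delivery chain:
// it relays and retains the message but never holds a key.
type RelayStore struct{ stored []*SealedMessage }

func (r *RelayStore) Deliver(m *SealedMessage) { r.stored = append(r.stored, m) }

// Exposes reports whether any retained message carries the given text in the clear.
func (r *RelayStore) Exposes(plaintext []byte) bool {
	for _, m := range r.stored {
		if bytes.Contains(m.Ciphertext, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048) // generated and kept by the recipient
	if err != nil {
		panic(err)
	}
	ephi := []byte("Patient 4711: lab results attached (constructed sample)")
	sealed, err := Seal(&recipient.PublicKey, ephi)
	if err != nil {
		panic(err)
	}
	store := &RelayStore{}
	store.Deliver(sealed) // what the servers and mailbox see, and keep for six years
	fmt.Println("servers can read ePHI at rest:", store.Exposes(ephi))
	got, err := Open(recipient, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %s\n", got)
}
```

Two properties follow directly from the construction and are what an auditor cares about: the retained copy is unreadable without the recipient’s private key, which never leaves the recipient’s device, and any modification of the stored ciphertext is detected at decryption time rather than silently accepted. Real OpenPGP and S/MIME deployments add key distribution and signing on top of this, which the example deliberately leaves out.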
The critical items to remember for HIPAA emails:
- When communicating ePHI to a patient, warn the recipient of the risks of communicating ePHI when not using end-to-end encryption.
- Obtain their consent to receive communications by email and document both the warning and the consent.
- Have end-to-end encryption on all ePHI, and make sure all ePHI is encrypted during storage.
- Obtain a BAA (Business Associate Agreement) with the provider. If you don’t have a BAA with your email provider, your email is not HIPAA compliant.
Email is an effective way of communicating with clients, as long as ePHI is protected and other safeguards are in place, such as checking the email address for accuracy before sending, or sending an alert to the patient to confirm the address before sending the message.
HIPAA-compliant emails must be secure and confidential during transmission, storage, and retrieval. This is achieved through appropriate encryption and security measures such as end-to-end encryption. Therefore, it is essential for healthcare organizations to understand the email transmission process and implement appropriate security measures to ensure HIPAA compliance.
For a more detailed article on HIPAA emails, please see HIPAA Journal’s article on HIPAA-compliant emails: “How to Make Your Email HIPAA Compliant” by HIPAA Journal
For other references:
“Does the HIPAA Privacy Rule Permit Health Care Providers To Use Email To Discuss Health Issues And Treatment With Their Patients?” by the U.S. Department of Health & Human Services
“HIPAA Email Rules” by The HIPAA Guide
Please contact us if you have questions or want a free consultation. We look forward to meeting you.