
How to be HIPAA Compliant with an Email Encryption Software

How to be HIPAA Compliant

466 incidents.

304 with confirmed data disclosure.

According to the Verizon Data Breach report, these are the numbers that reflect the healthcare industry's real state of affairs in 2019.

Make no mistake, healthcare organizations are responsible for the most valuable asset — patient health information. It is the only industry with more internal actors (59%) behind data breaches than external (42%). 

A major part of meeting HIPAA requirements concerns email.

Email helps practices to stay in contact with their patients and communicate with other healthcare specialists on a daily basis.

To provide secure email communication, businesses need to use the technology that fulfills their particular goals.

Also, risks should be analyzed, and messages should be kept encrypted to eliminate potential threats associated with unauthorized access.

What Does HIPAA Stand For?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act.

The act establishes regulations for processing, storing, securing, and protecting Protected Health Information (PHI).

All medical organizations, including hospitals, practices, and medical institutions, engaged in the processing of patient private information, must comply with the HIPAA regulations.

HIPAA Privacy and Security Rules

The act prohibits disclosing a patient’s personal identifying information by any means. The Protected Health Information can be held in digital, paper, or oral form.

HIPAA also sets rules that must be applied to protect health information transferred in electronic form, electronic Protected Health Information (ePHI). Electronic PHI, wherever it is shared, must remain HIPAA compliant.

The following types of data count as ePHI:

  • A patient's:
    • Name; 
    • Address; 
    • Birthdate; 
    • Social Security Number.
  • A patient's physical/mental health condition.
  • A patient's payment history for the provided care.
  • Patient’s medical records:
    • Lab results; 
    • Diagnoses; 
    • Treatments;
  • Different types of documents:
    • X-ray pictures;
    • Test files, medical scans, etc.

What Does it Mean to be HIPAA Compliant?

Several criteria should be applied to adhere to HIPAA requirements.

Business Associate Agreement. Business Associates are the ones who have access to patient personal information and provide support in treatment, payment, or other operations. Business Associates are required to sign an agreement that states they will protect a patient’s confidential information.

Confidentiality. Healthcare providers must ensure that parties involved in handling personal identifying information comply with the act. What it means is emails, containing sensitive information transmitted inside or outside of a medical institution, must be secured, and access rights must be determined.

Consent form. Health establishments must have a consent form that clients fill out. By filling out such an agreement, clients give their permission to exchange emails.

HIPAA Compliant Email Software: Do's and Don'ts

Healthcare organizations shouldn’t send personal health information via email unless they are using secure encrypted email software.

Since clinicians transfer patient personal information to other medical specialists via email, having HIPAA compliant encrypted email service is absolutely necessary.

Also, it is vital for organizations to ensure their emails are secured and protected in transfer, at rest and in use. 

And the best way to do it is to encrypt emails.

Does HIPAA Require Data Encryption?

HIPAA compliant email providers incorporate appropriate controls that are applied to ensure the confidentiality, integrity, and availability of ePHI.

As regards data encryption requirements, HIPAA requires health organizations to assess the need for encryption. An entity covered by HIPAA is not required to encrypt emails, provided an alternative control is used.

HIPAA compliant email providers must ensure their solution meets HIPAA requirements. According to HIPAA regulations, email services must provide authentication, integrity, and secure transfer of emails.

Encryption is necessary when healthcare organizations:

  • submit payments via email;
  • contact other healthcare organizations;
  • contact patients.

But then again, risk analysis and risk management must be carried out to determine the level of risk to sensitive data transferred via email.

Unencrypted Email Data: Risks

There are considerable risks in sending sensitive information via email. Emails are composed on a user’s device and relayed via SMTP through mail servers before they are delivered to the recipient’s inbox.

Data breaches, and the fines that follow them, happen frequently because traditional email channels were created to deliver regular messages, not to secure them.

For that reason, such ways of transferring emails carry two crucial risk factors. First, emails are sent in plain text by default. Second, they are exposed to widespread internet threats such as man-in-the-middle attacks, human error, business email compromise, and phishing.

However, this does not mean you can count on the SSL/TLS protocol to remove these risks.

Even if the healthcare organization’s email provider does support SSL/TLS encryption, that doesn’t necessarily mean emails will be delivered securely: if the recipient’s email provider doesn’t support SSL/TLS encryption, emails will be delivered as unencrypted text. And even when every hop negotiates TLS, the protection is only hop-by-hop: the message sits as plain text on each mail server it passes through.
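As an added illustration of the point above (this is example code, not code from the article or from StealthMail), the following Python checks whether the next-hop mail server advertises STARTTLS before any ePHI is handed to it, instead of relying on opportunistic TLS. The sample EHLO replies are constructed; `check_next_hop` assumes network access to a real MX host.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real provider).
EHLO_WITH_STARTTLS = (
    "250-mail.example-provider.test Hello\n"
    "250-SIZE 52428800\n"
    "250-STARTTLS\n"
    "250 8BITMIME\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.legacy-relay.test Hello\n"
    "250-SIZE 10240000\n"
    "250 8BITMIME\n"
)


def ehlo_extensions(ehlo_text: str) -> set:
    """Return the upper-cased SMTP extension keywords advertised in an EHLO reply.
    The first line is the server greeting, so it is skipped."""
    exts = set()
    for line in ehlo_text.splitlines()[1:]:
        # Continuation lines look like "250-KEYWORD params" or "250 KEYWORD".
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def may_send_phi(ehlo_text: str) -> bool:
    """Policy: ePHI may leave the organization only if the next hop offers STARTTLS.
    Sending anyway when it does not (opportunistic TLS) is the failure the article warns about."""
    return "STARTTLS" in ehlo_extensions(ehlo_text)


def check_next_hop(mx_host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (needs network): connect to an MX host, require STARTTLS in its
    EHLO reply, then confirm the TLS handshake succeeds with certificate validation."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)  # raises ssl.SSLError on handshake or cert failure
        smtp.ehlo()  # re-issue EHLO over the encrypted channel, as RFC 3207 requires
        return True
```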

HIPAA Violation Penalties

PHI breaches expose healthcare organizations to massive HIPAA non-compliance fines.

The matter came to a head when penalties for non-compliance under HIPAA regulations rose to $1.5M per incident.

The penalties for noncompliance are based on the level of negligence:

  • The organization violated a regulation without knowing it, and had a reasonable explanation for not knowing. In this case, penalties are $100 to $50,000 per incident.
  • The organization knew a violation took place but made immediate provisions for resolving it. In this case penalties are $1,000 to $50,000 per incident.
  • The organization acted with willful neglect but was able to correct the issue within 30 days. In this case penalties are $10,000 to $50,000 per incident.
  • The organization acted with willful neglect and failed to correct the issue. In this case, penalties are $50,000 per incident, up to $1.5 million.

In particular instances, violations can also carry criminal charges that can result in jail time.

HIPAA Violation Cases

Private practices are the most scrutinized by the Office for Civil Rights (OCR). A dermatology practice lost an unencrypted flash drive that contained personal health information. The group paid a $150,000 fine.

Keeping your data encrypted across the board, on both portable and stationary devices, is therefore not optional.

Another HIPAA violation case occurred when the Department of Health and Human Services fined Phoenix Cardiac Surgery $100,000 for using insecure email services that were not HIPAA compliant.

Stolen devices can result in fines too, as a HIPAA Privacy Rule violation.

In 2017, the OCR announced a $2.5 million settlement with CardioNet for alleged HIPAA violations after a laptop was stolen from a parked vehicle outside an employee's home. The laptop contained hundreds of patient medical records.

Looking back on what we’ve already covered, there is only one question left to ask.

How to Send a HIPAA Compliant Email? 

Encrypted email considerably reduces the risk of accidentally sending PHI over email.

Encrypted information will be accessible only to authorized recipients — and at the same time, it won’t be disclosed under any circumstances.

To communicate securely via email, StealthMail, the email security solution, provides advanced encryption algorithms that allow you to send HIPAA compliant emails inside and outside of your health institution. 

The Best HIPAA Compliant Email Solution

Not only does StealthMail ensure comprehensive security for personal health information through advanced encryption algorithms, it also gives you full control over the encryption keys together with granular access-rights settings for all employees:

  • HIPAA compliant emails: ePHI is protected in transfer, at rest and in use;
  • Exclusive control of encryption keys;
  • Control over access to content;
  • Seamless integration with Microsoft Outlook (installed as an Add-In);
  • Sensitive data never leaves the organization's secure perimeter; instead, a Stealth Link is sent;
  • Cryptanalysis-proof encryption algorithms;
  • End-to-end encryption (as only that guarantees you’re using a HIPAA compliant email solution);
  • The possibility to impose restrictions on replying, forwarding, copying, and screen recording of email content and attachments.

Meeting the HIPAA requirements and staying compliant is an easy task when done with StealthMail. For more information about solution performance, visit StealthMail.com, download the Technical Datasheet, or try a free trial of StealthMail.
