HIPAA email compliance: the how to guide

So, what is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a major piece of data privacy legislation that aims to secure (electronic) Protected Healthcare Information (PHI and ePHI) from fraud and data breaches. First instigated in 1996, it is a standard that all organizations that deal with PHI and ePHI must comply with.

Whether you’re directly dealing with patient health insurance details, financial information, sensitive personally identifiable data, or you’re a contractor, partner or supplier to an organization that does, it’s vital that you understand HIPAA and what you need to do to comply. Essentially, all organizations required to be HIPAA compliant must have physical, network and process security measures in place. These must be kept up to date and be carefully followed by all employees.

An important aspect of HIPAA compliance is preventing data breaches to PHI/ePHI that your organization stores and shares. As data is most likely to be leaked in transit (for instance, through a misdirected email or a plaintext message), it’s absolutely vital that your organization safely secures your email communication system. Otherwise, you’re at serious risk of not being HIPAA compliant and putting patient data at risk.

How can my organization become HIPAA email compliant?

Since changes to HIPAA legislation in 2013, using email to share ePHI both internally and externally has become more complex. Essentially, the updated HIPAA legislation now requires a higher degree of security than it did previously. This level of security is likely to require your organization to update and modernize its security processes and technologies.

Requirements for HIPAA email compliance include:

  • Emails containing ePHI to be secured (encrypted) in transit if they are sent outside of a firewall-protected network
  • Limited, password-controlled access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI
  • Ensuring appropriate storage and retrieval procedures are in place

Securing emails in transit

It’s important to make sure that emails containing sensitive information are handled securely both within your organization and outside it. This includes communication with your patients/clients, external partners and other third parties.

Securing emails in transit in compliance with HIPAA may include email encryption technology such as TLS (Transport Layer Security) or S/MIME protection. However, it’s worth noting that, used in isolation these security measures are not enough to keep ePHI secure. As such, maintaining HIPAA email compliance requires a more complete security procedure.

Applying secure email encryption

Encrypting your emails essentially means scrambling their contents so they can only be decoded by the recipient you intended to send the message to. This way, even if your email is intercepted, its contents can’t be read by anybody else. This is particularly important if your email contains sensitive information such as ePHI. In fact, secure encryption is a mandatory requirement of HIPAA email compliance.

Limiting access to shared equipment and secure networks

Both in the office and when working remotely, it’s important to make sure you keep shared networks secure. Depending on the size and nature of your organization, it may be necessary to restrict access to sections of your network (or even individual folders and files) to certain employees.

If equipment issued at work, such as laptops or mobile devices, can also be used for personal communication or working remotely, it’s important to make sure that sufficient security measures are employed. This may include additional staff training or more thorough protocols to ensure HIPAA compliance.

Removal, transfer and disposal of PHI and ePHI

HIPAA regulations state that when disposing of PHI stored on physical media (for instance, paper records), it’s vital that any identifiable or confidential data is totally destroyed. This can be done through shredding, incineration or other secure methods of safe data disposal.

The same stringent measures should be applied to digitally stored data and ePHI. Simply deleting a sent email or requesting a recipient doesn’t open a misdirected message isn’t enough. Instead, it’s important to invest in securely encrypted storage, and software that prevents misdirected emails can properly recall sent messages.

Secure storage and retrieval of ePHI

Just like with safe disposal, compliance with HIPAA includes the secure storage and retrieval of ePHI. Whether you choose to store emails and secure communications on-site or in the cloud-hosted data center, it’s important that encryption and advanced DLP is applied.

If your organization undergoes an audit by the Office for Civil Rights (OCR), it’s very important to be able to display that you can efficiently and safely retrieve emails containing ePHI.

What security does HIPAA compliant email software include?

HIPAA compliant email software works to prevent data breaches and secure ePHI. Egress Intelligent Email Security provides everything your organization requires in order to be HIPAA compliant.

  • Secure encryption to protect data from interception
  • Contextual machine learning and advanced DLP to prevent human-activated data breaches like misdirected emails
  • Ability to recall (retrieve) sent messages
  • Encryption in transit and at rest within the mailbox
  • Real-time analysis allowing your organization to stay on top of changing compliance laws

Stop email data leaks: Egress Prevent

Ensure HIPAA compliance procedures are met with Egress Prevent, our security software that uses contextual machine learning and advanced DLP technology to stop human-activated data breaches, including misdirected emails. With an unobtrusive user interface designed to encourage secure behavior, Egress Prevent helps stop misdirected emails and both accidental and intentional data breaches before they happen.

Secure encryption: Egress Protect

Egress Protect offers your organization’s employees simple, easy-to-use encryption that integrates directly into Outlook and Outlook Web Access. Encrypted emails and their attachments are impossible to be decoded by unintended recipients, removing the risk of an ePHI data breach in-transit.

Additionally, Egress Protect also offers email recall and access revocation. This means that emails and attachments accidentally sent to the wrong recipient can be controlled remotely, preventing viewing from users without appropriate access rights.

With secure encryption being directly recommended by the OCR, it’s vital that it is implemented by your organization in order to be compliant with HIPAA regulation.

Ensure constant HIPAA compliance: Egress Investigate

Egress Investigate is our eDiscovery software solution. It delivers time-saving reporting and analytics across your whole email network, enabling your organization to effectively measure risk, prevent security breaches and comply with HIPAA regulations – including those governing the secure storage and retrieval of ePHI.

What are the consequences my organization faces for not being HIPAA compliant?

The consequences of not being HIPAA compliant could be very severe for any organization that suffers a data breach or undergoes an audit by the OCR. While the most obvious risk is a fine, your organization could also suffer a serious loss in patient trust, professional reputation or even criminal charges.

Currently, the OCR is taking a slightly more lenient approach to HIPAA compliance breaches owing to the COVID-19 pandemic. However, this is a temporary reprieve and there is still a lot at risk for any organization handling PHI and ePHI.

In terms of financial punishments, penalties for not being HIPAA compliant are issued by the OCR and the Department of Health. These bodies carefully consider the nature of the violation and can issue a fine based on a four-tiered system. The most serious breaches may be punished by up to a $1.5m total fine per year.

Potentially more serious than a one-time financial punishment is the loss in patient trust and professional reputation your organization could suffer following a data breach. The national and international press treat PHI and ePHI security very seriously, meaning you’re likely to face negative news stories and a difficult exercise in public relations. Rebuilding a brand after a breach can take a long time and prove very expensive. Where clients can easily transfer their relationships to other providers, you also face the ongoing financial repercussion of customer churn.

Most concerning of all is the potential for legal proceedings. Though this may only affect the most serious of breaches, it is still definitely something to be wary of. Again, this is likely to attract negative press attention and may even require your organization to cease operations.

Taking all this into account, it’s vital that your organization treats HIPAA email compliance as an absolute necessity. Being a complex, constantly-evolving standard can mean it’s hard to stay on top of HIPAA compliance – which is why a solution such as Egress Intelligent Email Security is so valuable, ensuring compliance and preventing data breaches across your network, every day.

Related articles