HIPAA Email Encryption

6th Jan 2021

What is HIPAA Email Encryption

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to put in place national standards for electronic health transactions and related security. As electronic communication became more commonplace, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

HIPAA is about keeping medical data safe. The law defines Protected Health Information (PHI) as identifiable health information that can be used, stored or transmitted by HIPAA-covered entities or their associates in the provision of healthcare or payment for these services. These entities include healthcare providers, insurers and clearinghouses.

The Privacy Rule is included in this Federal law, and provides patients with rights over their health information, as well as setting rules and limits on who can look at this information. This rule applies to all forms of individuals' PHI, whether electronic, written, or spoken (oral).

Another relevant rule covered by the Federal law is the Security Rule, which requires security for PHI in electronic (e-) form. This includes addressable standards for data at rest and for data sent over email. Companies and organizations covered by HIPAA will typically want to communicate with patients’ family members or caregivers about treatment options or progression, gather information about mental health or prior treatment, or even talk to law enforcement in some extreme circumstances. Encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for HIPAA-compliant email. That means encryption is not strictly ‘required,’ but it does not mean encryption can be ignored: covered entities must consider encryption and, if the decision is taken not to use it, implement an alternative, equivalent safeguard. That applies to data at rest and data in transit. Emails containing PHI must be secured when sent outside the firewall of a protected network, which creates the need for HIPAA compliant email encryption.

HIPAA email encryption requirements

Since HIPAA was first passed in 1996, email has grown to become the dominant form of communication for businesses and people. Organizations need to share PHI outside of their firewall, and in doing so must ensure they are meeting exacting standards of security.

The Security Rule distinguishes between “required” and “addressable” specifications, with addressable specifications included to offer some flexibility to the organization when implementing security. This was a forward-thinking approach to regulation that acknowledged Moore’s Law and the ongoing advancement of technology, and preferred standards to rigid legislation. It allows the organization to decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework, but this decision must be documented in writing, including the reasoning behind the decision.

Because email encryption is an addressable standard, organizations are given the choice of whether or not to include it. But the risks associated with email are too high to justify any decision not to prioritize HIPAA-compliant email encryption. PHI data is valuable to attackers, and bad actors can target email communication in several different ways. Some can intercept unencrypted email using man-in-the-middle attacks, stealing data in a way that is difficult to detect. There is also the issue of human error, where mistakes by employees can cause them to accidentally expose PHI over email by something as simple as misspelling an email address.

Many HIPAA-covered organizations use cloud-based email such as Outlook on Microsoft 365 or Google Mail. Among other benefits, cloud-hosted email allows them to scale easily, reduces maintenance and downtime, and simplifies the process of creating backups. There are, however, security gaps and risks that need to be addressed within cloud-hosted email platforms for organizations to remain HIPAA compliant. Platforms like Microsoft 365 and Google Mail can offer some encryption options, but typically these are one-size-fits-all and difficult for administrators to customize. Neither platform can mitigate human error on email, for example misdirected emails, or provide an easy way to revoke access to (recall) emails shared in error.

Transport Layer Security (TLS) provides encryption for emails in transit, which protects against man-in-the-middle attacks, electronic eavesdropping, and interception while data is being shared over the internet, thereby helping organizations remain HIPAA compliant. TLS, however, only works if both email servers are configured properly, and is therefore commonly used between organizations that regularly communicate with each other. It isn’t suitable for communication with individuals and, often, smaller organizations. TLS also doesn’t provide encryption for data at rest within recipients’ mailboxes, which is required by HIPAA. Consequently, the sender has to trust that the recipient has the correct technical controls and security measures in place to protect PHI stored within their mailboxes.

Message-level email encryption offers more secure protection against email security risks, which in turn makes it more suitable for protecting PHI. Message-level email encryption can be used to protect data in transit and at rest in a recipient’s mailbox, providing greater assurance for the protection of PHI and HIPAA compliance. It can also be used to enforce controls over shared data by the sender, for example preventing emails and attachments from being printed or forwarded to someone else without the original sender’s permission. As message-level email encryption protects each individual email sent, not just the transport layer, it can also be used to revoke access to (recall) emails, even after they have been sent. This method for email encryption can consequently provide better assurances to organizations that PHI shared by email is being handled in a HIPAA-compliant manner. Organizations that are governed by HIPAA and use email to contact patients and their families should consider end-to-end encryption for all communications, rather than instituting separate methods of email security at scale.
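To make the contrast between transport-only protection and message-level encryption concrete, here is an added Python example written for this page; it is not Egress code and not part of the original article. It models two recipient mailboxes: one receives a message that was protected only by TLS on the hop between servers, the other receives a message encrypted before it left the sender, with the per-message key held by a sender-side key service, so that recalling the message means deleting its key. The cipher is a stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) chosen so the example runs on the standard library alone; a real product would use AES-GCM or S/MIME/OpenPGP. The class names, message ids and message body are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode (a real system would use AES-GCM)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_message(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_message(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; any alteration or wrong key is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyService:
    """Sender-side key registry (constructed): one key per message id; recall deletes the key."""

    def __init__(self):
        self._keys = {}

    def issue(self, msg_id: str) -> bytes:
        self._keys[msg_id] = secrets.token_bytes(32)
        return self._keys[msg_id]

    def fetch(self, msg_id: str):
        return self._keys.get(msg_id)

    def revoke(self, msg_id: str) -> None:
        self._keys.pop(msg_id, None)


class Mailbox:
    """What the recipient's mail store holds at rest, keyed by message id."""

    def __init__(self):
        self.store = {}


def send_transport_only(box: Mailbox, msg_id: str, body: bytes) -> None:
    # TLS protects the hop between servers; the copy that lands in the store is plaintext.
    box.store[msg_id] = body


def send_message_level(keys: KeyService, box: Mailbox, msg_id: str, body: bytes) -> None:
    # The body is encrypted before it leaves the sender; the store only ever holds ciphertext.
    box.store[msg_id] = encrypt_message(keys.issue(msg_id), body)


def read_message_level(keys: KeyService, box: Mailbox, msg_id: str):
    # Reading requires the key; once the sender has revoked it, the stored copy is unreadable.
    key = keys.fetch(msg_id)
    return None if key is None else decrypt_message(key, box.store[msg_id])


def demo() -> dict:
    body = b"Constructed example: patient MRN 000000, treatment plan attached."
    plain_box, enc_box, keys = Mailbox(), Mailbox(), KeyService()
    send_transport_only(plain_box, "msg-1", body)
    send_message_level(keys, enc_box, "msg-1", body)
    readable = read_message_level(keys, enc_box, "msg-1") == body
    keys.revoke("msg-1")  # the sender recalls the message after it has been delivered
    return {
        "transport_store_exposes_phi": body in plain_box.store["msg-1"],
        "message_store_exposes_phi": body in enc_box.store["msg-1"],
        "readable_before_recall": readable,
        "readable_after_recall": read_message_level(keys, enc_box, "msg-1") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the text relies on: the transport-only mailbox holds PHI in the clear at rest, while the message-level mailbox holds only ciphertext, and after the sender revokes the key the recipient can no longer open the message even though the stored copy was never touched. The same key-service design is what lets a sender attach controls such as "no forwarding": a recipient who is not issued the key cannot read the body.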

Office 365 HIPAA email encryption

In recent years Microsoft announced Office Message Encryption (OME) for its cloud email service, making it easier for users to communicate safely. This was a considerable step towards improving cybersecurity at scale, and a positive development. When it comes to the higher standards of security required by HIPAA, however, organizations require a solution that is easier to use for senders, recipients and administrators alike, and that consequently assures that all PHI is protected.

Guaranteeing HIPAA compliance with OME requires that the sender’s IT team obtains a signed Business Associate Agreement (BAA) with Microsoft, and sets up access controls, data backups, single sign-on and two-factor authentication, as well as maintaining audit logs. It requires a significant upfront investment as well as constant upkeep and training. All email data loss prevention (DLP) rules require administrative configuration, and it’s difficult and sometimes impossible for senders to carry out certain actions, such as revoking sent items. In practice this tends to negate the benefits of cloud email around scalability, ease of use and reduction in maintenance on the part of the user’s IT team. Additionally, OME is known for creating friction for its senders and recipients.

One alternative is Egress Protect, which we built to be highly scalable and usable, as well as provide compliance with regulations like HIPAA. Protect can be implemented across your entire organization quickly and effectively, with a plug-in for Microsoft Outlook that makes it easy for senders to encrypt emails. The solution also offers gateway encryption based on policy libraries, to mitigate human error. Emails can be accessed and encrypted on all mobile devices. Recipients are given free access to the service, and can download our Outlook plug-in and mobile apps free of charge to make their experience easier. We also use machine learning to further reduce recipient friction as part of our Smart Authentication.

The features included in Egress Protect more than meet the requirements of HIPAA compliant email encryption. The end-to-end encryption offered by the product is a much higher standard than common methods of email encryption such as TLS, and features such as encrypted data at rest go the extra mile towards satisfying HIPAA’s stringent security standards. Every email provides a detailed audit log for improved security, which can be accessed by both senders and administrators; the product also supports real-time email recall by senders and administrators, as well as the ability to prevent actions such as email forwarding and printing.

Why is HIPAA important?

The growth in cybercrime in recent years and privacy concerns about sensitive information has shown that HIPAA was an insightful and necessary piece of legislation, which set positive standards when passed more than two decades ago. It has held up well since then and has done an admirable job of protecting patients’ welfare and wellbeing. By standardizing these requirements across the healthcare industry, it has enforced a benchmark for best practice that is consumer friendly and makes healthcare among the most secure industries in the US.

PHI is highly sensitive and valuable data. Its loss can cause significant repercussions for the data subjects, including mental anguish and fraud, which is further compounded by the personal and financial details that are often shared in association with PHI. HIPAA is therefore highly important as a mechanism to protect data subjects from breaches of their information. As well as inadvertent data loss by employees, PHI makes healthcare organizations a regular target for cybercriminals.

Implementing HIPAA-compliant email encryption is therefore best practice even aside from the regulatory requirement. Some organizations complying with HIPAA may also need to comply with data regulation such as the California Consumer Privacy Act or the EU’s General Data Protection Regulation. Ensuring compliance to the high standards required by HIPAA goes a long way towards reaching best practice in data security and privacy, which helps compliance more broadly. Data regulation is gradually becoming stricter across the globe, so ensuring HIPAA compliance positions organizations well for any further tightening of privacy and security law domestically and internationally.

Most common HIPAA violations

HIPAA has been a feature of health data security for decades now, so it is worth examining where breaches are occurring and how patients’ data is being put at risk. One surprising finding is that, even though email has been in widespread use for as long as HIPAA has existed, email causes by far the highest number of regulatory breaches. In 2019 some 39% of HIPAA breaches came from email, and this number has remained steady with 37% of 2020 breaches coming from email.

A quick glance at the list of active HIPAA cases shows that electronic records represent the main source of vulnerability. This is also backed up by looking through the archive of cases. But the risk of violations is not entirely confined to email, as insecure network servers also represent a major source of breaches, accidentally exposing information in some cases or being vulnerable to hackers in others. Losing unencrypted hard drives and portable devices is an issue, as is misplacing paper-based records and folders. Finally, best practice regarding disposal of electronic devices and paper records remains important to HIPAA compliance. Just because security best practice hasn’t changed in several decades does not mean compliance has become standard.

While compliance and best practice can be wide-ranging, it is also important to be strategic and consider the largest sources of risk. Electronic records represent the most valuable target for hackers and this is an area all healthcare providers need to account for. Data security is a core function for healthcare providers that needs to be put at the center of the company strategy, and email remains the most important vector to secure.

What happens if I violate the HIPAA conditions

Despite HIPAA being an established regulation that healthcare providers are highly familiar with, compliance violations have been increasing in recent years. It is also interesting to note that electronic breaches are increasing as a share of total breaches. This can be attributed to electronic communications becoming even more ubiquitous and hackers recognizing the monetary value of PHI as a target, as well as the technical challenges that companies face to ensure compliance across all processes and communications.

Penalties for violation of HIPAA fall into four tiers, based on the organization’s level of perceived neglect at the time of the violation. Where the organization “did not know and could not have known” of a breach it falls under the first tier, which leads to a fine of $100-$50,000 per incident up to a maximum of $25,000 in any calendar year. Where the organization “knew, or by exercising reasonable diligence would have known” of the violation it falls under tier two and the associated fine ranges from $1,000-$50,000, with a maximum annual fine cap of $100,000. A tier three violation takes place when the organization is deemed to have acted “with willful neglect” but corrected the problem within a 30-day period; these can cost $10,000-$50,000 per incident up to $250,000 per year. The fourth tier covers organizations that acted with willful neglect and did not make a correction, costing $50,000 per incident for a total of up to $1.5 million.

As well as the fines associated with HIPAA, violations create legal liability, as patients may choose to take lawsuits against an organization for losing their data. If there are a large number of records lost then this can even lead to class action lawsuits, which can be drawn out and costly for the defendant. Breaches will also attract the attention of journalists and bloggers, which can significantly harm the reputation of the organization that breached HIPAA regulation. This in turn could lead to customers switching providers, and reduce the number of new customers signing on. All these negatively affect the organization’s bottom line.

Sending a HIPAA compliant email with Egress

Egress Protect can be used via its Outlook plug-in and web reader, and on iOS and Android devices.

In the Outlook plug-in and web reader application, simply click to start a new email message. Compose your email message as normal, adding all recipients and any attachments that need to be included. Then, use the dropdown to select the level of encryption you want to apply to your email message. After that, simply hit “Send” to send your email encrypted and HIPAA-compliant to all recipients.

On a mobile device, you will need to download and open our iOS or Android app. Once you have done this, simply click the compose icon and write your email as you would normally, adding all recipients and any attachments you want to share. Depending on your organization’s encryption policy, you will be asked to select the level of encryption you want to apply to your email message. You can then hit “Send” to share the email and attachments in a HIPAA-compliant way.

Egress can also apply encryption at the email gateway based on organizational policies, for example, auto-encrypting emails that contain PHI. This reduces the risk to PHI further and can be utilized in tandem with our Outlook plug-in.
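As an added illustration of policy-based gateway encryption, here is a small Python gateway filter written for this page; it is example code, not Egress’s product or its policy library. It parses each RFC 5322 message, scans the subject and every text part (attachments included) for a handful of PHI indicators, checks whether any recipient is outside the organization’s own domain, and decides whether the message may be delivered as-is or must be handed off to message-level encryption before it leaves the network. The domain clinic.example, the indicator patterns and the three sample messages are all constructed assumptions; a production DLP rule set would be far broader.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed sending organisation (constructed for this example).
INTERNAL_DOMAIN = "clinic.example"

# A minimal set of PHI indicators; real DLP libraries add ICD codes, NPI numbers, dictionaries, etc.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "clinical": re.compile(
        r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)|lab results?|treatment plan)\b", re.IGNORECASE
    ),
}


def scannable_text(msg: Message) -> str:
    """Subject plus the decoded content of every text/* part, so text attachments are scanned too."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phi_indicators(msg: Message) -> list:
    """Names of the PHI patterns that match anywhere in the scannable text."""
    text = scannable_text(msg)
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def external_recipients(msg: Message) -> list:
    """Recipients (To and Cc) whose address is not in the organisation's own domain."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(addr for _, addr in pairs if not addr.lower().endswith("@" + INTERNAL_DOMAIN))


def gateway_decision(raw_message: str) -> dict:
    """Policy: any PHI addressed outside the organisation is encrypted at message level."""
    msg = message_from_string(raw_message)
    indicators = phi_indicators(msg)
    external = external_recipients(msg)
    action = "encrypt" if indicators and external else "deliver"
    return {"action": action, "indicators": indicators, "external": external}


# Constructed sample messages.
SAMPLE_INTERNAL = """\
From: admin@clinic.example
To: staff-all@clinic.example
Subject: Parking lot closure on Friday

The north parking lot is closed on Friday for resurfacing.
"""

SAMPLE_EXTERNAL_PHI = """\
From: dr.smith@clinic.example
To: patient@mail.example
Subject: Your lab results

Your lab results are back. Reference on file: SSN 123-45-6789.
"""

SAMPLE_WITH_ATTACHMENT = """\
From: nurse@clinic.example
To: Family Member <family@mail.example>
Subject: Discharge summary
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the discharge summary attached.
--b1
Content-Type: text/csv; name="summary.csv"
Content-Disposition: attachment; filename="summary.csv"

name,mrn,note
Constructed Patient,MRN 00012345,treatment plan reviewed
--b1--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_EXTERNAL_PHI, SAMPLE_WITH_ATTACHMENT):
        print(gateway_decision(raw))
```

The decision is made from the whole message, not just the body, which is why the third sample is flagged even though its visible text is harmless: the PHI sits in the CSV attachment. Running the filter at the gateway also catches the misdirected-email case the article describes, because the check keys off the actual recipient addresses rather than the sender’s intent.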