With medical and healthcare-related data breaches at an all-time high, organizations are well-advised to prioritize their security efforts to minimize the risk of data theft and exposure. Of course, protecting patients' privacy and well-being should always be the primary objective. However, strong security controls also clearly impact the bottom line, as the average cost per healthcare breach is now a staggering $9.42 million (also an all-time high).
These costs may include penalties for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the US federal law whose Privacy, Security and Breach Notification Rules set binding requirements for protecting patient data and privacy. This article outlines HIPAA's relationship to email, one of the most common cyber-attack vectors, and discusses the requirements for creating HIPAA-compliant emails.
What is HIPAA?
The US Congress enacted HIPAA in 1996 to establish a standard for protecting sensitive patient medical and healthcare-related data. This data, referred to as protected health information (PHI), is individually identifiable health information: health, treatment or payment data that is linked, or can reasonably be linked, to a specific person through identifiers such as names, addresses, phone numbers, Social Security numbers, medical record numbers, dates of birth and biometric identifiers. PHI held or sent in electronic form, including in email, is electronic PHI (ePHI).
Administered and enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), HIPAA requires the organizations it covers (covered entities and their business associates, defined below) to follow a set of specific administrative, physical and technical safeguards for ensuring the protection and security of PHI.
Why is it needed?
HIPAA receives credit for helping to modernize healthcare data workflows and how they are protected from fraud and theft. Notably, its creation predates cloud computing and most of today's web, which is why the Security Rule is written in technology-neutral terms rather than naming specific products or protocols.
HIPAA is more relevant and crucial than ever — before the pandemic, medical and healthcare-related data breaches were already on the rise year-over-year. COVID-19 exacerbated this alarming trend by triggering the massive shift from office to home offices and "bring your own device" (BYOD) scenarios. HIPAA serves the ongoing, crucial role of aligning the commercial interest of medical/healthcare organizations with the privacy needs of clients and patients.
Who does it impact?
Per HIPAA, all organizations that create, receive, maintain or transmit PHI must implement appropriate data security controls and privacy measures. Specifically, HIPAA compliance requirements apply to the following parties:
- Covered entities: HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with treatment, billing/payment, and operations. Common examples include hospitals, clinics, pharmacies and health insurers.
- Business associates: HIPAA's definition of a business associate is any organization that handles PHI as part of a function it is contracted to perform on behalf of a covered entity. This category is quite broad, covering billing companies, practice management consultants, attorneys, accountants, IT and software providers, cloud and email service providers, and document shredding companies. A business associate must sign a business associate agreement (BAA) with the covered entity before it handles PHI.
- Subcontractors: since the 2013 Omnibus Rule, a subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate is itself a business associate, so the same obligations flow down the whole chain of agents and vendors that may encounter PHI.
HIPAA's Security Rule applies to ePHI wherever it is stored or sent, so emails used in medical and healthcare settings must meet the same safeguards as any other system holding patient data: they must protect the confidentiality, integrity and availability of ePHI. Though not exhaustive, the following list describes examples of crucial measures organizations can follow to meet HIPAA compliance requirements for email.
Implement end-to-end email encryption
The Security Rule lists encryption of ePHI, both in transit and at rest (e.g., stored messages and archives), as an "addressable" specification: an organization must either implement it or document why an equivalent alternative is reasonable and appropriate. In practice, because email normally leaves the organization's network and lands in mailboxes it does not control, encrypting messages that carry PHI end to end is the only defensible answer, and OCR treats unencrypted email as a breach risk. However, satisfying this requirement alone does not make the email HIPAA compliant; it must be paired with a BAA, access controls, audit logging and the policies described below. Fortunately, many third-party offerings cover the encryption requirement.
Develop email use policies and guidelines for staff
Employees who regularly encounter electronic PHI should undergo proper training on securely using email in a healthcare setting. However, healthcare is a busy, stressful environment and employees are only human. Mistakes over email can and will happen. Cybersecurity training has its place, but intelligent data loss prevention tools are needed as a vital safety net to protect both organizations and employees.
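The "safety net" described above, in a form an engineer can reason about: an outbound gate that inspects a message before the mail server relays it, looks for common PHI identifiers, and refuses to send unencrypted PHI to addresses outside the organization. This is an added illustration, not code from the original article and not Egress Protect or any other vendor's product. The organization domain (clinic.example), the detection patterns, and the sample messages are all constructed assumptions; a real DLP engine uses far richer classifiers, but the decision logic is the same.

```python
"""
Minimal outbound DLP gate for e-mail that may carry ePHI (added example).

Assumptions (constructed, not from the article):
  * The covered entity's own domain is clinic.example.
  * PHI is detected with simple regexes for SSN, MRN, date of birth and
    a few clinical keywords.
  * A message counts as already encrypted if its top-level MIME type is
    S/MIME enveloped data (application/pkcs7-mime) or PGP/MIME
    (multipart/encrypted with protocol application/pgp-encrypted).
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAINS = {"clinic.example"}  # assumption: the organization's domain

# Constructed detectors for common PHI identifiers.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "clinical": re.compile(r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)|lab results?)\b", re.IGNORECASE),
}


def recipient_addresses(msg: Message) -> list[str]:
    """All addresses from To, Cc and Bcc, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def external_recipients(msg: Message) -> list[str]:
    """Recipients whose domain is not one of ours."""
    return [a for a in recipient_addresses(msg) if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def is_encrypted(msg: Message) -> bool:
    """True if the message body is S/MIME or PGP/MIME ciphertext."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        return True
    return ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted"


def phi_findings(msg: Message) -> list[str]:
    """Names of PHI patterns found in the subject and every text/plain part."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(chunks)
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def evaluate(raw_message: str) -> tuple[str, list[str]]:
    """Return ("allow" | "block", findings) for one outbound message."""
    msg = message_from_string(raw_message)
    if is_encrypted(msg):
        return "allow", []            # ciphertext: nothing to inspect, nothing to leak
    findings = phi_findings(msg)
    if not findings or not external_recipients(msg):
        return "allow", findings      # no PHI, or PHI staying inside the organization
    return "block", findings          # plaintext PHI leaving the organization


# Constructed sample messages.
PLAINTEXT_EXTERNAL = """From: nurse@clinic.example
To: Pat Smith <pat.smith@example.net>
Subject: Lab results
Content-Type: text/plain; charset=utf-8

Hi Pat, your MRN 00123456 lab results are attached. DOB 03/14/1980.
"""

SMIME_EXTERNAL = """From: nurse@clinic.example
To: pat.smith@example.net
Subject: Lab results
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEA
"""

INTERNAL_ONLY = """From: nurse@clinic.example
To: doctor@clinic.example
Subject: Chart note
Content-Type: text/plain; charset=utf-8

Patient MRN 00123456 was prescribed a new dose today.
"""

if __name__ == "__main__":
    for label, raw in [("plaintext to external", PLAINTEXT_EXTERNAL),
                       ("S/MIME to external", SMIME_EXTERNAL),
                       ("plaintext internal", INTERNAL_ONLY)]:
        print(label, "->", evaluate(raw))
```

In a real deployment this check sits in the submission path (a milter or a gateway rule) rather than on the user's desktop, so that a tired clinician's mistake is caught before the message leaves; the "block" outcome should route the message through the encryption gateway or bounce it with an explanation, and every finding, including internal ones, should be logged for the audit trail that the retention rules below depend on.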
Retain all emails
Covered entities should maintain a readily accessible archive and backup of emails so they can respond when a patient or client requests an accounting of PHI disclosures, which HIPAA lets individuals demand for the preceding six years. Separately, the Security Rule requires covered entities and business associates to retain their policies, procedures and other compliance documentation for six years from the date created or last in effect; emails that form part of that documentation (security incident records, risk assessments, policy approvals) fall under the same retention period. Medical record retention itself is governed by state law and often runs longer.
Consult the professionals
Organizations should consult the appropriate legal professionals to help understand and draft documentation related to HIPAA compliance efforts when in doubt. An attorney with knowledge of both federal and state laws regarding electronic PHI and privacy can provide expert guidance on how to best comply with both HIPAA and local legislation.
Solutions for creating HIPAA compliant emails
Data security, privacy, and HIPAA compliance can make email implementation efforts a complicated affair for IT staff, regardless of whether email services are cloud-based or delivered via on-premises email servers. Specialized HIPAA compliant email and data encryption software can significantly reduce the management complexity and staff time-to-productivity associated with achieving and maintaining a HIPAA compliant posture.
In short, practical measures to protect PHI should be at the heart of every medical and healthcare organization's data management program, as both a matter of proper data ethics and compliance. Unfortunately, compliance requirements, like the deployment of secure encrypted emails, pose a challenge for many medical and healthcare organizations. In these scenarios, solutions such as Egress Protect can provide built-in HIPAA compliance.
Are secure emails HIPAA compliant?
Not automatically. Encryption is one required safeguard, but HIPAA compliance also covers how an email containing PHI is handled throughout its lifecycle: who is authorized to send and read it, whether access is logged, whether the provider has signed a BAA, and how the message is stored, archived and eventually disposed of. A "secure" email product addresses the transport and storage piece; the organization still owns the rest.
Is Gmail encryption HIPAA compliant?
Free Gmail is a consumer service for personal use; Google does not sign a BAA for it, so it cannot be used for PHI. Google customers may instead opt for the subscription-based Google Workspace (formerly G Suite) email service, which includes the business associate agreement (BAA) that HIPAA requires before a provider may handle PHI. Out of the box, Gmail in either form encrypts mail with TLS in transit and encrypts it at rest on Google's servers, which is not end-to-end: Google and anyone who compromises the mailbox can read the content. Organizations that need message-level encryption therefore rely on S/MIME or a third-party encryption service for emails that carry PHI.
Which email service is HIPAA compliant?
Any email provider offering a paid-for service with a BAA (e.g., Google Workspace business email, Outlook as part of an enterprise Microsoft 365 subscription) can form part of a HIPAA-compliant deployment. However, other critical prerequisites such as message-level encryption, access controls and audit logging are also necessary to round out the organization's compliance posture, and message-level encryption is typically layered on through a specialized third-party service or an add-on to the platform.