Failing to understand the HIPAA email encryption requirements could easily result in the impermissible disclosure of protected health information (PHI) and that could land the organization with a significant HIPAA fine for noncompliance. A lack of understanding or unawareness of the HIPAA email encryption requirements will not prevent regulators from imposing financial penalties for impermissible PHI disclosures. All HIPAA-regulated entities are obliged to comply with all aspects of the HIPAA Rules and must ensure they understand exactly what compliance means. In this article, we provide a summary of the HIPAA email encryption requirements and explain when encryption for email is required.
Do I Need to Encrypt Emails for HIPAA Compliance?
The HIPAA Security Rule calls for safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Encryption is an addressable implementation specification, meaning the Rule allows a degree of flexibility in how ePHI is protected. Encryption itself is not mandatory, but addressing the specification is. If an alternative safeguard is implemented that provides a level of protection equivalent to encryption, it is acceptable to use that safeguard in place of encryption, provided the decision not to encrypt is documented and the reasons supporting that decision are recorded in your compliance documentation.
Email is not a secure method of communication, at least not by default. A password may be required to access a mailbox, but even if robust authentication is set up by both the sender and the recipient, email is still not secure, because messages must travel from one mail server to another and are, by default, transmitted in plain text. If an email is intercepted in transit, anything in the message body and attached files can be read and even tampered with.
When emails are encrypted, an intercepted message is indecipherable to whoever intercepts it. With end-to-end encryption, the recipient must also authenticate before the message can be read; if authentication fails, the message is not decrypted. The HIPAA email encryption requirements apply to emails sent over an open network. Email that stays internal and never passes beyond the protection of the firewall does not need to be encrypted, and encryption is not required for any communication, to any recipient, if the email contains no ePHI.
The Easy Way to Comply with the HIPAA Email Encryption Requirements
Setting up email encryption can be a challenge, especially for smaller organizations without an in-house IT department, but it need not be difficult. The easiest way to meet the HIPAA email encryption requirements is to use an email encryption solution from a cloud service provider such as TitanHQ.
EncryptTitan makes it easy for organizations to meet their compliance requirements and ensure all sensitive information is protected in transit. The cloud-based solution uses TLS-based encryption to secure emails between mail servers and can enforce authentication so that only the intended recipient can view messages. Encryption can be enabled for all outbound email, or a keyword-based policy can be set so that emails are automatically encrypted when certain keywords, such as "protected health information", are detected. An Outlook plugin also lets the sender encrypt a message with a single click. Unlike many email encryption solutions, EncryptTitan works with any email environment: the recipient does not need to have any software installed to view encrypted messages.
For more information on encrypting email, give the TitanHQ team a call. The solution is also available on a free 14-day trial so you can evaluate it in your own environment before deciding whether to purchase.