HIPAA Compliance: Email Encryption Obligations

The HIPAA compliance email encryption requirements can be confusing. The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996, at a time when patient information was mostly recorded on paper. As health information started to be recorded in digital form, new requirements had to be introduced, in the form of the HIPAA Security Rule, to ensure that electronic health information was appropriately protected. The HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Encryption of ePHI, both at rest and in transit, is one of the Security Rule's implementation specifications; it is classed as "addressable" rather than "required", which is the source of much of the confusion.

Encryption scrambles data so that it cannot be read by anyone who intercepts it. An algorithm converts plaintext into indecipherable ciphertext, and the ciphertext can only be converted back to its original form with the correct cryptographic key. Who holds that key depends on how email encryption is deployed: with transport encryption (TLS between mail servers) the keys are held by the sending and receiving servers, whereas with end-to-end encryption only the sender and the intended recipient(s) can decrypt the message. Because encryption is an addressable specification, HIPAA requires covered entities to implement it for ePHI wherever doing so is reasonable and appropriate, or to implement an alternative measure that provides an equivalent level of protection. If the decision is made not to encrypt ePHI, the reasons for that decision and the alternative safeguards in place must be documented, to demonstrate that this aspect of HIPAA compliance has not simply been overlooked.

HIPAA Compliance and Email Encryption

The HIPAA compliance email encryption requirements only apply to ePHI. There are no restrictions placed on emails that do not contain any ePHI. To determine whether emails need to be encrypted, HIPAA-covered entities should conduct a risk analysis to identify the potential risks to ePHI sent by email. Those risks must then be subject to a risk management process and reduced to a reasonable and appropriate level.

If emails are to be sent that contain ePHI, either in the message body or in attachments, encryption is only required if alternative methods of protecting the information against unauthorized access are not in place. For instance, if a healthcare professional emails another member of the care team and the message only travels internally, never passes beyond the protection of the firewall, and appropriate authentication controls ensure that only the intended recipient can view it, those protections may be judged sufficient, provided the risk analysis supports that conclusion. In such cases, the HIPAA-covered entity should document the decision not to encrypt internal emails in its compliance documentation and list the measures in place that provide a level of protection equivalent to encryption.

If emails containing ePHI are sent externally or otherwise pass beyond the protection of the firewall, then encryption is required, because there is a risk that the emails could be intercepted and read by unauthorized individuals while in transit. For HIPAA compliance, email encryption is a must whenever emails containing ePHI are sent over an open network.

How to Implement Email Encryption

The easiest way to implement email encryption for HIPAA compliance is to use a third-party email encryption solution from a cloud-based service provider such as TitanHQ, and to configure the solution to encrypt all emails sent externally. This eliminates the potential for human error, but it may not be practical for every organization. An alternative is to use a plugin for your email client that allows employees to decide whether an email needs to be encrypted. The user is then prompted whether to encrypt the message when they send it, and can leave standard communications that contain no ePHI unencrypted while encrypting sensitive messages with a single mouse click. Relying on users alone is risky, however, since a single overlooked message is a potential breach. TitanHQ's email encryption solution, EncryptTitan, therefore also supports keyword-based encryption: all outgoing emails are scanned for keywords that indicate ePHI, and messages are automatically encrypted if ePHI is identified.
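The two decisions described above, whether a message leaves the internal network and whether its content looks like ePHI, can be expressed as a small outbound-mail policy. The following is an added illustrative example written for this page; it is not EncryptTitan's code or any vendor's implementation. The internal domain list, the ePHI keyword list and the identifier patterns (an MRN-like token and a US SSN layout) are constructed placeholders that a covered entity would replace with the output of its own risk analysis, and the sample messages are constructed for the demonstration.

```python
"""Outbound-mail encryption policy check.

Added example, not vendor code. Decides whether an outgoing message must be
encrypted by combining two tests from the text above: does the message leave
the internal network, and does its content contain ePHI indicators.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed internal domain(s); mail staying within these never crosses the firewall.
INTERNAL_DOMAINS = {"example-health.org"}

# Assumed keyword list a risk analysis might flag as likely ePHI.
EPHI_KEYWORDS = ("diagnosis", "medical record", "patient", "lab results", "prescription")

# Assumed identifier formats: an MRN-like token and a US SSN layout.
EPHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def recipient_domains(msg):
    """Lower-cased domains of every To/Cc/Bcc address on the message."""
    raw = [msg.get(h, "") for h in ("To", "Cc", "Bcc")]
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(raw) if "@" in addr}


def leaves_internal_network(msg):
    """True if any recipient is outside the internal domains."""
    return any(d not in INTERNAL_DOMAINS for d in recipient_domains(msg))


def scannable_text(msg):
    """Subject, every text/* body part and every attachment filename."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            chunks.append(filename)
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def ephi_indicators(text):
    """List of matched keywords and identifier patterns, e.g. ['pattern:mrn']."""
    found = []
    lowered = text.lower()
    for keyword in EPHI_KEYWORDS:
        if keyword in lowered:
            found.append(f"keyword:{keyword}")
    for name, pattern in EPHI_PATTERNS.items():
        if pattern.search(text):
            found.append(f"pattern:{name}")
    return found


def encryption_decision(msg, encrypt_all_external=False):
    """Apply the policy: external + ePHI indicators => encrypt.

    encrypt_all_external models the simpler 'encrypt everything that leaves
    the organisation' configuration, which removes the human-error factor.
    """
    external = leaves_internal_network(msg)
    indicators = ephi_indicators(scannable_text(msg))
    if not external:
        reason = "internal only; covered by documented equivalent controls"
        encrypt = False
    elif encrypt_all_external:
        reason = "policy: encrypt all external mail"
        encrypt = True
    elif indicators:
        reason = "ePHI indicators found in mail leaving the network"
        encrypt = True
    else:
        reason = "external mail with no ePHI indicators"
        encrypt = False
    return {"encrypt": encrypt, "external": external,
            "indicators": indicators, "reason": reason}


def build_message(sender, to, subject, body, attachment_name=None):
    """Construct a sample message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg


if __name__ == "__main__":
    referral = build_message("nurse@example-health.org", "gp@other-clinic.net",
                             "Referral", "Patient MRN 12345678 lab results attached",
                             "lab_results.pdf")
    print(encryption_decision(referral))
```

The decision dictionary is what a gateway would log alongside the message ID, so that the compliance documentation can show, per message, why encryption was or was not applied. Keyword and pattern lists of this kind produce false negatives as well as false positives, which is why the text above recommends encrypting all external mail where that is practical.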

EncryptTitan is easy to set up and use, so next to no staff training is required. The solution works with all major email programs and does not require the recipients of emails to have the solution installed. EncryptTitan secures all emails in transit to protect against interception and tampering. End-to-end encryption is also offered, in which recipients must authenticate before they can view a message, and controls can be set to prevent copying, downloading, and printing of emails and attachments.

The EncryptTitan HIPAA compliance email encryption solution makes securing emails in transit simple and will help to prevent privacy violations via email and ensure HIPAA-covered entities meet their email encryption compliance obligations.