Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is the gold standard for protecting sensitive patient data. Any business dealing with protected health information (PHI) must ensure that the required security measures are implemented and followed. This includes all communications involving electronic protected health information (ePHI), which makes HIPAA compliance for email an imperative.
Of course, this isn’t just a plain directive. HIPAA violations have skyrocketed over the years. The Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. reported an average of 59 data breaches each month in 2021, with 712 healthcare data breaches recorded between January 1 and December 31. The penalties have also been substantial, with the OCR reportedly receiving $777,150 in settlements in 2021.
For any healthcare organization dealing with ePHI, the ability to secure and track communications is crucial. But there is a lot of confusion when it comes to complying with HIPAA guidelines. Let’s dig deeper into the situations that demand HIPAA compliance.
Healthcare organizations share a lot of confidential medical information via emails in messages and as attachments. HIPAA mandates the protection of such ePHI both at rest and in transit. Here are a couple of situations where this is applicable.
These are only a couple of scenarios from a long list of HIPAA email compliance requirements for healthcare organizations. Many organizations now use cloud-based servers to digitize their processes and share a lot of information, including ePHI, over the cloud. While sharing information over the cloud is definitely much faster and simpler, steps must be taken to protect that confidential information.
If you must use an online email service, ensure you sign a Business Associate Agreement (BAA) with the provider. A BAA is a written arrangement that specifies each party’s responsibilities when it comes to PHI. Two of the most popular email service providers, Microsoft and Google, have BAAs in place. However, the BAA typically only covers the servers; you as an organization are responsible for protecting the rest of the email chain.
The obvious answer is email encryption. However, as technologies advance and threats get ever more sophisticated, encrypting email for privacy compliance is not getting simpler. Email and cybersecurity jargon such as Transport Layer Security (TLS) gets thrown around like a catchphrase. But, “Not all TLS is created equal. Not all email one thinks is going by TLS, in fact is transmitted securely,” says Steve Anderson, an insurance technology expert. The devil is in the details.
Transport Layer Security (TLS) is a cryptographic protocol that encrypts data in transit between two applications over the Internet. It is most familiar from the connection between your web browser and a web server: a browser can easily flag a connection as “insecure”, show a warning, or refuse to display the page.
But, with email, there are some typical challenges. For instance, when you log in to Gmail via Chrome or any other browser, the connection from your device to the Google email server is generally secure. But what happens to the email after you hit the send button, when it leaves Google’s Gmail server on its way to the recipient?
This is where “opportunistic encryption” may or may not be used by some email providers. In simple terms, it means the email provider first tries to send the email over a TLS-protected SMTP connection if the “opportunity” presents itself. If the message can’t be sent securely, it reverts to a less secure or insecure transmission, automatically and invisibly.
The Gmail transparency report says 88 to 91% of inbound and outbound email to and from Gmail is sent using TLS. This means that, typically, more than 10% is sent and received without any security. The scenario isn’t much different with Office 365 hosted email. And it gets worse: none of these transparency reports make any distinction between the many TLS connections, which may or may not be secure. There are versions with varying levels of security: TLS 1.0, TLS 1.1, TLS 1.2, and now TLS 1.3, with TLS 1.0 typically accounting for 15% of transmissions.
To put simple numbers on this, consider an organization sending out 500 emails daily. Out of these, it’s quite possible that about 50 randomly selected messages (and their attachments) would be transmitted without any encryption, while about 75 other randomly selected messages would be sent with an insecure TLS version (such as 1.0). This poses severe risks of falling out of compliance and being subject to litigation and fines.
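The silent fallback described above is a policy choice, and the alternative is to enforce TLS instead. The following added example (not RMail or RPost code) shows that enforcing policy for outbound SMTP: it parses the server’s EHLO reply for STARTTLS, checks the negotiated TLS version against a floor, and refuses to send rather than dropping to plaintext. The TLS 1.2 floor and the EHLO replies are constructed assumptions for this example; the `probe_mx` function applies the same policy to a live mail server and is not needed for the offline demo.

```python
# Added example, not RMail/RPost code: opportunistic vs. enforced TLS on outbound
# SMTP. The TLS 1.2 floor and the EHLO replies below are constructed assumptions.
from __future__ import annotations
import smtplib
import ssl

MIN_TLS = "TLSv1.2"
_RANK = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# Constructed EHLO replies in RFC 5321 shape (not captured from real servers).
EHLO_WITH_TLS = ("250-mx.example.test Hello\n250-SIZE 35882577\n"
                 "250-STARTTLS\n250 ENHANCEDSTATUSCODES")
EHLO_NO_TLS = "250-legacy.example.test Hello\n250-SIZE 10240000\n250 8BITMIME"

def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords a server advertised; line 1 is the greeting."""
    caps = set()
    for line in reply.splitlines()[1:]:
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if words:
            caps.add(words[0].upper())
    return caps

def decide(caps: set[str], negotiated: str | None) -> str:
    """Enforced-TLS policy: 'send' only with STARTTLS and a version >= MIN_TLS.
    An opportunistic sender would fall back to plaintext where this refuses."""
    if "STARTTLS" not in caps:
        return "refuse: peer offers no STARTTLS"
    if negotiated is None or _RANK.get(negotiated, -1) < _RANK[MIN_TLS]:
        return f"refuse: negotiated {negotiated} is below {MIN_TLS}"
    return "send"

def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Apply the same policy to a live MX (network-dependent; not run below).
    minimum_version makes the handshake itself fail against TLS 1.0/1.1 peers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return decide(set(), None)
        smtp.starttls(context=ctx)  # raises ssl.SSLError below the floor
        return decide({"STARTTLS"}, smtp.sock.version())

if __name__ == "__main__":
    for label, reply, ver in [("modern", EHLO_WITH_TLS, "TLSv1.3"),
                              ("old TLS", EHLO_WITH_TLS, "TLSv1"),
                              ("no TLS", EHLO_NO_TLS, None)]:
        print(f"{label:8} -> {decide(parse_ehlo(reply), ver)}")
```

Running the offline demo shows the two cases the transparency reports lump together (no TLS at all, and an obsolete TLS version) both ending in a refusal rather than a silent downgrade.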
This is a big problem when sharing sensitive information such as ePHI. It’s here where RMail, the award-winning email security solution from RPost, can help with its auto-fallback capability. Its technology is well positioned to satisfy HIPAA rules and technical safeguard provisions regarding the preservation and secure transmission of ePHI. RMail sends messages using its end-to-end encryption service and doesn’t store ePHI on the company’s central server.
RMail helps healthcare and other organizations that deal with ePHI encrypt messages for HIPAA compliance in correspondence with patients, participants, HR departments, insurance companies, and third-party administrators.
RMail’s end-to-end encryption makes it easy to automate privacy for both physicians and patients and to prove compliance with HIPAA rules and other privacy regulations. Each RMail message returns the highest level of court-admissible, legally valid, timestamped email privacy compliance evidence in the form of a Registered Receipt™ authenticatable email record.
RMail uses double-layered encryption protocols to secure your ePHI:
The default encryption mode auto-decrypts the message without bothering or burdening either the sender or the receiver. All the sender needs to do is compose an email, press the Send Registered button, check the Encrypt box, and select the Transmission Level radio button. If the recipient’s system doesn’t support TLS encryption, RMail automatically reverts to an alternate secure transmission mode.
The alternative mode can be enabled by default by the sender; otherwise it is switched on when the RMail server detects that either no TLS or an insecure version of TLS is in place. RMail then automatically reverts to AES 256-bit PDF encryption, its end-to-end encryption for secure delivery.
At this point, the sender can choose to create the password or leave it empty for RMail to autogenerate one. A third option allows recipients to set their own decryption passwords. If “Email password” is checked, the recipient receives a password in their email along with the end-to-end encrypted message. The email carries “Registered Email” and “Encrypted” markings in the subject and banner, so it stands out in the recipient’s inbox.
The recipient can open the email and attachments right in their inbox, without having to enter any credentials, passwords, click links, or download any software. RMail also ensures the recipients can reply securely if needed for bidirectional encryption.
The Registered Email™ service from RMail ensures the messages remain protected during transit as well as at rest while in the recipient’s inbox. The Registered Encryption™ Receipt is the resulting evidentiary record returned to the sender for court-admissible proof of fact of end-to-end encryption. It includes an encrypted copy of a sender’s original message and all attachments as they were received by the recipient’s server. In case of any HIPAA dispute, anyone in possession of that receipt is able to verify the authenticity of the data it contains, instantly and on-demand. RPost’s cryptographic methods are used to determine if information in the receipt has been altered, employing hash algorithms and RSA/PKI signatures.
Email encryption is one of the strongest defenses an organization can implement against data breaches brought on by the improper disclosure or distribution of medical records or ePHI. But without proper policies and procedures governing the use of encryption services, these efforts mean next to nothing in the eyes of HIPAA auditors, who have been redoubling their efforts to investigate non-compliance across the healthcare industry.
RMail is a prime example of an effective compliance solution that specifically addresses the privacy and integrity of ePHI, which is essential to your organization’s HIPAA email compliance. Using RMail, you can safely send documents while complying with the technical safeguard standards of the HIPAA rules relating to the security of ePHI. RMail is also relevant for the great majority of U.S. jurisdictions in which UETA applies.
This is why companies like E-Billing Solutions, The Doctors Company, Philips, and countless others have been using RMail to comply with HIPAA.
RMail has been top rated for its security and auditable proof of compliance capabilities, besides offering the simplest user experience for the sender and recipient. Plus, it’s much more affordable at scale. Try it to send emails for free!