HIPAA INFORMATION AND EMAIL by Tod Ferran, CISSP, QSA
According to HHS, “the Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”
What does this mean to your entity? Email is the greatest invention since sliced bread, and there are ways to use it for secure communication of ePHI (electronic protected health information).
First, what are the alternatives? If your Electronic Health/Medical Record (EHR/EMR) system can provide a patient portal with document transfer capabilities, this is often a secure solution. For sending data to another covered entity or business associate, a secure file transfer server is also often a secure solution.
If these options are not available, then an encrypted email system is the way to do it. Since secure email is one of the common topics we encounter, let’s walk through the life cycle of an email as it travels between you and a recipient.
- The email leaves your workstation and goes to your email server.
  - The network packets that make up your email should be encrypted during this transmission to the server if the email contains sensitive information.
- Your email server often stores the message in its file store.
  - The email record should be encrypted in storage.
- Your email server transmits the email to the recipient’s email server.
  - Again, this should be encrypted. This is often done using TLS, but both the sending and receiving servers must be using TLS for this to work.
- The recipient then retrieves the email from their server.
  - While their email server should store email messages securely and provide the email to the recipient securely, you will not have control over these protections.
At each of these steps, the message may traverse untrusted networks like the Internet. It is a trivial matter for a malicious individual to ‘sniff’ or copy those messages as they cross these networks. If the email is not encrypted, it can be easily read.
It’s a lot like sending a postcard through the regular mail: anyone who sees it can read it, and we have no way of knowing who may have seen it.
No wonder HHS is concerned about email. In fact, Phoenix Cardiac Surgery paid a $100k penalty for using a cloud email and calendar service in their practice without appropriate security controls.
Since entities likely find it reasonable and appropriate to encrypt ePHI at rest and during transmission all the way to the recipient, the challenge then is how to ensure a message is encrypted at each step when we can’t control the recipient’s server or how the recipient accesses the message on that server. Oftentimes entities do not even have control over the sending server.
The HHS understands you have no control over which email clients your recipient may use.
“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information (PHI) while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” (US Department of Health and Human Services, Omnibus Final Rule, 2013)
So that gives us an out, right? Not really. When we advise the recipient that email is not secure, we need to have a secure method available to them. That is where a secure email service comes into play.
A secure email service works like this:
- The transmission from your computer is encrypted.
- The email on the server is encrypted.
- The recipient receives a notification message containing a link to click on to retrieve the encrypted message from the server.
- When the recipient pulls the message from the server, the transmission is encrypted.
This method keeps the information encrypted at each point, and many of these service providers are fairly inexpensive. You may be thinking that your email server uses SSL or TLS, so it’s not a problem. Unfortunately, that is not quite accurate. Even if you are using TLS v1.1 or later (SSL and TLS 1.0 are no longer considered secure), there is no way to ensure that the email server at the other end is configured properly or that the end recipient will retrieve the message from that server in a secure manner. Don’t despair: many of the secure email service providers are able to integrate into your email server and provide the end-to-end encryption required.
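The server-to-server hop is the one part of this chain you can at least verify from your side: you can ask the receiving server whether it advertises STARTTLS and which TLS version it negotiates. The following Python script is an added example, not code from the article or from any email service it mentions. The host name `mail.example.test` and the EHLO responses are constructed samples, not captures from a real server; `check_smtp_server` needs network access, while the parsing and assessment helpers run offline. Note what this check cannot tell you, which is the article’s point: a good result here says nothing about how the recipient’s server stores the message or how the recipient retrieves it.

```python
"""Check one hop of the email life cycle: does the receiving mail server offer
STARTTLS, and is the negotiated TLS version one the article treats as acceptable?
Added example; not the article's or any vendor's code."""
import smtplib
import ssl
from typing import Optional

# The article accepts TLS 1.1 or later; SSL and TLS 1.0 are rejected.
ACCEPTABLE_TLS_VERSIONS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def ehlo_offers_starttls(ehlo_response: bytes) -> bool:
    """Parse the multi-line EHLO reply (as smtplib returns it) and report
    whether the STARTTLS extension is advertised."""
    text = ehlo_response.decode("ascii", errors="replace")
    # First line is the server greeting; each following line is one extension.
    return any(line.strip().upper().startswith("STARTTLS")
               for line in text.splitlines()[1:])


def tls_version_acceptable(version: Optional[str]) -> bool:
    """True only for protocol versions the article considers secure."""
    return version in ACCEPTABLE_TLS_VERSIONS


def assess_hop(starttls_offered: bool, negotiated_version: Optional[str]) -> str:
    """Summarize the server-to-server hop as 'encrypted', 'weak' or 'cleartext'."""
    if not starttls_offered:
        return "cleartext"          # mail would cross the Internet unencrypted
    if tls_version_acceptable(negotiated_version):
        return "encrypted"
    return "weak"                   # encrypted, but with SSL/TLS 1.0 or unknown


def check_smtp_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a mail server, check for STARTTLS and record the TLS version.
    Requires network access; the host below is a placeholder."""
    # The default context verifies the server certificate; on current OpenSSL
    # builds it already refuses SSLv3 and TLS 1.0/1.1 handshakes.
    ctx = ssl.create_default_context()
    result = {"host": host, "starttls": False, "tls_version": None}
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        _code, response = server.ehlo()
        result["starttls"] = ehlo_offers_starttls(response)
        if result["starttls"]:
            server.starttls(context=ctx)
            result["tls_version"] = server.sock.version()  # e.g. "TLSv1.3"
            server.ehlo()  # RFC 3207: re-issue EHLO after the TLS handshake
    result["assessment"] = assess_hop(result["starttls"], result["tls_version"])
    return result


# Constructed sample EHLO replies (not captured from any real server).
SAMPLE_EHLO_WITH_STARTTLS = b"mail.example.test\nSIZE 35882577\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_WITHOUT_STARTTLS = b"mail.example.test\nSIZE 35882577\n8BITMIME"

if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    for sample, version in ((SAMPLE_EHLO_WITH_STARTTLS, "TLSv1.2"),
                            (SAMPLE_EHLO_WITHOUT_STARTTLS, None)):
        print(assess_hop(ehlo_offers_starttls(sample), version))
    # To test a live server, uncomment and replace the placeholder host:
    # print(check_smtp_server("mail.example.test"))
```

A "cleartext" or "weak" result is the case the article warns about: your own server may be configured well, yet the message still crosses the Internet unprotected because the receiving side does not negotiate TLS. Run it against the MX hosts of the entities you exchange ePHI with before relying on plain TLS for that hop.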
Here are just a few of the available secure email services:
Here are a few suggestions for creating a patient portal if your existing EMR/EHR does not provide the functionality:
Whichever service you decide to use, be sure the service is HIPAA compliant and provides encryption all the way to the recipient’s device.
I linked to a comparison chart that includes Hushmail and some additional HIPAA compliant email services that were not mentioned in the article. Please feel free to use the information and/or link to the chart. If there are any additional features you’d like to see listed please let me know.