Announcement: HIPAA Email Compliance

Understanding HIPAA Email Compliance

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the primary federal law governing how the healthcare industry handles patient-related information. This includes requirements for the messaging systems used to transmit protected health information (PHI).

Note that HIPAA does not prohibit using email to send electronic PHI (e-PHI). It does, however, require that patient information sent by email remain protected. The HIPAA Security Rule therefore sets standards that apply to the transmission of e-PHI by email, including standards for:

• Access control (45 CFR § 164.312(a)(1))
• Integrity (45 CFR § 164.312(c)(1))
• Transmission security (45 CFR § 164.312(e)(1))

Together these standards require a covered entity to implement policies and procedures that preserve the integrity of e-PHI and restrict unauthorized access to it. The Transmission Security standard is the most specific about email: it requires guarding against unauthorized access to e-PHI transmitted over an electronic communications network, and it carries two addressable implementation specifications, integrity controls (45 CFR § 164.312(e)(2)(i)) and encryption (45 CFR § 164.312(e)(2)(ii)). "Addressable" does not mean optional: a covered entity must implement the specification where reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.

A covered entity must therefore protect email messages containing PHI even when they travel over open or unencrypted network links. Each covered entity should assess the nature of the networks its email traverses and adopt measures suited to protecting e-PHI in transit, such as encryption. To be able to substantiate its adherence to the Security Rule, a covered entity should document the measures it has adopted and the risk analysis behind them. Similar expectations apply to the archiving of emails that contain PHI.

Covered entities that handle PHI should therefore consider email security measures such as content filtering, recipient authentication, secure messaging servers and anti-spam/anti-virus technologies to support compliance with HIPAA. CMS (the Centers for Medicare and Medicaid Services) has endorsed this approach and recently indicated that it plans to provide further guidance in this area.