HIPAA Email Encryption Requirements

HIPAA doesn’t prohibit the transmission of Patient Health Information (PHI) via email. However, the HIPAA Security Rule does set out recommendations to ensure that e-PHI (electronic patient health information) also meets the standards established for maintaining the integrity of PHI. Among the various recommendations in this area, email encryption is an important issue.

The benefit of using encrypted email is simple to understand—it ensures that the information (PHI) carried in an email cannot be read by an unintended party, even if the message is intercepted in transit. This covers both the body of the email and any attachments.

Overview of How Encryption is Done

Encryption can be understood as a method of converting plain text into cipher-text using a key. While the data is in transit over the internet, it therefore cannot be interpreted by any untrusted entity. The email recipient converts the cipher-text back into plain text using the corresponding key. The keys used here are complex values generated by the encryption algorithms built into an email system that provides encryption facilities.

The HIPAA Security Rule classifies encryption as an ‘addressable specification’. This essentially means that it acknowledges how critical encryption is for limiting access to PHI, and more stringent regulations in this regard are expected soon. Any data leakage caused by the absence of an encryption solution is very likely to create a direct liability in the form of non-compliance with HIPAA mandates.

Understanding the Need for Encryption

The HIPAA Security Rule does not require that internal emails sent over the wired network of a workplace be encrypted. However, encryption is required when emails travel across open networks such as the Internet, and even across wireless LANs. At present, there is no standard that sets a minimum encryption strength, so covered entities handling PHI must determine the appropriate encryption requirements themselves.

The norms for encryption strength suggest that 168-bit, i.e. 3DES, encryption strength is sufficient, but 128-bit is also commonly used—the eventual encryption platform can be customized to suit personal and workplace requirements. It therefore makes sense for all entities handling PHI to upgrade their encryption, but in a cost-effective manner. Developing these methods on an individual basis incurs very high expenses in the form of an in-house team familiar with encryption technologies. A recommended way of solving this problem is to use encryption solutions offered as part of email software provided by external vendors.