HIPAA was updated in 2013 to accommodate changes in work practices and technology adoption in the healthcare industry. According to the US Department of Health and Human Services (HHS), the HIPAA Security Rule does not prohibit the use of email for sending ePHI. The point to remember is that covered entities are required to protect and safeguard an individual's ePHI against unauthorized access. These requirements are set by the HIPAA Security Rule and were updated by the Omnibus Final Rule.
HIPAA does allow covered entities to send a person's PHI by email, but the information must remain confidential and must not be tampered with in transit.
Many covered entities and business associates say that encryption alone is enough to ensure HIPAA compliance when sending PHI by email. Others argue that encryption by itself does not satisfy every HIPAA requirement, such as authenticating the identity of the sender and recipient. Identity authentication matters because it ties each disclosure to an accountable user and makes the data traceable.
Generally there are three requirements that should be followed when sending PHI through email, and they are as follows:
- Encryption Requirements
- Secure Messaging Solutions
- Archiving Encrypted Emails
Encryption Requirements
If an email that contains PHI is sent beyond the covered entity's firewall, it must be protected with encryption. Under the HIPAA Security Rule, encryption is an "addressable" safeguard: covered entities are not locked into encryption, and if they identify an alternative that provides an equivalent level of protection they may use that instead, provided they document the decision and the alternative measure.
Encryption is therefore not always essential to protect PHI. If the PHI is transferred internally and stays behind the firewall, the information is already shielded from access by an outside third party. But once the data leaves the protection of the covered entity's firewall, encryption is required.
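The boundary rule above (internal mail passes, mail leaving the covered entity's firewall must be encrypted and must be tamper-evident in transit) can be expressed as a small outbound-mail gateway check. The following Go program is an added example written for this page, not code from the original article or from any HIPAA guidance; the domain example-clinic.org, the Message type and the function names are assumptions. It uses AES-256-GCM from the Go standard library so that the body is both confidential and integrity-protected, and it binds the From/To/Subject headers to the ciphertext so that a swapped recipient is detected when the message is opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Hypothetical domain of the covered entity; any other domain is treated as
// outside its firewall (an assumption for this example).
const internalDomain = "example-clinic.org"

// Message is a minimal email model used by the example.
type Message struct {
	From, To, Subject string
	Body              []byte
	Encrypted         bool
}

// NeedsEncryption reports whether mail to recipient leaves the covered
// entity's boundary and therefore must be encrypted.
func NeedsEncryption(recipient string) bool {
	at := strings.LastIndex(recipient, "@")
	if at < 0 {
		return true // malformed address: fail closed and encrypt anyway
	}
	return !strings.EqualFold(recipient[at+1:], internalDomain)
}

// headerAAD binds the routing headers to the ciphertext as additional
// authenticated data, so a modified recipient or subject fails on Open.
func headerAAD(m Message) []byte {
	return []byte(m.From + "\x00" + m.To + "\x00" + m.Subject)
}

// Seal encrypts body with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func Seal(key, body, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, aad), nil
}

// Open reverses Seal and returns an error if the ciphertext or the
// authenticated headers were modified in transit.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ProtectOutbound applies the boundary rule: internal mail passes unchanged,
// external mail has its body sealed and is marked as encrypted.
func ProtectOutbound(key []byte, m Message) (Message, error) {
	if !NeedsEncryption(m.To) {
		return m, nil
	}
	sealed, err := Seal(key, m.Body, headerAAD(m))
	if err != nil {
		return Message{}, err
	}
	m.Body = sealed
	m.Encrypted = true
	return m, nil
}

func main() {
	key := make([]byte, 32) // in production this comes from a key manager; random here
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample message containing PHI that leaves the boundary.
	msg := Message{From: "nurse@" + internalDomain, To: "patient@example.com",
		Subject: "Lab results", Body: []byte("Patient 12345: HbA1c 7.2%")}
	out, err := ProtectOutbound(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted=%v sealed-body-length=%d\n", out.Encrypted, len(out.Body))
	// Simulate tampering in transit: flip one byte of the sealed body.
	tampered := append([]byte(nil), out.Body...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, headerAAD(out))
	fmt.Println("tampered message rejected:", err != nil)
}
```

The design choice worth noting is the use of an authenticated mode (GCM) rather than bare encryption: confidentiality alone would satisfy the "encrypt beyond the firewall" rule but not the requirement that the PHI is not tampered with in transit. A real deployment would replace the in-memory key with one held in a key management system and would transport the sealed body as an S/MIME or similar attachment rather than raw bytes.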
Secure Messaging Solutions
Because many healthcare workers use their own personal devices as part of their daily routine, a secure messaging solution is needed. Such solutions meet HIPAA requirements while supporting Bring Your Own Device (BYOD) policies: only authorized users with access to the PHI can log in, every activity on the platform is recorded and an audit trail is maintained, all messages are encrypted, and messages cannot be sent outside the organization's secure network.
Archiving Encrypted Emails
HHS requires organizations to retain these records for at least six years. Archiving encrypted emails preserves the PHI and also builds an index of the messages, which keeps the archive searchable and makes records easy to retrieve when they are needed.