The Health Insurance Portability and Accountability Act, more often known as HIPAA, lays out a number of requirements detailing how organizations can be allowed to transfer some types of information and this has led to many questioning how the HIPAA rules relate to emailing.
Probably the most relevant information pertaining to the applicability of HIPAA rules to emailing can be found in the HIPAA Security Rule. This part of HIPAA considers the elements which must be in place which would allow the use of emailing to be acceptable and compliant under HIPAA. It should be noted at this point that HIPAA does not prohibit the use of emailing, but only allows in once the correct conditions are being met.
In order for emailing to be used to transfer Protected Health Information (PHI), the organization that wishes to use an email system must introduce appropriate mechanisms to govern and control the access to PHI; to track access and unsuccessful access attempts to data; to record changes, alterations, or deletions of data; to verify user authorization; and to ensure that security of ant data transfers. These steps must be taken in order to:
- Prohibit unauthorized personnel, individuals, or parties from accessing PHI while it is stored
- Prohibit unauthorized personnel, individuals, or parties from accessing PHI while it is being transferred
- Track the methods, formats, and other elements relating to how PHI is being shared
- Maintain the integrity of PHI while it is being stored both before and after transfers
- Protect against unauthorized alterations or erasure of data
- Allow for all messages to be traced from sender to recipient
Some security measures, while useful, are not sufficient to meet all of these requirements. The use of encryption, for example, may protect data but does nothing to allow for messages to be tracked and access or attempted access to data to be logged and reviewed. The necessary measures to ensure that this type of information is recorded and audited can be difficult to introduce and maintain, and may require a relatively robust or complex IT infrastructure.
When we talk about emailing in this article, we are not referring to cases where organizations may have their own internal electronic messaging system that is protected by appropriate access controls and firewalls; what we are concerned with is email in the more broad sense of electronic messages being sent from one entity to another entity or an individual external to the system via the internet.
Once PHI is being shared or transferred outside of a protected environment, it must be equipped with certain safeguards. As the use of encryption is an “addressable” implementation specification, meaning it or another security measure could be used interchangeably so long as the level of risk of PHI being compromised is significantly mitigated, organizations may choose or opt for another approach. Any data should be rendered unreadable, undecipherable and unusable in the case of it being intercepted or accessed by an unauthorized person or group.
In conclusion, HIPAA does not prohibit the use of email, but it must be carried out in a way which ensures the appropriate levels of security of PHI in terms of access, integrity, and traceability.