Encryption Technology and HIPAA email

The Security Regulations do not state that email encryption is mandatory, but they do list encryption as an “addressable implementation specification,” both for controlling access to PHI and for protecting PHI while it is transmitted over a network. “Addressable” does not mean optional: the organization must assess whether the safeguard is a reasonable and appropriate one in its environment, and implement it if it is. If a decision is made not to implement an addressable specification, the organization must “document why it would not be reasonable and appropriate to implement” it and “implement an equivalent alternative measure if reasonable and appropriate.” For email, encryption is usually the most prudent measure; the main alternative is to keep all PHI traffic inside a closed network that you build and operate yourself.

Healthcare organizations and HIPAA

If you are a healthcare provider, health plan, or healthcare clearinghouse, you are a “Covered Entity.” Covered Entities must comply with the HIPAA regulations on privacy, security, and the conduct of claims transactions. If you are not a Covered Entity but do business with one in a way that involves the transmission of PHI, you are probably a “Business Associate,” which means you must enter into a specific form of contract (a business associate agreement) that binds you to the Covered Entity’s privacy protection obligations. In either case, you need to understand the regulations and develop a compliance plan that fits your particular company. Organizations like Safety Send are available to assist your HIPAA compliance team.

Email versus paper communication

Whether you communicate via paper or email, you are bound by HIPAA’s privacy and security regulations. Electronic communication is already the norm in most areas of business, including areas that demand high levels of privacy and security, such as financial services and the legal profession. Only you can decide whether email is right for your business. When properly handled, email can be a convenient, fast and safe method of communication. Safety Send offers a variety of secure email solutions suitable for a company of any size.

Non-compliance penalties

HIPAA is the first federal law to impose criminal penalties for the improper use or disclosure of PHI. Civil penalties are also available. To impose either civil or criminal penalties for a HIPAA violation, there must be proof that the party charged failed to comply with a requirement of the HIPAA legislation or one of its regulations. Criminal violations are investigated and prosecuted by the United States Department of Justice and the Federal Bureau of Investigation; a violation committed with malicious intent or for commercial advantage or personal gain can carry up to 10 years in prison and a fine of up to $250,000. HHS investigates civil violations, with penalties of up to $25,000 per calendar year for violations of any one requirement. Since it is not yet clear how HIPAA will be enforced, it is best to fully document your company’s privacy policies and procedures and why they are the correct actions for your company. This documentation can serve as evidence that all reasonable steps were taken to ensure HIPAA compliance.

Receiving non-secure email messages

What you must do with a non-secure email you receive depends on the situation. If you receive a sensitive message from a company or individual with whom you have no established relationship (e.g. a person inquiring about a health condition he has), be careful what you do with it. You should protect it, but you should not face any penalties merely for having received what is essentially an unsolicited email. If you have a regular relationship with another party that communicates PHI to your company, you need to ensure you have taken steps to manage that traffic, or you may be taking on risk. Products that automatically encrypt all sensitive incoming and outgoing email are good solutions for this type of situation.

Archived email messages

Archived messages are governed by different Security Rule standards than messages in transit (the transmission security standard applies only to PHI while it is being sent), but stored ePHI is still covered by the Security Rule, so it should be protected as well. Mailbox archives and databases are easy to query with readily available tools, and an attacker who gains access to the store can use those same tools to extract PHI in bulk. Also, some states are beginning to enact laws that require the protection of stored data. Safety Send offers archiving services to companies interested in securing their stored messages.

Safety Send and HIPAA regulations

Safety Send provides a number of products and services that Covered Entities and Business Associates can use to protect PHI in email communications. These solutions address the HIPAA security requirements and include other features that support HIPAA compliance, including the requirements for physical safeguards, technical security services and administrative procedures. While Safety Send is not a Covered Entity, we hold ourselves to a level of compliance with HIPAA requirements. Our “scaled” solutions are appropriate email-related safeguards for a Covered Entity of any size or type. Covered Entities have a choice of solutions that they can integrate into their own compliance programs as they see fit.