Can HIPAA Information Be Emailed?
According to the CDC: “while the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called ‘electronic protected health information (e-PHI).”
In order to comply with the HIPAA Security Rule you must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance
But what does this mean for those working in the healthcare industry emailing HIPAA information? Let’s start with why email communications should be secure first:
Understanding how cybersecurity and email are connected begins with a breakdown of the path that an email follows. Email follows the following path:
- Created by sender on their workstation
- Sent from workstation to sender’s email server
- Sender’s email server sends email to recipient’s email server
- Recipient’s workstation pulls the message from their server
Every time the email is sent it could be at risk for malicious interference. In addition, a copy of the email is stored on each workstation it travels through. Breaking that down, that means there’s a copy on:
- The sender’s workstation
- The sender’s email server
- The recipient’s email server
- The recipient’s workstation 1
This path alone illustrates the risk a single email can pose – both in transit and at rest. So can emails be HIPAA compliant?
Emails can be HIPAA compliant, but requires IT resources and a monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.2
What IT resources and monitoring processes are available? Beyond our in-house security solution, we also recommend email encryption.
Encryption is a way to make data unreadable at rest and during transmission. CIT partners with Zix for email encryption and they partner with more than 1,200 U.S. hospitals to help maintain HIPAA compliance. As cyberattacks continue to grow exponentially, Zix provides you with efficient methods to optimize your IT security effectiveness while better securing PHI in and out of their organization.
So now that we’ve talked about the path of an email, HIPAA compliance, and our recommended solutions we want to make sure all types of emails are secure.
What different kinds of emails need to be secure?
In the healthcare industry, it is important to avoid security risks, meet compliance standards, and secure multiple types of emails. Cybersecurity and compliance solutions should include securing:
- In-office emails
- Doctor-to-doctor emails
- Personal emails
- Mass emails
- Reply emails
- Patient emails
Additional email security considerations
- Passwords and 2-factor authentication
- Email disclaimers