If you are a member of a healthcare organization, it is extremely important that you comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA has been in place since 1996, and it is regulated by the U.S. Department of Health and Human Services (HHS).
You probably already knew that, but do you know if your organization’s emails comply with the HIPAA Security Rule? As a HIPAA-covered entity that handles and transmits patients’ Protected Health Information (PHI), you must ensure it’s protected. If your email transmission security does not meet HIPAA email compliance standards, you can be fined. Here’s what you need to know to keep your emails HIPAA compliant.
How Email Compliance Relates to HIPAA Rules
These are two major HIPAA rules you should understand before you determine how compliant your emails are:
HIPAA Security Rule
The Security Rule outlines the safeguards that covered entities and business associates must put in place to protect individuals’ electronic Protected Health Information (ePHI). Its technical safeguards require access controls, audit controls, integrity controls, person or entity authentication, and transmission security for ePHI as it is sent over electronic media and networks. It also requires physical safeguards that limit facility and workstation access that could expose ePHI, and administrative safeguards (policies, workforce training, and sanctions) that keep your organization’s employees compliant with HIPAA’s rules and security standards.
HIPAA Breach Notification Rule
This rule governs what happens after a breach, which is an impermissible use or disclosure of PHI. When a breach occurs, each individual whose PHI was compromised must be notified in writing, which may include email if the individual has agreed to that format. Notification must be made without unreasonable delay and no later than 60 days after the breach is discovered.
There are additional HIPAA rules, including the HIPAA Privacy Rule, which governs the permitted uses and disclosures of PHI and ePHI, and the HIPAA Enforcement Rule, which governs how HIPAA compliance is investigated and penalized.
What Are HIPAA’s Email Requirements?
HIPAA requires that covered entities’ email services and computer networks meet the following requirements:
- They must restrict access to ePHI and monitor how it’s communicated.
- They must ensure the integrity of ePHI at rest (before or after it’s been sent) and keep an audit trail that accounts for every message containing ePHI.
- They must protect ePHI from breaches and unauthorized access during transmission.
To meet these requirements, you may have to implement several solutions together. For instance, you should put a continuous monitoring system in place to make sure the emails maintain HIPAA compliance. You should also encrypt emails that contain ePHI, but be aware that encryption alone does not meet all of HIPAA’s email compliance requirements. Note that under the Security Rule, encryption of ePHI in transit is an “addressable” implementation specification: you must either implement it or document why it is not reasonable and appropriate and what equivalent measure you use instead, and in practice encryption is the expected control for email leaving your network.
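One concrete check for the transmission-security requirement above is to audit the Received headers of mail your servers handle and flag any hop that was not delivered over TLS. The following is an added example, not code from the original page or from Reverus; the message it parses is constructed for illustration, and the host names, addresses and message IDs in it are hypothetical. It relies on the `ESMTPS`/`ESMTPSA` transport tokens that MTAs record per RFC 3848, plus the `TLS` annotations that common MTAs add, to decide whether a hop was encrypted.

```python
import email
import re

# Constructed sample message (hypothetical hosts and IDs, not a real message).
# Received headers are newest-first: the first hop here is a plain ESMTP
# delivery, the second (earlier) hop was delivered with ESMTPS (TLS).
SAMPLE_MESSAGE = """\
Received: from mx.hospital.example (mx.hospital.example [203.0.113.10])
\tby inbound.clinic.example with ESMTP id abc123
\tfor <records@clinic.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.hospital.example ([198.51.100.7])
\tby mx.hospital.example with ESMTPS id xyz789
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384)
\tfor <records@clinic.example>; Mon, 1 Jan 2024 10:00:00 +0000
From: nurse@hospital.example
To: records@clinic.example
Subject: Lab results
Content-Type: text/plain

Patient visit summary attached.
"""

# Transport tokens (RFC 3848 and its UTF8SMTP extension) that imply TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Pulls "from <host> ... by <host> ... with <protocol>" out of one header.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)")


def parse_hops(raw_message):
    """Return one dict per Received header describing the hop and whether
    the receiving MTA recorded a TLS-protected transport for it."""
    msg = email.message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        # Unfold the header: continuation lines are joined by whitespace.
        text = " ".join(received.split())
        m = HOP_RE.search(text)
        if not m:
            # Non-standard clause order; record it so it is not silently skipped.
            hops.append({"from": None, "by": None, "with": None,
                         "tls": False, "raw": text})
            continue
        src, dst, proto = m.groups()
        # Either the RFC 3848 token or an explicit TLS annotation (e.g. Postfix's
        # "(using TLSv1.3 ...)") is accepted as evidence of encryption in transit.
        tls = proto.upper() in TLS_PROTOCOLS or "TLS" in text.upper()
        hops.append({"from": src, "by": dst, "with": proto,
                     "tls": tls, "raw": text})
    return hops


def audit_transmission(raw_message):
    """Summarise the hops and list those without a TLS indicator."""
    hops = parse_hops(raw_message)
    insecure = [h for h in hops if not h["tls"]]
    return {
        "hops": len(hops),
        "insecure_hops": insecure,
        "all_hops_tls": not insecure,
    }


if __name__ == "__main__":
    report = audit_transmission(SAMPLE_MESSAGE)
    print(f"{report['hops']} hop(s), all over TLS: {report['all_hops_tls']}")
    for hop in report["insecure_hops"]:
        print(f"  no TLS: {hop['from']} -> {hop['by']} (with {hop['with']})")
```

Two caveats when using this as a compliance check. Each Received header is written by the MTA that received the message, so only the headers added by servers you control are trustworthy; an external relay can claim anything. And the check only tells you whether the SMTP session was encrypted (and, from the cipher annotation, how), not whether the message body itself was encrypted end-to-end, so a plain-ESMTP hop on an internal relay is still a finding that belongs in your risk analysis.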
Before you put these security measures in place, you should run a risk analysis (itself a required Security Rule safeguard) and devise a risk management plan that will ensure your email service becomes and remains HIPAA compliant.
Helping Your Organization Stay Compliant
At Reverus, we will work with you to make sure that emails sent from your organization’s business email addresses become and stay HIPAA compliant. If you are interested in these services or have questions about them, contact us today.