HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Encryption Software

Email is a convenient business communication tool that allows rapid exchange of information, but it is not a secure method of communication, which is why many businesses use email encryption software. By default, emails are sent as plaintext messages, which means they can be intercepted in transit and any information they contain could be read or stolen by unauthorized individuals. It is also possible for emails to be intercepted and tampered with in transit without the sender or recipient being aware.

Emails are created on the sender’s workstation, they pass through the sender’s mail server, traverse the Internet, arrive at the recipient’s mail server, and are then accessed on the recipient’s workstation. Copies of messages are retained at each machine in that journey, so even if emails are not intercepted in transit, they could still potentially be accessed by unauthorized individuals.

While many emails do not contain any sensitive information, healthcare emails often do. Healthcare emails may include the personal data of employees, financial information, bank account details, financial reports, insurance claims, billing information, and the protected health information of patients and health plan members.

Cyberattacks on healthcare organizations are extremely common and hackers are well aware that healthcare email accounts contain a treasure trove of valuable information. 91% of healthcare organizations have had at least one data breach involving the loss or theft of patient data, and email breaches are second only to hacks of network servers. Further, the increase in remote working due to the pandemic has increased the risk of emails being intercepted, as home networks and public Wi-Fi networks often lack appropriate security measures to protect against the exposure of email data.

Failure to Encrypt Emails Risks Compliance Penalties

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-regulated entities to implement encryption for electronic protected health information or implement an alternative measure that provides an equivalent level of protection. Internal emails will be protected by a firewall and access controls are set up on email accounts to prevent unauthorized access by employees, so encryption is not required for internal emails.

According to the Department of Health and Human Services, “The [HIPAA] Security Rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.” That means that when emails containing ePHI are sent beyond the protection of the firewall, email encryption software should be used.

While email encryption is generally required when ePHI needs to be sent externally, it is permissible to send unencrypted emails to patients, provided they are advised that email is not a secure method of communication and that there is a risk that information in emails could be intercepted. If the patient still prefers to receive information by email after being informed of the risk, a covered entity is not responsible for any interception of ePHI that occurs.

Generally, in healthcare, sending ePHI via email is not recommended, as there are more secure methods of communicating ePHI with other healthcare organizations, business associates, patients, and health plan members. That said, it is possible to make email secure and HIPAA-compliant.

Email Encryption Software for HIPAA Compliance

Email encryption software uses public-key cryptography to encrypt messages, typically together with digital signatures that verify the sender and detect tampering. With email encryption software, the content of messages, including email attachments, is scrambled so that the messages and attachments are unreadable to anyone else. Only the sender of an email and the intended recipient(s) are able to decrypt the message and view its contents.

Software for encrypting emails either encrypts messages at the gateway prior to transit or encrypts them from device to device; the latter is referred to as end-to-end encryption. In order to decrypt an encrypted email, the recipient must be a client of the mail service used to encrypt messages or must support the type of encryption used. While this could potentially be an issue, commercial email encryption software delivers the encrypted email to a secure portal if the recipient does not support the encryption method. The software sends a notification email to alert the intended recipient that a message is waiting, and the recipient then authenticates with the portal to view it.

Email encryption software typically uses one of three methods of encryption: Pretty Good Privacy (PGP), Secure/Multipurpose Internet Mail Extensions (S/MIME), or Transport Layer Security (TLS). PGP and S/MIME offer true end-to-end encryption. TLS only protects messages in transit between mail servers, so the copies stored on each server along the way remain readable, but it is acceptable and has the added advantage of not requiring users to take any action to decrypt messages, which is often preferred as it does not interfere with workflows. Most commercial encryption software integrates with common mail services, such as Microsoft Exchange, Office 365, and Google G Suite.
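Because TLS protects only each server-to-server hop, a useful defender's check is to read a delivered message's Received headers and see which hops carried it in the clear. The script below is an added example, not from the article or any vendor; the message, hostnames and addresses are constructed, and the header formats follow the common Postfix style, so other mail servers may need extra patterns.

```python
import email
import re

# Constructed sample (not from the article): clinic workstation -> clinic MX over
# plain SMTP inside the firewall, then MX -> insurer over STARTTLS. Each receiving
# server prepends its own Received header, so they read bottom-up in transit order.
SAMPLE_MESSAGE = (
    "Received: from mx.clinic.example (mx.clinic.example [203.0.113.5])\n"
    "    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n"
    "    by mail.insurer.example (Postfix) with ESMTPS id 4AbC123\n"
    "    for <claims@insurer.example>; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from workstation.clinic.example (workstation.clinic.example [10.0.0.12])\n"
    "    by mx.clinic.example (Postfix) with ESMTP id 4DeF456\n"
    "    for <claims@insurer.example>; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: billing@clinic.example\n"
    "To: claims@insurer.example\n"
    "\n"
    "Claim details follow.\n"
)

# SMTP "with" keywords (RFC 3848 / RFC 6531) that mean the session was TLS-protected.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

def _field(pattern, text, flags=0):
    match = re.search(pattern, text, flags)
    return match.group(1) if match else None

def received_hops(raw_message):
    """One dict per Received header, returned in transit order (first hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())  # unfold the continuation lines
        proto = _field(r"\bwith ((?:utf8)?e?smtps?a?)\b", text, re.IGNORECASE)
        version = _field(r"(?:using |version=)(TLS\S+)", text)  # Postfix / Google style
        hops.append({
            "from": _field(r"^from (\S+)", text),
            "by": _field(r"\bby (\S+)", text),
            "with": proto,
            "tls": version,
            "protected": bool(version) or (proto or "").upper() in TLS_PROTOCOLS,
        })
    hops.reverse()  # headers are prepended, so the last header is the first hop
    return hops

def hops_without_tls(raw_message):
    """Hops carried in the clear; trust only headers your own servers wrote."""
    return [f"{h['from']} -> {h['by']}" for h in received_hops(raw_message)
            if not h["protected"]]
```

Any relay upstream of your own servers can forge the headers below its own, so treat the result as a check on your side of the path, not proof about the other party's network.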

If you send ePHI via email beyond the protection of the firewall, you should use email encryption software to secure the messages, unless a patient has authorized you to use an unsecured email service after being made aware of the risks.

Email encryption software is also recommended for sending emails containing sensitive data not covered by HIPAA to prevent interception in transit. Prior to using software for encrypting emails, you should assess the solution provider’s security controls and obtain a business associate agreement.