May 13, 2021
In October of 2020, we published an article covering HIPAA compliance. In previous social media posts, we’ve also made passing mentions of how email is a potential source of compromised e-PHI. In fact, employee email accounts are one of the most common sources of vulnerability. In today’s article, we take a closer look at why that is, how one wrong click can have a devastating impact on your organization, and where strict HIPAA compliance plays a key role in keeping everyone involved safer.
HIPAA, Email and Butler County, Ohio
No matter how many advances in technology we as a society have made, email still remains the go-to method of communication across health care facilities and departments — both internal and external. Because it’s so common, HIPAA compliance needs to start there, and that means staying within the most recently updated regulations.
Shortly before COVID-19 first started making headlines in the U.S., an employee of Butler County was suspended after emailing a spreadsheet containing the personal information of 1,350 other employees. The spreadsheet included names, insurance identification numbers and information about those employees’ participation in the county Wellness Program.
It was determined there was no nefarious intent, and from the outside it seemed to be a minor infraction. Yet the leak affected so many people that it ultimately warranted the suspension of the employee, several months after the fact.
HIPAA and Email Security
HIPAA email compliance starts with secure messaging. With secure messaging, facilities are able to send multiple forms of media in an encrypted form that protects both the sender and the recipient.
According to the updated HIPAA regulations, it is highly recommended that all data be encrypted both in transit and at rest. Health care facilities are required to guard against any unauthorized access to patient health information (PHI) over any channel.
This mandate, of course, includes email, and it is especially important because of how widely email is used. Without proper HIPAA email security, unencrypted data transmission leaves PHI vulnerable and open to potential compromise. Once in place, HIPAA email security allows staff to safely communicate PHI to recipients both inside and outside the hospital or practice, whether they are staff or patients.
According to HHS:
“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
If all that sounds confusing, this is the portion to keep in mind:
“The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
HIPAA stipulates that not only the sending of messages be encrypted, but all components of a facility’s mail exchange as well. Routers, mail servers, the sender’s inbox and even the recipient’s inbox can begin to be secured with the implementation of HIPAA email security.
Rimstorm’s unified approach provides a unique way to address the challenges of health care security and compliance. It helps IT teams with limited resources tackle the lack of security controls, manual monitoring processes and lack of threat intelligence. Contact us to learn how we can help you protect your organization and the livelihood of your patients.