HIPAA Email Compliance

Updated: September 18, 2018 - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, established national standards for the protection of certain health information. The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, established a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy Rule, while the Centers for Medicare & Medicaid (CMS) has responsibility for enforcing the Security Rule; both perform voluntary compliance activities and can impose civil money penalties.

The Security Rule does not expressly prohibit the use of email for sending electronic PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI sent and received over email communications.

The standard for transmission security (§ 164.312(e)) has been updated to enforce the use of encryption. This means that each covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for electronic PHI to be sent over an electronic open network (such as the internet) as long as it is adequately protected.

In 2010, the HITECH Act (Health Information Technology for Economic and Clinical Health) went into effect, amending the HIPAA Privacy and Security Rules. One of the most notable changes is in the penalties for a breach of patient information as a violation of patients’ rights under HIPAA. When HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000. Now, the maximum penalty is $1.5 million.

In 2013, HHS and OCR announced a final rule, called the Omnibus Rule, that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA. The final Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

Fines as well as criminal penalties can be imposed on the violating institution and the individuals involved. State Attorneys General in all states now have the power to audit and penalize covered entities in their home state.

EnGuard HIPAA Email Compliance

Enterprise Guardian, an American company based in Southern California, is a hosted HIPAA compliant email service provider for health care providers, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, hospitals, and billing services.

We are HIPAA, HITECH, and OMNIBUS Compliant!

99% of covered entities make the huge mistake of thinking they can become HIPAA Compliant by simply deploying an email encryption solution. What they fail to understand is there is a lot more to HIPAA Email Compliance than just using encryption.

Our team of Certified HIPAA Security Experts has engineered our email service from the ground up to comply with the standards of the HIPAA Privacy and Security Rules. We have gone through training and certification, and have identified 6 areas a covered entity must correctly address in order for its email communications to be fully HIPAA Compliant:

  1. Access Control. Enterprise Guardian has implemented technical policies and physical procedures that restrict anyone from accessing stored email messages and electronic protected health information (e-PHI) on all of our servers. We own and operate our Private Cloud at a state-of-the-art datacenter in Irvine, California with video surveillance and round-the-clock security personnel. In order to gain physical access to our servers, a person must surrender their photo ID, have a keycard, and pass through mantraps with biometric verification.
  2. Privacy Control. Enterprise Guardian ensures your data is private and secure. We do not outsource our customer service or technical support overseas; you will always be helped by a highly-trained staff member here in Southern California. All of our employees are college educated, and they must pass an extensive national, federal, and county criminal background check. Our employees are screened to be certain that they have never been convicted sex offenders or placed on a terrorist watch list, and they must also pass a rigorous drug screening. Our systems cannot be accessed off-site. Rest assured: your data is in good hands.
  3. Audit Controls. Enterprise Guardian has implemented hardware, software, and procedural mechanisms to record and examine access and other activity in our information systems. We keep a log of all email activity including user ID, date, time, sender, recipient, type of encryption, and more for a minimum of 6 years. This data can be examined by the Department of Health and Human Services anytime during an audit. In an effort to protect our customers from unauthorized access, we also monitor and record all failed login attempts, hacking activity, and password resets.
  4. Integrity Controls. Enterprise Guardian has implemented policies and procedures to ensure that e-PHI is not improperly altered or destroyed. All outgoing emails are digitally signed to ensure their integrity and authenticity, and each message passes through our Data Loss Prevention (DLP) system. We run our own DNS infrastructure with DNSSEC and DDoS protection to guard all incoming email against man-in-the-middle attacks. To protect your data, we only use the best Enterprise Solid State All-Flash data storage systems.
  5. Transmission Security. Enterprise Guardian has implemented technical security measures that guard against unauthorized access to e-PHI as it is transmitted over the internet. We use the strongest encryption available with Transport Layer Security (TLS 1.2) and 256-bit AES encryption. We also provide advanced features such as the ability to send secure attachments up to 2GB in size with Secure File Link, and password protected encrypted messages via our Secure Messaging System.
  6. Business Associate. Enterprise Guardian is considered a Business Associate and provides every customer with a signed Business Associate Agreement (BAA) outlining the permitted and required uses of protected health information by us. In a nutshell, we do not access your data outside of support purposes, period. This ensures that the privacy and security of your email is completely protected and confidential. During an audit, a signed Business Associate Agreement from us will satisfy the Department of Health and Human Services.

HIPAA Email Archiving

Though HIPAA puts forth some standards for sending PHI via emails, it doesn't stipulate specific regulations regarding email archiving. It does recommend archiving email in a safe and comprehensive manner since the archiving of emails (carrying PHI) contributes to making electronic patient health information (e-PHI) more secure.

Our Advanced Real Time Backup System allows easy backup and retrieval of emails beyond the mandated six-year preservation period for e-PHI. We will archive your data indefinitely for as long as you are a customer.
