HIPAA / HITECH Compliance and Encrypted Email

General HIPAA HITECH Information

As we all know, HIPAA / HITECH compliance is a must in any medical profession, including optometry clinics. Fines for violations of these rules range from thousands of dollars into the millions. This article is not to be considered legal guidance whatsoever; it serves only to provide limited technical guidance.
To fall under the requirements of HIPAA / HITECH, a service provider must be a “Covered Entity”, which means one of the following three types:
  1. a health care provider that conducts certain transactions in electronic form (called here a “covered health care provider”),
  2. a health care clearinghouse, or
  3. a health plan.
As an IT Consultant, I do not fall under any of those 3 categories. However, there are times when I am transmitting information for clearinghouses, remote software logins, etc. Because of these edge cases and since I make extensive use of Google Apps for Work, I have signed a Business Associate Agreement with Google, and I employ multi-factor email authentication as well as follow Google’s best practices for data management even though no PHI (patient health information) is stored by me or my company.
I do use Dropbox Pro for certain documents. However, there is zero PHI or ePHI that is stored in Dropbox. If I were to need Dropbox in the future for PHI or ePHI, then Dropbox does offer a Business Associate Agreement for their business service.
Now, all tech people know that HIPAA and HITECH put too much focus on PHI and the Privacy Rule and not enough on strengthening the Security Rule. The truth is that, from a true security standpoint, most of the rules and guidelines are really quite general:
  • Physical safeguards must be in place, including limiting facility access and control, with measures such as password-protected screens so that only authorized people can get in. All covered entities (companies that must be HIPAA compliant) must have policies about the use of and access to workstations and electronic media. This includes transferring, removing, disposing of and re-using electronic media and electronic protected health information (ePHI).
  • Technical safeguards require access control so that only authorized users can reach electronic protected health data. Access control includes unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption.
    Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful for pinpointing the source or cause of any security violation.
  • Technical policies should also cover integrity controls: measures put in place to confirm that ePHI hasn’t been altered or destroyed. The typical retention period is 5-7 years, but it varies by state and by whether the PHI concerns children or adults. IT disaster recovery and offsite backup are key to ensuring that any electronic media error or failure can be quickly remedied and patient health information recovered accurately and intact. The HIPAA Security Rule Toolkit from NIST can provide some guidance for this.
  • Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts, to protect ePHI against unauthorized public access. This concerns all methods of transmitting data, whether by email, over the Internet, or even over a private network such as a private cloud.
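The audit-log and integrity-control safeguards above are easiest to understand with a concrete mechanism. The following is an added example, not code from the original post or from any product named in it: a minimal tamper-evident audit log in which every record is HMAC-chained to the one before it, so that any later edit, deletion or reordering of a record is detectable on verification. The key, user IDs, resource names and timestamps are all constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed example key. In a real deployment the key would be held by the
# log service (KMS/HSM), never in source, so that a workstation user who can
# edit the log file still cannot recompute a valid chain.
LOG_KEY = b"example-audit-log-key-not-for-production"
GENESIS = "0" * 64  # chain value before the first record


def _entry_mac(prev_mac: str, record: dict) -> str:
    """HMAC over the previous chain value plus the canonical JSON of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_entry(log: list, user_id: str, action: str, resource: str,
                 when: Optional[str] = None) -> dict:
    """Append one audit record, chained to the last record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {
        "seq": len(log),
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": action,
        "resource": resource,
    }
    entry = {"record": record, "mac": _entry_mac(prev, record)}
    log.append(entry)
    return entry


def verify_log(log: list) -> Optional[int]:
    """Return the index of the first broken entry, or None if the whole chain verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(prev, entry["record"])
        if entry["record"]["seq"] != i or not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return None


def demo() -> tuple:
    """Build a small log, verify it, then show that an after-the-fact edit is caught."""
    log = []
    # Constructed activity; the resource identifiers are placeholders, not real records.
    append_entry(log, "dr_smith", "VIEW", "patient/1001", "2016-03-01T09:00:00+00:00")
    append_entry(log, "frontdesk", "UPDATE", "patient/1001", "2016-03-01T09:05:00+00:00")
    append_entry(log, "dr_smith", "EXPORT", "patient/1001", "2016-03-01T09:07:00+00:00")
    intact = verify_log(log)          # None: chain is good
    log[1]["record"]["action"] = "VIEW"  # someone rewrites history
    tampered = verify_log(log)        # 1: first entry that no longer verifies
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Because each MAC covers the previous MAC, a change to record 1 also invalidates every record after it, and removing a record shifts the `seq` numbers, so deletion is caught as well. What this does not give you is protection against someone who holds `LOG_KEY`; that is why the key belongs with the logging service rather than on the workstations it audits.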


Also, training of employees is a requirement of the HIPAA Security Rule. I would strongly suggest that written policies be created and put into place, including having employees sign off on your stated policies. Periodic retraining and revision of those policies is also encouraged.

Remember – even without a security breach, all it takes is one disgruntled employee to make a phone call and report violations. The fines are very high. It is much less expensive to put in policies and plans now.

What about email communications?

While there is NOT a specification in the HIPAA HITECH rules for encryption of data, it is certainly a very good idea to encrypt your email communications. Many businesses and health organizations do not realize that the vast majority of email is transmitted in plain text. Even if your email provider uses TLS (commonly called SSL) in transit, that only covers the transmission of the data to your email provider. From your provider onward to the recipient, well, that is potentially the wild west: TLS is negotiated hop by hop, and every mail server along the way handles the message in the clear.

Virtually nobody uses true end-to-end encryption. The reason is two-fold. First, most people do not realize that email is very insecure, and the vast majority of people have no idea what encryption means. Secondly, end-to-end encryption is just not very easy to implement, even for technical people. There are typically several steps involved for both the sender and the recipient.
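One way to see the hop-by-hop nature of TLS for yourself is to read the `Received:` headers of a delivered message: each relay records how it accepted the message, and by the RFC 3848 convention `with ESMTPS` or `ESMTPSA` means that hop was TLS-protected while plain `with ESMTP` means it was not. The following is an added example, not code from the original post; the message headers, hostnames and IP addresses are constructed for illustration.

```python
import email
import re

# Constructed sample message (not a real delivery). Received headers are
# stacked newest-first, so the bottom one is the sender's first hop.
SAMPLE_MESSAGE = """\
Received: from mail.example-provider.net (mail.example-provider.net [192.0.2.10])
        by mx.example-clinic.com with ESMTPS id abc123
        for <frontdesk@example-clinic.com>; Tue, 01 Mar 2016 09:00:05 -0500
Received: from relay.example-lab.org (relay.example-lab.org [198.51.100.7])
        by mail.example-provider.net with ESMTP id def456;
        Tue, 01 Mar 2016 09:00:03 -0500
Received: from [10.0.0.5] (workstation.example-lab.org [10.0.0.5])
        by relay.example-lab.org with ESMTPSA id ghi789;
        Tue, 01 Mar 2016 09:00:01 -0500
From: lab@example-lab.org
To: frontdesk@example-clinic.com
Subject: Lab results

Body omitted.
"""

# "from <host> ... by <host> ... with <protocol>" as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.S,
)

# Protocol keywords that indicate the hop was accepted over TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}


def audit_hops(raw_message: str) -> list:
    """Return each relay hop in delivery order with whether it used TLS."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:  # header written in a form this simple pattern does not cover
            continue
        proto = m.group("proto").upper()
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def plaintext_hops(raw_message: str) -> list:
    """(from, by) pairs for every hop that crossed the network without TLS."""
    return [(h["from"], h["by"]) for h in audit_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:>32} -> {hop['by']:<28} {hop['protocol']:<8} {status}")
```

In the sample, the sender's own hop and the final delivery to the clinic both used TLS, yet the middle hop between the lab's relay and the provider went over the wire in plain text. Two caveats a practitioner would want: any upstream server can write whatever it likes into a `Received:` header, so only the hops recorded by servers you trust are evidence of anything; and `ESMTPS` only says TLS was negotiated, not that the certificate was checked. Neither caveat applies to end-to-end encryption of the message body, which is the point of the paragraph above.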

Google (through Gmail and Google Apps) was one of the first email providers to begin strongly encouraging the use of TLS with email. While Yahoo and Microsoft (via Hotmail and Outlook.com) have followed suit, you have to remember:

Neither Gmail (outside of Google Apps), nor Yahoo!, nor Hotmail, nor AOL, nor any of the other common providers is considered HIPAA / HITECH compliant.

If you are a health care provider and using Yahoo! or Hotmail or AOL for your email, you are taking a huge risk. You need to immediately implement an alternative email solution for your business such as Google Apps for Work with a Business Associate Agreement in place.

I strongly encourage the use of end-to-end email encryption, either with OpenPGP solutions such as Mailvelope (requires several steps and is not easy) or with commercial solutions such as Virtru, which will enter into a Business Associate Agreement with the paid offering. I really like ProtonMail, but they currently have no Business Associate Agreement system in place.