What exactly does HIPAA require in regards to e-mail security?
HIPAA Weekly Advisor, September 5, 2003
Q: What exactly does HIPAA require in regards to e-mail security?
A: The HIPAA security rule standards don't even mention the word e-mail, but they imply that electronic communications containing PHI need to be secured. Basically, every standard in the security rule affects e-mail in one way or another.
Many of the addressable implementation specifications under each standard require a risk analysis to determine whether or not e-mails pose a security risk. If they do, then the implementation specification must be put into practice.
The security rule covers e-mails in transit and e-mails at rest on a local computer, e-mail server, or on a data backup. Virtually the entire security rule addresses some aspect of e-mail management and security.
To answer the popular question of whether or not e-mails have to be encrypted: well, it just depends. The transmission security standard says the following:
"Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
This standard contains two addressable implementation specifications, as follows:
1) Integrity controls: "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of."
2) Encryption: "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
At the beginning of the security rule, HHS encourages encrypting e-mails, but I'm not crazy about that suggestion. Why? I think the risk to e-mails in transit is extremely low. That's not where the real threats and vulnerabilities exist. Instead, the true risks surround data at rest, such as e-mails that are sitting in the e-mail database. I'm not saying don't encrypt. Just make sure you assess your risks and consider the pros and cons of your choice. By the way, don't forget to assess your e-mail risks for both internal and external communications.
E-mail is a very critical application for most organizations. Unfortunately, it's also one of the most vulnerable to security threats. The bottom line is if you use e-mail for PHI communications, you've got to consider almost every aspect of the security rule.
Editor's note: Answered by Kevin Beaver, CISSP, founder and president of Atlanta-based information security consulting firm Principle Logic, LLC, and from the upcoming September 2003 issue of Healthcare Information Security.