New HIPAA / HITECH regulations extend compliance requirements to Business Associates of HIPAA covered entities. As a hosting provider, ChicagoNetTech must not only protect our servers and the data stored on them, but must also work with our hosted clients to achieve compliance for their e-mail and for any other data entrusted to us under our hosting agreement that is required to be hosted on, or accessible via, secured servers.
Netlou's SmarterMail e-mail hosting solution meets the requirements of the most recent updates to the HITECH portion of HIPAA. Our SSL / TLS secured e-mail interfaces, included with all hosted packages at no additional cost, ensure that your e-mail is encrypted from the time it is written to the point of delivery (see note 1 below on the TLS support required of every server in the delivery path). We can also provide searchable archives of all incoming and outgoing e-mail. Please read on to see why HIPAA / HITECH compliance is so important when choosing your e-mail and web hosting provider.
HIPAA Overview: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implemented new rules for the healthcare world. By mandating compliance with its Privacy and Security Rules, the federal government committed itself to enforcing patients' rights. Industry professionals (financial, administrative and clinical) are no strangers to the regulatory compliance culture. HIPAA applies to a "covered entity", i.e. healthcare providers, clearinghouses and health plan payers that meet certain conditions. In essence, most providers are covered entities if they run an electronic office, meaning they store and exchange data via computers over intranets, the Internet, dial-up modems, DSL lines, T-1 circuits, etc.
When HIPAA (Health Insurance Portability and Accountability Act of 1996) was signed into law by President Bill Clinton in August 1996, it was primarily aimed at providing workers with easier ways to continue their healthcare insurance coverage whenever they changed jobs.
One area that was given consideration was the transfer of patient records. To make this procedure easier for workers and the affected companies, legislators decided that records and relevant data had to be made more “portable” (hence the ‘Portability' in HIPAA), i.e., easy to transfer.
The easiest and fastest way to transmit such data is electronically, and the most commonly used electronic channel is e-mail. Unfortunately, SMTP e-mail was designed to carry messages in cleartext, so data sent by ordinary e-mail is rarely, if ever, safe from prying eyes.
Because patient records are highly likely to be transmitted back and forth by e-mail during a change of jobs, legislators found it prudent to add provisions that safeguard the confidentiality of those records when they are stored or sent electronically.
Who and what is covered by HIPAA: HIPAA, through its Privacy Rule (issued in 2000 and strengthened by the HITECH Act of 2009 and the rules implementing it), calls for protection against unauthorized disclosure of individually identifiable health information when it is stored or sent by a covered entity. This kind of information is better known as protected health information, or PHI. If the PHI is stored or sent electronically (as in the case of e-mail), the term ePHI (electronic protected health information) is used.
What exactly do we mean by individually identifiable health information? Any data you obtain from a patient while administering health care that can be used to identify the patient (e.g. the patient's name, Social Security Number, health plan beneficiary numbers, and a whole lot more) is considered individually identifiable health information.
If you belong to a covered entity and are found to have made unauthorized disclosures of PHI as a result of poor e-mail security, you can be held liable. Civil penalties start at $100 per violation and, under the tiers introduced by HITECH, rise to $50,000 per violation, with an annual cap of $1.5 million for identical violations; knowing misuse of PHI is a criminal offense carrying fines of up to $250,000 and imprisonment, depending on the circumstances.
Do the rules of HIPAA apply to me? At first, HIPAA only covered organizations and companies that were directly related with healthcare services. More specifically, the original set of entities covered by HIPAA only included:
- health plans – individual and group plans that provide or pay the cost of medical care. This includes health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, and Medicaid, among others.
- healthcare clearinghouses – entities who process nonstandard information received from another entity into standard form and vice versa.
- health care providers – doctors, psychologists, nursing homes, and other providers who transmit certain information in electronic form.
That was when HIPAA was first introduced. Since HITECH, business associates of covered entities (including hosting providers that store or transmit ePHI on their behalf) are directly subject to the Security Rule and to much of the Privacy Rule, so the list of organizations that must comply has gotten longer.
HIPAA requirements that affect e-mail: Before you can start working on achieving e-mail compliance, you first have to identify the specific HIPAA standards you need to comply with. The standards affecting e-mail systems can be found in the Technical Safeguards section of the HIPAA Security Rule (45 CFR § 164.312). These standards include:
- Access Controls . A covered entity must implement technical policies and procedures limiting access to systems containing electronic protected health information (ePHI) only to personnel with sufficient access rights (§ 164.312 (a))
- Audit Controls . A covered entity must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. (§ 164.312 (b))
- Integrity . A covered entity must implement policies and procedures to protect ePHI from improper alteration or destruction. (§ 164.312 (c))
- Person or entity authentication . A covered entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. (§ 164.312 (d))
- Transmission security . A covered entity must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. (§ 164.312 (e))
Some of the implementation specifications laid down to address those standards involve:
- unique user identification
- a mechanism to authenticate ePHI and to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
- security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of
- encryption and decryption of ePHI (listed under both Access Control and Transmission Security)
HIPAA email security applies specifically to Protected Health Information [PHI]: PHI, defined in HIPAA language, is: health information of an identifiable individual that is transmitted by electronic media; maintained in any electronic medium; or transmitted or maintained in any other form or medium. All administrative, financial, and clinical information associated with a patient is considered PHI.
- Privacy Standards: The HIPAA Privacy Rule sets standards for protecting the rights of individuals (patients). Covered entities must follow the laws that grant every individual the right to the privacy and confidentiality of their health information. Protected Health Information is subject to an individual's rights on how such information is used or disclosed.
- Privacy Standard Key Point: Controlling the use and disclosure of oral, written and electronic protected health information (any form).
- Security Standards: Taking the Privacy Rule a step further, HIPAA implemented the Security Rule to cover electronic PHI (ePHI). To this end, more secure and reliable information systems help protect health data from being “lost” or accessed by unauthorized users.
- Security Standard Key Point: Controlling the access to electronic forms of protected health information (not specific to oral or written).
The Privacy and Security Rules focus on information safeguards and require covered entities to implement the necessary and appropriate means to secure and protect health data. Specifically, the regulations call for organizational and administrative requirements along with technical and physical safeguards.
The HIPAA rules were enhanced by the American Recovery and Reinvestment Act of 2009, most of whose relevant provisions took effect in February 2010. The HITECH section of this act implements significant penalties for breaches of HIPAA and requires that the business associates of organizations covered by HIPAA must themselves obey the HIPAA Privacy and Security Rules, and face liability if there are any unauthorized disclosures.
Provisions of the HIPAA Security Rule as they apply to e-mail: The HIPAA language uses the terms 'required' and 'addressable':
- Required means that complying with the given standard is mandatory and, therefore, must be complied with.
- Addressable means that the given standards must be implemented by the organization unless assessments and in depth risk analysis conclude that implementation is not reasonable and appropriate specific to a given business setting. Important Note: Addressable does not mean optional.
- With regard to addressable, an organization should read and decipher each Security standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization.
The General Rules of the Security Standards reflect a “technology-neutral” approach. Technology-neutral means there are no specific technological systems to employ and no specific recommendations, just so long as the requirements for protecting the data are met. Those requirements include:
- Organizational requirements refer to specific functions a covered entity must perform, including the use of business associate contracts and the development, documentation and implementation of policies and procedures.
- Administrative requirements guide personnel training and staff management in regard to PHI and require the organization to reasonably safeguard (administrative, technical and physical) information and electronic systems.
- Physical safeguards must be implemented to protect computer servers, systems and connections, including the individual workstations. This section covers security concerns related to physical access to buildings, access to workstations, data back up, storage and obsolete data destruction.
- Technical safeguards must be implemented to protect the Protected Health Information [PHI] that is maintained or transmitted by any electronic media.
How important is e-mail encryption? In the HIPAA Security Rule, encryption appears in the implementation specifications of two standards: Access Controls (§ 164.312 (a)(2)(iv)) and Transmission Security (§ 164.312 (e)(2)(ii)). In both cases it is classified only as an "addressable" implementation specification.
What does addressable mean? HIPAA classifies each implementation specification as either “required” or “addressable”. Implementation of a specification labeled as “required” is, as the term suggests, mandatory. This might mislead you to think that, being an “addressable” specification, it might only be optional and, therefore, shouldn't be given too much importance.
However, as we read through supporting documentation, and some of the SP-800 publications referenced in the HITECH documentation, we need to be very careful in interpreting the word “addressable”, as it does not mean “optional”.
According to HIPAA: If an implementation specification is labeled “addressable”, then you must assess whether the specification is a reasonable and appropriate safeguard for protecting ePHI.
If you find the implementation specification reasonable and appropriate, then you should implement it. Otherwise, you will have to document why it would not be reasonable and appropriate to implement, and then find an alternative that is.
Because the contents of a regular e-mail are stored and transmitted as plain text, and because copies of those contents are normally kept in multiple places (your computer, your mail server, the recipients' computers and the recipients' mail servers), each of which can be vulnerable to unauthorized access, it is very hard to document a defensible reason for not encrypting.
Encryption prevents unauthorized reading of ePHI in an e-mail. It is therefore reasonable and appropriate to implement e-mail encryption to guard against unauthorized access to ePHI, and the "addressable" label does not change that conclusion.
E-mail encryption helps in attaining HIPAA and HITECH compliance: When your e-mail message is encrypted in transit, it won't matter if it is intercepted by malicious individuals on the network. They won't be able to read the information inside, and TLS also detects any tampering with the message while it is on the wire. Note that transport encryption protects the message between servers; each server that stores a copy of the message still needs its own access, audit and storage safeguards. With both in place, individually identifiable health information is kept confidential.
In summary, one of the main objectives of HIPAA is to prevent unauthorized disclosure of individually identifiable health information. Encryption achieves this objective.
Netlou's SmarterMail e-mail hosting solution meets the requirements of the most recent updates to the HITECH portion of HIPAA. Our SSL / TLS secured e-mail interfaces, included with all hosted packages at no additional cost, ensure that your e-mail is encrypted from the time it is written to the point of delivery (see note 1). We can also provide searchable archives of all incoming and outgoing e-mail. Contact us today to learn how we can make your organization's e-mail compliant with the HIPAA / HITECH requirements.
To read the HITECH portion of the HIPAA requirements, see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html
To learn more about HIPAA / HITECH requirements and keep up to date with the fast-paced changes to them, check out HIPAA.ORG.
The complete HIPAA requirements are available from the U.S. Department of Health and Human Services at hhs.gov.
1. SMTP TLS is negotiated hop by hop, so encryption of a message depends on every e-mail server used in routing and delivering it being TLS-capable; if one hop in the path does not offer STARTTLS, the message is relayed to that hop in cleartext unless the sending server is configured to refuse delivery without TLS. To check the TLS support of the servers for any e-mail address, open this link http://www.checktls.com/perl/TestReceiver.pl?ASSURETLS, select DETAIL or CERT DETAIL, and follow the instructions to enter an e-mail address on the e-mail server you would like to test.
Upon completion of the TLS testing, you will see a score and a listing of any problems. Some e-mail servers run greylisting and temporarily reject the test's attempt to validate the recipient address; such a rejection does not by itself mean the server lacks TLS, and does not cause the TLS test to fail.
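The check described in note 1 can also be scripted. The following is an added example written for this page, not code from the original page or from the hosting provider: parse_ehlo() works offline on a captured EHLO reply (the sample replies are constructed), assess() classifies one hop, path_encrypted() applies the "every hop must offer STARTTLS" rule, and check_mx_starttls() performs a live check against one mail server whose host name the caller supplies (e.g. from the domain's MX record; the host names used here are assumptions).

```python
"""Check whether SMTP servers in a delivery path offer and negotiate STARTTLS.

Added example (not from the original page or the hosting provider). Uses only
the Python standard library. A live check needs outbound port 25; the parsing
and path logic run offline.
"""
import smtplib
import ssl
import sys


def parse_ehlo(response):
    """Parse a raw multi-line EHLO reply into {EXTENSION: parameters}.

    Constructed input example:
        b"250-mx.example.net Hello\r\n250-SIZE 52428800\r\n250 STARTTLS\r\n"
    The first line is the server greeting and carries no extension, so it is
    skipped. Lines that are not 250 replies are ignored.
    """
    caps = {}
    lines = response.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()            # strip "250-" or "250 "
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


def assess(caps):
    """Classify one hop from its EHLO extensions."""
    if "STARTTLS" not in caps:
        return "NO_TLS"                    # mail to this hop travels in cleartext
    return "STARTTLS_OFFERED"              # TLS can be negotiated with this hop


def path_encrypted(hop_caps):
    """True only if every hop in the path offers STARTTLS (note 1 above)."""
    return all(assess(c) == "STARTTLS_OFFERED" for c in hop_caps)


def check_mx_starttls(host, port=25, timeout=10):
    """Live check: connect, EHLO, negotiate STARTTLS, report version and cipher.

    `host` is assumed to be the recipient domain's MX host. A server that
    does not offer STARTTLS is reported, not treated as an exception, so a
    caller can test several hops and print a table.
    """
    ctx = ssl.create_default_context()     # verifies the certificate chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False,
                    "tls_version": None, "cipher": None}
        smtp.starttls(context=ctx)
        smtp.ehlo()                        # RFC 3207: re-issue EHLO after TLS
        return {"host": host, "starttls": True,
                "tls_version": smtp.sock.version(),
                "cipher": smtp.sock.cipher()[0]}


if __name__ == "__main__":
    # Usage: python check_starttls.py mx1.example.net [mx2.example.net ...]
    for mx in sys.argv[1:]:
        try:
            print(check_mx_starttls(mx))
        except (OSError, smtplib.SMTPException, ssl.SSLError) as exc:
            print({"host": mx, "error": str(exc)})
```

The live check verifies the server certificate against the system trust store and refuses anything below TLS 1.2; a hop that fails either test is one where a sending server doing only opportunistic STARTTLS would still deliver, so the error is worth recording rather than silently retrying.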