How to Make Your Email HIPAA Compliant in 2022

Hoala Greevy, Paubox Founder and CEO

Healthcare providers and business associates have been obligated to maintain the security of patient information since the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. In the years that followed, however, the industry underwent rapid digital transformation, including the proliferation of electronic health records and the distribution of protected health information (PHI) via electronic fax and email.

New technologies introduced new vectors for attack. As healthcare organizations fully transition to operate in a digital environment, the opportunities to lose PHI through human error and cybercriminal activity increase. According to the U.S. Department of Health and Human Services (HHS), more than 40 million people had their personal health information exposed in data breaches in 2021 alone. Providers must be cognizant of the implications if they experience a data breach, including heavy fines and the expense of repairing cybercrime damage.

HIPAA compliant email requires more than the implementation of an email security provider; it also requires employee training, email encryption and data protection in transit and at rest.

  • Employee Training: Healthcare organizations must provide employees with consistent and digestible training sessions to ensure a clear understanding of protecting PHI.
  • 100% Email Encryption: In order to guarantee that no PHI is shared via email unencrypted, every outbound email should be encrypted by default.
  • Securing PHI at Rest and in Transit: Providers must secure patient information at rest to decrease a cybercriminal’s chance of accessing PHI.

Read on to understand how you can make your organization’s email HIPAA compliant in 2022.

Properly Train Staff

In 2020, human error accounted for 30% of healthcare breaches. Healthcare online security training requires educating employees on securing confidential patient information. HIPAA encourages covered entities to train their staff to recognize, report and respond to security breaches in a timely manner. Doctors, nurses and administrative staff who disregard formal training can unknowingly give cybercriminals access to PHI, and patient information can end up on the black market as a result.

Hackers target healthcare organizations to obtain PHI, including health records and history, lab results and medical bills, for sale on the black market. Bad actors can use this information to steal prescription drugs, scam victims, create fake insurance claims and take advantage of medical conditions. Cybercriminals can make millions of dollars by stealing PHI, which makes infiltrating the healthcare industry a lucrative proposition in 2022.

With this in mind, covered entities must be intentional with their approach to training. Sessions that run too long or pack a lot of material in one session do not equip employees to fulfill their role in identifying a network breach or securing patient data. Proper training is crucial in ensuring healthcare organizations safeguard themselves from cybercriminals. This includes regularly scheduled HIPAA compliance training sessions for all employees.

Healthcare organizations can ensure email security and HIPAA compliance don’t take a back seat by creating interactive and consistent educational training agendas. Instructors can replace mundane written quizzes with role play scenarios. By demonstrating how a security breach affects an entire organization, employees are more likely to understand the importance of consistent email security.

Secure PHI at Rest and in Transit

HIPAA requires PHI to remain secure in transit and at rest. Because PHI in transit often seems more exposed to bad actors, providers tend to focus on end-to-end encryption and less on securing patient data at rest. However, healthcare organizations must also protect patient data kept on servers (e.g. an email inbox), in cloud storage or on a unit’s workstation. Passwords and individual user accounts act as safeguards for securing PHI at rest.

Third-party email servers are designed for day-to-day consumer and business use and are not required to offer a business associate agreement (BAA). However, popular email providers such as Microsoft 365 and Google Workspace will sign a BAA with covered entities. A BAA is a written contract between a covered entity and a business associate that establishes each party’s responsibilities related to PHI. Without a BAA, there is no guarantee that data stored on third-party servers is secure, and if bad actors access patient information, providers can be left with all the liability following a breach.

More than 250 healthcare organizations reported an email breach in 2021, with each breach affecting between 500 and 1.5 million individuals. A covered entity can partner with a HIPAA compliant email provider to ensure seamless email protection and decrease the chances of a cybercriminal compromising PHI while at rest. In doing so, providers can feel confident knowing their organization will not join the HIPAA Wall of Shame.

However, signing a BAA with your email provider is not enough to ensure that you are sending HIPAA compliant email.

Ensure 100% Email Encryption

Securing PHI at rest is important to the safety of a healthcare organization. Securing it in transit is equally as important. HIPAA requires healthcare providers to take reasonable steps to protect electronic PHI (ePHI) from their computer to the recipient’s mailbox. Covered entities can leverage email encryption to ensure patient information is secure both in transit and at rest. However, unless a provider has implemented 100% email encryption, PHI is at risk of interception by a cybercriminal.

Most mainstream email providers support the Transport Layer Security (TLS) protocol, but in its common opportunistic configuration TLS prioritizes delivering messages over encrypting them: if the receiving server does not negotiate TLS, the message is sent anyway in plaintext. So while an email may successfully travel to a patient’s inbox, it may not arrive encrypted. In fact, Google data reveals its servers successfully encrypted 81% of all outbound emails since January 2021. HIPAA requires 100% email encryption.
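Whether a message actually travelled encrypted can be audited after the fact: each mail server records the transfer protocol in the Received: header it prepends, and the RFC 3848 keywords ESMTPS and ESMTPSA (and their UTF8SMTP variants) mean that hop used TLS. The following Python script is an added example, not Paubox code; the message, host names and addresses in it are constructed for illustration. It walks the Received: chain of a message in delivery order and flags any hop that was delivered in the clear.

```python
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample: the first hop (workstation -> clinic MX) used TLS,
# the second hop (clinic MX -> patient's provider) fell back to plaintext.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbox.patientmail.example with ESMTP id 4Fq2x3
\tfor <patient@patientmail.example>; Mon, 10 Jan 2022 09:15:02 -0800
Received: from ws-frontdesk.clinic.example (ws-frontdesk.clinic.example [192.0.2.44])
\tby mx.clinic.example (Postfix) with ESMTPSA id 1A2B3C
\tfor <patient@patientmail.example>; Mon, 10 Jan 2022 09:15:01 -0800
From: frontdesk@clinic.example
To: patient@patientmail.example
Subject: Lab results

Please see the attached results.
"""

# RFC 3848 / RFC 6531 "with" keywords that imply a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# from <host> ... by <host> ... with <protocol>; other clauses are ignored.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z0-9]+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return one record per Received: header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            # A header we cannot parse is treated as unverified, i.e. not encrypted.
            hops.append({"from": None, "by": None, "with": None, "encrypted": False})
            continue
        proto = m.group("with").upper()
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "with": proto, "encrypted": proto in TLS_PROTOCOLS})
    # Each server prepends its header, so the top one is the newest hop.
    return list(reversed(hops))


def fully_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop negotiated TLS."""
    hops = parse_hops(raw_message)
    return bool(hops) and all(h["encrypted"] for h in hops)
```

Received: headers added by servers outside your control can be forged or omitted, so this check is a useful inbound audit and training aid, not a substitute for enforcing encryption on the sending side.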

Covered entities and business associates that don’t comply with HIPAA’s requirements are subject to fines from the Office for Civil Rights (OCR) division within HHS. Those fines can climb upwards of $50,000 per violation, depending on the severity. The bottom line is that healthcare organizations must protect ePHI both while on a server and in transit to a patient or other healthcare entity.

Partnering with a business associate that is HITRUST certified and ensures 100% email encryption enables employees to send and receive emails securely without running the risk of fines. But, even more importantly, email encryption can help keep cybercriminals at bay and return confidence to doctors, nurses and other healthcare professionals.

Training is a staple requirement within the healthcare industry. Doctors, nurses and administrative staff undergo intensive training sessions to understand and protect patient confidentiality under HIPAA. However, covered entities must take additional steps to maintain the safety of patient information as hackers become more attuned to the ways healthcare organizations distribute PHI. This is why pairing employee training with a HIPAA compliant, HITRUST certified email provider is imperative to an organization’s ability to secure PHI and maintain patient confidence in 2022.

About the Author

Hoala has 22 years’ experience in the email industry, dating back to his first job out of college at Critical Path in San Francisco in 1999. Prior to founding Paubox, Hoala started Hawaii’s first SaaS company (Pau Spam) in 2002. Hoala holds two patents related to email security and graduated from Portland State University with a B.S. in geography and social sciences. An avid kayak fisherman, Hoala has caught three blue marlin from his ocean kayak Scupper Pro. He also holds the IGFA world record for the finescale triggerfish.