HIPAA Email Encryption Requirements

Confused about the HIPAA email encryption requirements? Unsure if your email is compliant? Here we explain when emails must be encrypted to help you ensure patient privacy and avoid regulatory fines for noncompliance.

What Does HIPAA Say About the Encryption of Protected Health Information?

There are several misconceptions about HIPAA and the encryption of protected health information (PHI). One source of confusion is that encryption is an ‘addressable’ requirement rather than a ‘required’ one, so it is useful to clarify these two terms. Required means the safeguard must be implemented for compliance. Addressable means it should be implemented, but if an alternative measure that fulfills the same purpose and provides an equivalent level of protection is implemented instead, that alternative may take the place of the addressable element. There may be valid reasons why encryption is not necessary in a given case; those reasons must be documented and justified.

For example, if you store PHI on a non-networked computer within your building, with access controls to prevent unauthorized individuals from accessing PHI, and you have appropriate physical security controls to prevent theft, it would be justified not to encrypt the PHI on the device. If PHI is stored on a portable storage device such as a thumb drive that is used off-site, or on a laptop that is used in a public area, then encryption would likely be required to prevent unauthorized access as the risk of access is much greater.

What are the HIPAA Email Encryption Requirements?

The HIPAA email encryption requirements only apply to emails containing PHI. Encryption is not required by HIPAA if no PHI is contained in emails or attachments. If PHI is being transmitted via email, whether encryption is required depends on where the emails are sent. If the email is sent internally, and all communications remain inside perimeter defenses such as a firewall, it would not be necessary to encrypt the contents of the email. If, however, the email is being sent externally beyond the protection of the firewall, it is possible that the email – and PHI – could be intercepted since emails are sent in plain text by default.

HIPAA does not prohibit the transmission of PHI via email, but if an open electronic network is used for the transfer, and email is such a network, then PHI can only be sent if it is adequately protected. It is recommended in such cases that emails and attachments be protected with encryption. There are different forms of encryption, and not all provide the same degree of protection; some encryption algorithms are no longer considered acceptable because they are not sufficiently robust. HIPAA-covered entities should refer to the latest guidance from the National Institute of Standards and Technology (NIST) for up-to-date information on the types of encryption to use; see NIST Special Publication 800-45 Version 2, Guidelines on Electronic Mail Security.

How TitanHQ Can Help You Comply with the HIPAA Email Encryption Requirements

Achieving compliance with the HIPAA email encryption requirements does not need to be complicated, and you do not need a skilled in-house IT team to start encrypting emails. TitanHQ offers a HIPAA-compliant email encryption solution, EncryptTitan, that is easy to implement and can be used to enforce the encryption of emails sent externally.

EncryptTitan is a 100% cloud-based email encryption solution that requires no on-premises hardware and prevents employees from sharing unsecured PHI. Policies can be set to encrypt all external emails, or the solution can be configured to inspect the email body and attachments and automatically encrypt sensitive messages. An Outlook plugin is also provided; used together with keyword-based encryption, it allows the user to select which emails should be encrypted.
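The decision logic described in this section and in the section above (no encryption needed when mail stays internal; encryption required when PHI leaves the perimeter, either by an encrypt-all-external policy or by content inspection of body and attachments), as an added example that is not TitanHQ's or EncryptTitan's code. The internal domain, the PHI indicator patterns and the message fields are constructed assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed organisation domain (constructed); anything else counts as external.
INTERNAL_DOMAINS = {"clinic.example"}

# Constructed PHI indicators: identifier shapes and labels, plus a few clinical
# keywords. A production DLP rule set would be far broader and tuned per site.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                    # SSN-shaped number
    re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),      # medical record number
    re.compile(r"\b(diagnosis|prescription|lab results?)\b", re.IGNORECASE),
]

@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text

def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS

def phi_indicators(text: str) -> list[str]:
    """Return the patterns that matched, so the decision can be audited."""
    return [p.pattern for p in PHI_PATTERNS if p.search(text)]

def encryption_decision(msg: Message, encrypt_all_external: bool = False) -> tuple[bool, str]:
    """Decide whether the message must be encrypted, with a human-readable reason.

    Internal-only mail is left alone; external mail is encrypted either by blanket
    policy or because the body or an attachment carries a PHI indicator.
    """
    external = [r for r in msg.recipients if is_external(r)]
    if not external:
        return False, "all recipients internal"
    if encrypt_all_external:
        return True, "policy: encrypt all external mail"
    texts = [msg.body, *msg.attachments.values()]
    hits = [h for t in texts for h in phi_indicators(t)]
    if hits:
        return True, f"PHI detected ({len(hits)} indicator(s)) for external recipient(s)"
    return False, "external recipient(s) but no PHI detected"
```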

Once encrypted, emails can only be decrypted by the intended recipient on their device. End-to-end encryption is also possible. This requires the recipient to authenticate before they are permitted to view a message. The solution does not require the recipient to be using any specific mail system, or even have the solution installed. EncryptTitan is also quick and easy to set up and use.

For more information on meeting your HIPAA email encryption requirements for compliance, contact TitanHQ today.