If you’re running an I.T. business and trying to understand HIPAA compliance as far as email security is concerned, you’re not alone. I.T. shops are scrambling to find solutions for their clients that are “HIPAA compliant.” But what exactly does that mean? For the most part, HIPAA compliance means you need a set of policies and procedures on the appropriate use and safeguarding of protected health information (PHI), processes to validate that those policies and procedures are followed, and supporting technology to facilitate secure and protected communications. In my opinion, it does a very poor job of defining, in any reasonable detail, “how” to protect PHI in email form. The Privacy Rule requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including reasonable safeguards against any intentional or unintentional use or disclosure in violation of the Privacy Rule, and the Security Rule applies those principles specifically to electronic PHI (ePHI), which is what email carries.
Furthermore, the Security Rule’s transmission security standard (which can be read here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf) addresses encryption directly, but it does not mandate it: encryption is an “addressable” implementation specification, meaning a covered entity must assess whether encrypting ePHI in transit is reasonable and appropriate, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. In practice, this means covered entities police themselves in regard to the use of public networks, must possess a solution to protect ePHI as it is transmitted, and must document that solution. The Security Rule goes on to state that it is perfectly acceptable for ePHI to be sent over a public network as long as it is “adequately protected.”
If you’re not confused yet, I salute you. What I have gathered is that HIPAA = security + training + policies + procedures, all of which “should be” monitored and audited for compliance. It is the equivalent of saying, “You shouldn’t speed because you might get a ticket.” In this case, you should provide some reasonable level of security, train your staff and end-users on that security, and create policies and procedures to comply with HIPAA guidelines. Otherwise, that “speeding ticket” can range from a simple warning to civil penalties of up to $1.5 million per year for each provision violated, with criminal penalties of up to 10 years in prison for the most serious cases, depending on the severity of the breach (see: http://www.mcguirewoods.com/Client-Resources/Alerts/2013/2/HIPAA-Omnibus-Final-Rule-Implements-Tiered-Penalty-Structure-HIPAA-Violations.aspx).
It’s my opinion that the goal here is to protect the transmission and storage of sensitive patient data while trying not to impose a decisive method on how that data should be protected. While I am not claiming to speak for any government official, in a way, I believe the government body is saying, “Listen, be smart. Do everything in your power and ability to protect data in transit and the storage of that data. And if we deem there to be a compliance issue, we will weigh that violation and determine a suitable penalty.” While there’s a veil of ambiguity that shrouds the strategy or implementation of ePHI compliance, you have to admire any body of government that takes an approach of flexibility, allowing the entities to take a best-practices approach to the technology that is available. In fact, as previously mentioned above, technology (or the security of that technology) is only a piece of the HIPAA compliance equation. However, since this is mainly a technology blog, let’s talk about how ExchangeDefender’s Corporate Encryption can help you and your clients meet HIPAA requirements.
ExchangeDefender Corporate Encryption addresses four major areas of concern when thinking about email security:
• Pattern Matching – Pattern-based encryption that can detect credit card numbers, social security numbers, dates of birth and other account-specific data in outbound mail.
• Lexicon Keyword Matching – Lexicon dictionaries can contain words and word patterns that trigger the encryption mechanisms and protect against data leakage.
• Corporate Encryption Mechanisms – Corporate encryption mechanisms can automatically encrypt messages or forward the contents to the administrator for corporate review.
• Comprehensive Reporting – Comprehensive reporting of all email activity, as well as Compliance Officer (CO) reporting with search capabilities, provides proof of regulatory compliance and simplifies reporting.
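To make the first three bullets concrete, here is a small outbound-mail policy engine written for this post as an added example. It is not ExchangeDefender’s code and says nothing about how their engine is built; the lexicon, the regular expressions, the action names (encrypt / review / deliver) and the sample messages are all constructed for the illustration. The one practitioner detail worth noticing is the Luhn check on card-number candidates: a bare 16-digit regex flags order numbers and tracking IDs, and a DLP rule that fires on those trains users to ignore it.

```python
import re

# Constructed lexicon for this example; a real deployment maintains its own
# dictionary of terms that indicate PHI or other regulated content.
LEXICON = ["medical record number", "patient id", "diagnosis", "mrn", "ssn"]

# Longest terms first so multi-word phrases win over their shorter fragments.
LEXICON_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in sorted(LEXICON, key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)

# US SSN: rejects area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits with optional single space/dash separators. These are only
# candidates; luhn_ok() below decides whether they are plausible card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# A date counts as a date of birth only when it is labelled as one; flagging
# every date in every message would drown the administrator in false positives.
DOB_RE = re.compile(
    r"\b(?:dob|date of birth)\b[:\s]*"
    r"((?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (separators stripped) that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_lexicon_terms(text: str) -> list:
    """Return the distinct lexicon terms present, lower-cased and sorted."""
    return sorted({m.lower() for m in LEXICON_RE.findall(text)})


def decide_action(findings: dict) -> str:
    """Policy: structured identifiers force encryption; lexicon-only hits go to review."""
    if findings["ssn"] or findings["credit_card"] or findings["dob"]:
        return "encrypt"
    if findings["lexicon"]:
        return "review"
    return "deliver"


def classify_message(subject: str, body: str) -> dict:
    """Scan subject and body, return what was found and what to do with the message."""
    text = f"{subject}\n{body}"
    findings = {
        "ssn": SSN_RE.findall(text),
        "credit_card": find_card_numbers(text),
        "dob": DOB_RE.findall(text),
        "lexicon": find_lexicon_terms(text),
    }
    return {"findings": findings, "action": decide_action(findings)}


if __name__ == "__main__":
    # Constructed sample messages; none of these identifiers belong to a real person.
    samples = [
        ("Lab results", "Patient ID 44812, SSN 123-45-6789, diagnosis attached."),
        ("Payment", "Please bill card 4111 1111 1111 1111 exp 12/26"),
        ("Order", "Ref 4111 1111 1111 1112 is an order number"),
        ("Meeting", "Follow up on the diagnosis discussion from Tuesday"),
    ]
    for subject, body in samples:
        result = classify_message(subject, body)
        print(f"{subject:12s} -> {result['action']:8s} {result['findings']}")
```

The third sample is the interesting one: it has the shape of a card number but fails Luhn, so it is delivered unencrypted instead of generating a false alarm. Whether lexicon-only matches should encrypt automatically or go to the administrator is a policy choice each organization has to make and document, which is exactly the self-policing the Security Rule describes.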
ExchangeDefender Corporate Encryption provides an easy and seamless way for organizations of all sizes to implement content protection and comprehensive control over information being sent through email. Powered by ExchangeDefender, Corporate Encryption complies with SOX, HIPAA, SEC and local government requirements for information encryption while providing powerful audit and policy wizards to meet each organization’s unique goals. We provide all these features without you having to invest in expensive equipment and colocation fees. If you have additional questions about our Corporate Encryption service or any of our ExchangeDefender solutions, give us a call at 877-546-0316. We will be more than happy to assist you in building a solid business solution portfolio.