Under the HIPAA compliance email encryption rules, emails containing electronic Protected Health Information (ePHI) must be encrypted at rest and in transit unless encryption is assessed not to be a reasonable and appropriate safeguard for PHI, in which case an equally effective alternative measure must be deployed.
The HIPAA compliance email encryption rules can be found in the Technical Safeguards of the HIPAA Security Rule. The “addressable” implementation specifications instruct covered entities and business associates to “implement a mechanism to encrypt and decrypt electronic protected health information” (for data at rest) and “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate” (for data in transit).
Addressable vs Required Implementation Specifications
It is important to clarify the terms “addressable” and “required” regarding HIPAA compliance. Required is quite clear: if an implementation specification is required, it must be implemented. The term addressable is used to provide a degree of flexibility for complying with certain standards. If an implementation specification is addressable, as is the case with encryption, HIPAA-regulated entities can either:
- Implement the specification
- Implement one or more alternative security measures that achieve the same purpose, if it is reasonable and appropriate to do so
- Not implement the specification or an alternative, if it is unreasonable and inappropriate to implement it
It is only possible to make such a determination by conducting a risk analysis and ensuring all risks relevant to the specification have been reduced to a reasonable and appropriate level. In the context of the HIPAA compliance email encryption rules, it may be unreasonable or inappropriate to encrypt emails if policies exist that prohibit the sending of electronic Protected Health Information (ePHI) via email and if alternate methods of data transfer are used.
Regardless of the decision taken, the choice must be documented, and if the decision is taken not to implement the specification – or to implement an alternative – the reasons why the decision was taken must be documented. The results of the risk analysis, and the facts upon which the decision has been based, must also be documented. The risk analysis should be reviewed periodically to identify emerging threats to ePHI and amended as necessary.
HHS Guidance on the HIPAA Compliance Email Encryption Rules
In 2003, the Final HIPAA Security Rule was published in the Federal Register. In the preamble to the Rule, HHS stated it is “committed to the principle of technology neutrality and […] consistent with this principle, specifying an algorithm strength or specific product would be inappropriate. Moreover, rapid advances in the success of ‘brute force’ cryptanalysis techniques suggest that any minimum specification would soon be outmoded.”
The generally accepted minimum specification at the time was 56-bit DEA encryption. However, as encryption cracking software became more sophisticated, DEA encryption became less effective at safeguarding ePHI, and the standard was eventually replaced by 128-, 192-, and 256-bit AES encryption. In 2013, HHS revised its stance on technology neutrality and published minimum specification guidance on the HIPAA compliance email encryption rules.
The guidance states that the HIPAA compliance email encryption rules for ePHI at rest should comply with the standards recommended in NIST SP 800-111 (AES-128 or higher). With regards to ePHI in transit, the guidance states that channels of communication should be encrypted to standards that align with “NIST SP 800-52” (generally TLS 1.2 or higher) or that align with “others which are FIPS 140-2 validated” (for example, S/MIME, PGP, and OpenPGP).
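One way a mail-sending component can enforce the in-transit minimum named above (TLS 1.2 or higher, in line with NIST SP 800-52) is to pin the minimum protocol version in the client's TLS context and then confirm what the session actually negotiated after STARTTLS. The following Python is an added example, not code from the original article or from any particular product; it uses only the standard library, and the host, port, addresses and message a caller passes in are assumed values.

```python
import smtplib
import ssl

# Minimum protocol version taken from the guidance quoted above: TLS 1.2 or higher.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2

# Rank of the version strings SSLSocket.version() can return; anything not listed
# (e.g. "SSLv3") ranks 0 and therefore fails the check below.
_TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def make_tls_context() -> ssl.SSLContext:
    """Client-side context that refuses handshakes below TLS 1.2 and verifies the
    server certificate and hostname against the system trust store."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_TLS_VERSION   # reject TLS 1.0/1.1 at handshake time
    return ctx


def meets_minimum(negotiated: str, minimum: str = "TLSv1.2") -> bool:
    """True if the negotiated protocol is at least `minimum`; unknown or legacy
    version strings fail closed."""
    return _TLS_RANK.get(negotiated, 0) >= _TLS_RANK[minimum]


def send_with_starttls(host, port, sender, recipient, message, context=None):
    """Open an SMTP session, upgrade it with STARTTLS under the strict context,
    verify the negotiated version, then send. Returns the negotiated version so
    it can be logged as evidence for the documented risk analysis."""
    context = context or make_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)      # raises if the server cannot do TLS 1.2+
        smtp.ehlo()
        negotiated = smtp.sock.version()    # e.g. "TLSv1.3" on the wrapped socket
        if not meets_minimum(negotiated):
            raise RuntimeError(f"weak TLS negotiated: {negotiated}")
        smtp.sendmail(sender, recipient, message)
        return negotiated
```

The context already rejects weak handshakes, so the post-STARTTLS check is deliberately redundant: it turns the policy into a recorded fact about each session, which is what an auditor reviewing the risk analysis will ask for. Note that this only covers the hop from the sending client to its own mail server; relay hops beyond that, and the message at rest in mailboxes, need their own controls (the S/MIME or PGP options named in the guidance).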
How to Comply with the HIPAA Email Rules
The HIPAA email rules require more than encryption. HIPAA covered entities must also implement all applicable Security Rule safeguards, apply Privacy Rule policies to disclosures of ePHI by email, and ensure Business Associate Agreements are in place with third-party email service providers and email encryption service providers where applicable. Covered entities and business associates that require assistance with the HIPAA compliance email encryption rules are advised to seek professional compliance advice.