Many healthcare professionals experience anxiety at the idea of meeting HIPAA (Health Insurance Portability and Accountability Act) regulations while emailing Protected Health Information, or PHI for short. However, email is becoming a more frequently employed distribution option for sharing PHI with other caregivers and patients. However, to remain compliant with HIPAA, all healthcare organisations must develop effective procedures and policies for sending PHI, using email as a communication channel.

In this blog, we’ll look at how email encryption can help those in the healthcare sector keep data safe and adhere to HIPAA.

What is HIPAA?

HIPAA is a federal law enacted by the United States Congress in 1996. The law provides regulations for protecting the privacy and security of individuals’ health information, as well as ensuring the portability of health insurance coverage.

Under HIPAA, covered entities such as healthcare providers, health plans, and healthcare clearinghouses must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI). It also gives individuals certain rights with regard to their PHI, including the right to access, inspect, and receive a copy of their health information, and the right to request corrections to their health information.

You can find the official government page for HIPAA here.

Is encryption a regulatory requirement of HIPAA?

While HIPAA does not state that email encryption is an essential requirement, the strict measures it demands regarding PHI can be met by this state-of-the-art security tool. The law insists that PHI always remains secure, no matter if it is at rest or is actually being transferred or transmitted. For instance, this means that PHI must be protected when it is stored on servers and workstations with unique credentials. However, if the data is sent to another healthcare organisation, professional or the patient themselves via email, it must also be safeguarded.

The best option to perform this obligation is to protect the information using end-to-end encryption. Unlike other forms of encryption, this solution can ensure that no unauthorised individual can ever access any PHI sent via email and renders the message and any attachment only readable by the intended recipient.

Dealing with patient requests for unencrypted emails

It is understood that patients’ rights to access their personal data easily allows them to request that their personal data is sent to them unencrypted. As a result, sending PHI without encryption does not violate HIPAA, although data handlers must make reasonable efforts to ensure that patient’s understand and acknowledge the risks involved in unsecured transmissions.

Essentially, if a patient requests their personal records be sent via unencrypted email, the healthcare organisation must comply with their request, but can only do so with assurance from the patient that they comprehend the risk they are taking. Data handlers can request that patients complete and sign a “duty to warn” document for their records as proof of HIPAA compliance.

Start sending PHI via encrypted email

While not a requirement, using email encryption is the safest way to fulfil obligations regarding PHI security and stay HIPAA compliant. To access advanced email encryption that is designed to satisfy HIPAA and other data regulations, contact Galaxkey now for a free two-week trial of our solution.