Does HIPAA Require Email Encryption?

To answer the question “Does HIPAA require email encryption?”, begin with a close look at the Health Insurance Portability and Accountability Act (HIPAA) to see what the legislation actually says about encryption:

“A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

This implies that communicating protected health information by encrypted email is permitted – or at least not prohibited – but the process for encrypting email is complicated, and most encryption experts agree that, to be on the safe side, you should use two layers of encryption: encrypt the message itself and also send it over an encrypted connection.

Cost implications aside, using email to communicate protected health information from mobile devices is neither secure nor practical. If medical personnel send emails using public FTP (File Transfer Protocol) – whether encrypted or not – a copy of the email remains on routing servers indefinitely, with no way to delete it if the organization identifies a breach.

There is no way to retract an email once it has been sent, or to recall one that went to the wrong recipient. Users also cannot remove an authorized user from the communication channel if that user's mobile device is lost, stolen or otherwise disposed of, potentially allowing unauthorized third parties access to protected health information.

On a practical basis, every user authorized to communicate protected health information by email would have to use the same encryption/decryption software on their mobile device, and it would have to be software that works across all operating systems and has administrative controls to monitor access to protected health information. This would not be an easy implementation for most healthcare organizations.

The TigerText Alternative to Encrypted Email

The TigerText alternative to encrypted email is a secure messaging solution that operates in a similar way to SMS messaging but gives authorized, authenticated users access to encrypted protected health information through a secure platform. Its administrative and technical safeguards help eliminate the risk of a breach or the messaging errors often seen with encrypted email.

Authorized users simply download the easy-to-use TigerText secure messaging app to their mobile device, set up their accounts with the unique identifiers provided by their system administrator, and they are ready to go. Because of the way the secure messaging app operates, there is no risk of authorized personnel “forgetting” to use it to access or communicate protected health information, and every message has a designated lifespan assigned to it, ensuring the security of the data. Sensitive information cannot be saved to the mobile device, so there is no risk of protected health information being compromised if the device is stolen or lost.

Furthermore, case studies have shown that the use of a secure messaging solution to communicate protected health information has resulted in streamlined workflows, increased efficiency and cost savings. These benefits of secure messaging have resulted in higher patient satisfaction with quicker patient discharge times and accelerated resolution of patient concerns.

So, in conclusion, does HIPAA require email encryption? Yes. But would you really want to implement an expensive, inefficient channel of communication that still presents the risk of protected health information being compromised?

Speak with TigerText about Communicating Protected Health Information – Securely

TigerText is the market leader in secure messaging solutions, and over 3,000 medical facilities currently use TigerText’s secure messaging solution to communicate protected health information across all operating systems without exception. Because of the simplicity of the secure messaging app, the solution is inexpensive to establish and operate, yet conforms to all the administrative, physical and technical safeguards required by HIPAA.

You can find out more about how TigerText’s secure messaging app complies with the HIPAA administrative, physical and technical safeguards for HIPAA compliant communication in our “HIPAA Compliance Statement”, which you are invited to download and read. Alternatively, you are welcome to contact us and request a free demonstration of the TigerText secure messaging solution in action.

Will O’Connor, M.D. is TigerConnect’s Chief Medical Information Officer. He’s an industry-known physician executive with more than 20 years of healthcare experience focused on operations, strategic planning, consulting, client delivery, and thought leadership across the healthcare industry.