HIPAA Email Encryption Rules

Frequently Asked Questions


What are the HIPAA Rules for Email Encryption?

The HIPAA email encryption rules do not exclusively apply to emails, but to all communications which contain protected health information that was in electronic form before it was communicated – therefore attachments to emails, SMS and IMs are governed by the HIPAA rules for email encryption, but not faxes or voice-mail messages (unless they are saved in electronic form after they have been received, in which case the Security Rule provision for protected health information at rest applies).

What HIPAA actually says about email encryption is that covered entities must “implement a mechanism to encrypt and decrypt electronic protected health information”, and most communication experts agree that healthcare organizations who want to facilitate the communication of protected health information by email should double their encryption protection, so that encrypted communications are sent over an encrypted connection “just to be on the safe side”.

Why the Communication of Protected Health Information by Email is Insecure

The experts´ wariness about the HIPAA email encryption rules is based on several possible scenarios in which a breach of protected health information could occur when it is communicated by email. For example:

  • When emails are sent using public FTP (File Transfer Protocol), copies of the emails will remain on routing servers indefinitely with no possibility of an organization being able to delete them if a breach of protected health information is identified.
  • There is no possibility of retracting an email containing protected health information if it has been sent to the wrong person, or remotely deleting emails if an authorized user loses a mobile device from which protected health information has been communicated.
  • There is also the logistical issue that each authorized user would have to install encryption/decryption software on all the mobile devices and desktop computers they would use for the communication of protected health information by email, and that the software would have to operate across all platforms.
  • Furthermore, any solution that is implemented to comply with the HIPAA rules for email encryption would also have to have administrative controls to monitor access to protective health information and ensure that policies developed to comply with the HIPAA email encryption rules are being adhered to.

The TigerConnect Alternative to Encrypted Emails

The TigerConnect alternative to encrypted emails is a secure messaging platform, which works by allowing access to protected health information through a software-as-a-service “On Demand” app. The app can conveniently be used from any desktop computer or mobile device, while administrative controls safeguard the integrity of protected health information.

Access to protected health information is only available to authorized users who are assigned a unique username and PIN, and whose activity on the secure messaging platform is monitored by access reports and audit logs.

As all activity is contained within a private network, should a breach of protected health information be identified, administrators can remotely delete a message – unlike when the communication of protected health information is done by email – or remotely wipe the user from the system if their personal mobile device is lost or stolen.

The secure messaging apps have been purposefully designed with the end-user in mind; and medical professionals, business associates and third party service providers will find the text-like interface easy to become familiar with – making it less likely that they would revert to unsecure alternative channels to communicate protected health information.

The Benefits of Secure Messaging Outweigh Benefits of Secure Emails

Research conducted on mobile device users has found that messaging is by far the most popular form of mobile communication, with 92% of mobile users preferring it over email because of the speed of delivery. A further fact revealed in a 2012 survey was that respondents considered text communications to be more urgent than emails – and requiring an immediate response, rather than delaying an answer until it was more convenient.

In a healthcare environment, the speed of response and the implementation of action can have substantial benefits to patients; and there are additional benefits for medical professionals and healthcare organizations when secure messaging is used to accelerate patient concerns, confirm diagnoses, deliver lab results, and administer treatment.

  • TigerConnect’s features simplify various day to day activities such as: TigerConnect’s secure messaging app has a message forwarding feature which enables multiple parties to collaborate securely on a patient’s care.
  • Authorized users receive delivery notifications and read receipts that confirm their messages have been received and which eliminate phone tag.
  • Secure messages can be assigned lifespans in order that they delete automatically after a pre-determined period of time.
  • A “search by name” facility helps eliminate the risk of messaging errors often seen with encrypted email and accelerates secure communications between medical professionals.

Each of these features helps to streamline workflows, increase productivity and improve the standard of patient healthcare in a cost-effective manner, while maintaining the integrity of protected health information.

Establishing Policies for Best Practices when Texting PHI

In order to ensure HIPAA compliant texting for physicians, Eagle Hospital Physicians had to establish a policy that informed its medical personnel of the best practices for texting PHI – as is recommended for all healthcare organizations implementing a secure messaging solution.

Best practice policies should clearly establish when and how to send text messages in compliance with HIPAA; and to assist with the development of policies to ensure HIPAA compliant texting for physicians we have produced a white paper – “The Top 8 Secure Messaging Policy Best Practices” – which contains details of the best practices for texting PHI that all medical personnel should be informed of.

Our white paper elaborates on the importance of having an assigned policy administrator that medical personnel can go to if they have any questions regarding how to send text messages in compliance with HIPAA, who should also be the staff member to whom the loss of theft of a mobile device can be reported, so that the mobile device can be remotely removed from the system to avoid a breach of PHI.

TigerConnect’s Secure Messaging Platform in Action

Among several relevant case studies which demonstrate the benefits of TigerConnect’s secure messaging platform, one which highlights secure messaging as being more effective for the communication of protected health information than email concerns Eagle Hospital Physicians.

Eagle Hospital Physicians is a leading physician-services company, who needed a secure communication solution to resolve the issue of their telemedicine physicians being located in multiple facilities when workflows had to be prioritized.

Following the implementation of TigerConnect’s secure messaging platform, 100% of Eagle Telemedicine Physicians received all their secure messages via one convenient inbox so that responses could be prioritized and workflows streamlined.

Eagle´s physicians were able to send secure messages in compliance with HIPAA, receive images and documents via TigerConnect’s secure messaging app, and share protected health information between their colleagues securely; while the audit capabilities of TigerConnect’s secure messaging platform made it easy for Eagle´s system administrators to track response times and monitor access to protected health information.

Speak with TigerConnect about Communicating Protected Health Information – Securely

TigerConnect is the market leader in secure messaging solutions, and over 4,000 medical facilities currently use TigerConnect to communicate protected health information securely. TigerConnect’s secure messaging solution is inexpensive to implement and operate, and conforms to all the technical, administrative, and physical safeguards required by the HIPAA Security Rule.

You can find out more about how TigerConnect’s secure messaging solution complies with the HIPAA technical, administrative and physical safeguards in our “HIPAA Compliance Statement” which you are invited to download and read. Alternatively you are welcome to contact us and arrange a free demo of TigerConnect’s secure messaging solution in action

Request A Demo

See how TigerConnect helps 6,000+ healthcare teams collaborate seamlessly across the hall or across the health system.

About TigerConnect

TigerConnect provides secure, real-time mobile messaging for the enterprise, empowering organizations to work more securely. TigerConnect’s encrypted messaging platform keeps communications safe, improves workflows, and complies with industry regulations.