Why HIPAA Email Message Encryption is Not the Solution
Although encrypting an email provides a certain level of security for transmitting patient health information, the message is copied multiple times on email servers during transmission before it reaches its intended recipient. Even when an email is encrypted, there is no way to completely recall or delete it and, should the mobile device from which it was sent – or the one on which it was received – be stolen or lost, the content of the email can easily be accessed.
The new regulations relating specifically to HIPAA text message encryption and HIPAA email message encryption “require appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic patient health information”, and this is something that cannot be completely achieved by email encryption (²). Because of the lack of security offered by email encryption, it is in the best interest of organizations to consider a secure text messaging platform to remain compliant with the HIPAA encryption requirements.
(²) It should be noted that the failure to comply with the HIPAA encryption requirements could result in criminal charges being brought by the Office of Civil Rights or a civil action being filed by an individual whose patient health information has been compromised.