Differences between encrypted and unencrypted email under HIPAA

Under HIPAA, encrypted email converts message content into a coded format, ensuring electronic protected health information (PHI) remains confidential and secure from unauthorized access during transmission and storage. Unencrypted email, however, leaves electronic PHI vulnerable to interception and unauthorized access, posing a high risk of data breaches and making it challenging to meet HIPAA compliance requirements due to the lack of safeguards.

Overview of HIPAA email requirements

According to the HHS, "The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI."

While encryption isn't explicitly mandated, it is highly recommended to secure PHI during transmission. The goal is to ensure that patient information remains confidential and is not accessed by unauthorized individuals.

Unencrypted email

Unencrypted email refers to messages sent without encryption, leaving them vulnerable to interception. These emails can be easily read by unauthorized parties if intercepted during transmission, creating a high risk for a data breach. 

While HIPAA does not outright prohibit unencrypted email, it presents significant compliance challenges. Demonstrating that reasonable safeguards are in place to protect PHI is difficult when using unencrypted email, making it harder to meet HIPAA requirements. Patients must be informed of the risks and should consent in writing if unencrypted email is to be used.

Encrypted email

Encrypted email, on the other hand, converts the content of the message into a coded format that can only be deciphered by the intended recipient holding the appropriate decryption key. This significantly enhances security by protecting PHI from unauthorized access during transmission and storage.

Encryption offers several benefits in the context of HIPAA:

  • Security: Ensures that PHI remains confidential and is accessible only to authorized individuals.
  • Reduced risk: It lowers the likelihood of data breaches and unauthorized disclosures.
  • Compliance: Shows a commitment to HIPAA compliance by implementing appropriate safeguards, making it easier to meet regulatory requirements.

Differences between encrypted and unencrypted email

  • Security: Unencrypted emails have low security, making them easily intercepted and read by unauthorized individuals. In contrast, encrypted emails provide high security by encoding the message content, ensuring only the intended recipient can access the information.
  • Risk of breach: The risk of data breaches is high with unencrypted emails due to their vulnerability during transmission. Encrypted emails significantly reduce this risk by protecting PHI from unauthorized access.
  • HIPAA compliance: Using unencrypted email makes it difficult to demonstrate compliance with HIPAA's security requirements because of the lack of adequate safeguards. Encrypted email, however, shows a strong commitment to HIPAA compliance by implementing necessary protections.

Best practices for HIPAA-compliant email

  • Risk assessment: Conduct regular assessments to identify potential risks and vulnerabilities associated with email communication. 
  • Employee training: Ensure employees are well-versed in HIPAA regulations and understand the importance of secure email practices. Regular training sessions reinforce best practices and keep staff updated on compliance requirements.
  • Business associate agreements (BAAs): When working with third-party vendors who handle PHI, ensure that BAAs are in place. These agreements stipulate that the vendor will implement appropriate safeguards to protect PHI.
  • Incident response plan: Develop and maintain a plan to address data breaches or security incidents promptly, including procedures for containing the breach, notifying affected individuals, and mitigating further risks.

FAQs

How can healthcare organizations verify that their email encryption is effective?

Healthcare organizations can conduct regular security assessments and audits to verify the effectiveness of their email encryption and ensure ongoing compliance with HIPAA regulations.

What should healthcare providers do if they accidentally send an unencrypted email containing PHI?

If an unencrypted email containing PHI is accidentally sent, the provider should immediately report the incident, assess the potential breach, notify affected patients, and take steps to prevent future occurrences.