Beringer Associates Technology Blog

Is your e-mail HIPAA compliant?


HIPAA is a US federal law to safeguard healthcare information. This law applies to healthcare companies such as doctor’s offices, hospitals and health insurers, which makes them a regulated environment. There are many aspects to this law that involve the storage and transmission of digital healthcare data. I’m sure it’s not news to anyone that e-mail is one of the most common forms of digital information transmission. However, what may come as a surprise to many is that e-mail is by default an insecure method of transmitting data.


While most modern e-mail systems support encrypted connections between the mail server and the end point (desktop, smartphone, etc.), the actual transfer of e-mail between mail servers is not always encrypted. This means that in many cases your e-mail messages are sent in plain text, which would allow someone to maliciously intercept these messages and view their entire contents. This is particularly troublesome when working in a regulated environment. Whether it is for a legitimate business need or through accidental human error, there is a good chance that healthcare information could leave your company via unsecured e-mail. This transmission of unsecured e-mail is a violation of HIPAA that carries VERY large fines.
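A quick way to see the server-to-server problem for yourself is to ask a mail server what it offers before any message is sent. The PowerShell function below is an added example, not part of the original post: it opens a plain SMTP session, sends EHLO, and reports whether the server advertises the STARTTLS extension that upgrades the session to TLS. The host name is a placeholder for your own mail host (the MX records for your domain, which `Resolve-DnsName -Type MX` on Windows will list).

```powershell
# Added example, not part of the original post: check whether a mail server
# advertises STARTTLS on its SMTP port. 'mail.example.com' is a placeholder.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$MailHost,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($MailHost, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"     # SMTP lines end in CRLF
        $writer.AutoFlush = $true

        $banner = $reader.ReadLine()   # e.g. "220 mail.example.com ESMTP"
        $writer.WriteLine('EHLO compliance-check.invalid')

        # EHLO replies span several lines: "250-<ext>" continues, "250 <ext>" ends.
        $capabilities = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }
            $capabilities += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')

        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Host     = $MailHost
            Banner   = $banner
            StartTls = [bool]($capabilities -match '^250[- ]STARTTLS')
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: run against each MX host you receive mail on (placeholder host name).
Test-SmtpStartTls -MailHost 'mail.example.com'
```

A `StartTls` value of `$false` means any server delivering to that host can only send in plain text. A value of `$true` is necessary but not sufficient: STARTTLS is opportunistic, so the sending side must also be configured to require TLS rather than fall back to plain text, which is one reason the encryption features discussed below deliver sensitive mail through a portal instead of relying on transport encryption alone.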


Another requirement of HIPAA is that healthcare data needs to be stored for 6 years. This extends to e-mail if any healthcare information is shared via e-mail. And as I stated before, you may not know that your users are using e-mail to send or store healthcare information. So this raises the question: is your hosted or local e-mail server storing mail for 6 years or longer? What if someone deletes their messages? Do you have the ability to recover an e-mail from 6 years ago? If you don’t know the answer, the answer is probably no.


So now that I’ve scared most of you, how do we address these e-mail concerns? Well, there is the easy way and the hard way. The hard way would be to piece together several solutions: a Data Leak Prevention (DLP) solution, an e-mail encryption system and an e-mail archive system. Piecing these together means the hassle of dealing with several vendors with no real integration. This method can also get very costly as it requires multiple products, contracts and maintenance agreements. It can also be very time consuming, since there is a level of complexity that involves training on multiple products and multiple points of failure.


So what about the easy way? Well, the easy way would be to find a service that combines all of these in one easy to use package. The service that we feel does this best is Microsoft’s Office 365. Microsoft’s Office 365 has plans which are fully HIPAA compliant and, with the proper configuration, will help overcome the e-mail challenges discussed above. It’s also much more affordable than you would expect. This is accomplished with the following features:


  • Fully Hosted E-mail in Secure Data Centers
    • Microsoft hosts the entire e-mail system so there is no need for on-premises servers.
    • E-mail is stored in fully compliant, redundant data centers that would be extremely difficult and costly for a business of any size to replicate.
    • Microsoft will even sign a HIPAA business associate agreement.


  • E-mail Encryption
    • Encryption secures a message so that if it is intercepted by any party other than the intended recipient the contents will be unreadable.
    • Allows messages to be manually or automatically encrypted when certain criteria are met.
    • Gives the recipient access through a secure portal so that their reply is also encrypted.


  • Data Leak Prevention (DLP)
    • Helps protect sensitive data from leaving the e-mail system.
    • Flexible rules that allow various actions when an e-mail contains sensitive data (e.g. block the message, require approval, force encryption).


  • Archiving
    • Full compliance hold archiving that will retain e-mail for any period of time needed (includes unlimited retention).
    • If a user deletes a message, it can still be searched and retrieved via the retention hold archive.
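The encryption, DLP and archiving bullets above describe what the configuration does; the script below is an added example, not part of the original post or of Microsoft’s documentation, showing one way those three outcomes (force encryption, require approval, block) and a retention hold can be expressed as Exchange Online transport rules and mailbox settings from PowerShell. It assumes the ExchangeOnlineManagement module and an administrator account. The rule names, the tiers (how many sensitive matches trigger each action), the moderator address and the use of the built-in "U.S. Social Security Number (SSN)" classification are all choices made for this example, not requirements of HIPAA or of the post.

```powershell
# Added example, not from the original post: Exchange Online transport rules
# implementing the three DLP actions the post lists, plus a retention hold.
# Assumes the ExchangeOnlineManagement module; names and tiers are placeholders.
Connect-ExchangeOnline   # prompts for admin credentials

# Sensitive-information type to match (built-in classification; add the
# types your own policy covers). minCount/maxCount set the tier boundaries.
$ssn = 'U.S. Social Security Number (SSN)'

# Tier 1 - force encryption: an outbound message with a small number of
# matches is delivered through Office 365 Message Encryption, so external
# recipients read it (and reply) in the secure portal instead of plain SMTP.
New-TransportRule -Name 'PHI tier 1 - encrypt outbound' `
    -Priority 2 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = $ssn; minCount = 1; maxCount = 9 }) `
    -ApplyOME $true

# Tier 2 - require approval: larger volumes are held for a compliance
# moderator (placeholder address) before they can leave the organization.
New-TransportRule -Name 'PHI tier 2 - moderate bulk' `
    -Priority 1 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = $ssn; minCount = 10; maxCount = 49 }) `
    -ModerateMessageByUser 'compliance@example.com'

# Tier 3 - block: very large volumes are rejected outright and the sender
# is told why. Lowest priority number wins, so this is evaluated first and
# stops further rules from acting on the same message.
New-TransportRule -Name 'PHI tier 3 - block bulk export' `
    -Priority 0 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = $ssn; minCount = 50 }) `
    -RejectMessageReasonText 'Blocked: message contains bulk protected health information.' `
    -StopRuleProcessing $true

# Archiving - place every user mailbox on litigation hold so deleted items
# remain searchable and recoverable. 2190 days is 6 x 365; use Unlimited or
# round up if you want to cover leap days and the post's "6 years or longer".
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2190

# Verify what was created.
Get-TransportRule | Where-Object Name -like 'PHI tier*' |
    Format-Table Name, Priority, State -AutoSize
```

Transport rules act on mail in transit, so test them with the Exchange Online message trace after sending a few constructed test messages from a non-production mailbox; the litigation hold takes effect per mailbox and should be confirmed with `Get-Mailbox ... | Select-Object LitigationHoldEnabled, LitigationHoldDuration` rather than assumed.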


Like any federal regulation, HIPAA requirements are constantly changing and can be very difficult to dissect and understand. Beringer can help you navigate through this confusion. To find out more contact us at 800.796.4854 or info@beringer.net.
