What is HIPAA compliance?
HIPAA, or the Health Insurance Portability and Accountability Act, sets standards for the privacy and security of patients' protected health information (PHI), including names, addresses, medical records and other identifiable patient information.
Any business that works with Protected Health Information (PHI) must conform to HIPAA privacy and security rules. This not only includes healthcare organizations, but many businesses that provide administrative, financial, legal, consulting and management services to healthcare organizations and that work with PHI.
What does HIPAA compliant email mean?
To achieve HIPAA compliance, companies must take steps to protect PHI that they create, collect or transmit electronically or that they encounter as part of their work. Since many organizations communicate PHI through email, HIPAA compliance requires email containing PHI to be protected from unauthorized access in transit and at rest, and to have 100% message accountability through audit controls.
How do I send a HIPAA compliant email?
Sending a HIPAA compliant email requires the use of encryption or the use of a secure message server such as a patient portal to protect PHI within the email while in transit. HIPAA compliant email also requires the use of access controls that ensure only the sender and intended recipient can access the message.
HIPAA encrypted email compliance requires innovative solutions
HIPAA messaging compliance is a significant challenge for healthcare organizations. Many medical professionals rely on email as their primary form of communication, and their messages often include protected health information (PHI) of patients. While the Health Insurance Portability and Accountability Act (HIPAA) requires that organizations take great pains to protect PHI in email, the vast amount of email sent and received every day makes careless mistakes inevitable and the value of PHI to cyber criminals increases the likelihood of cyberattacks.
To protect PHI and ensure email HIPAA compliance, organizations need solutions that can ensure the security of email in transit and at rest, to maintain audit controls for access and usage, and to defend the organization and email data against a wide variety of advanced threats. For organizations seeking easy-to-use technology that won't overburden IT teams with additional work, Mimecast provides industry-leading solutions for email archiving and security.
HIPAA email encryption from Mimecast
Mimecast provides a simple-to-use cloud platform that unifies delivery and management of email security, continuity and data protection. Thousands of organizations worldwide trust Mimecast to improve cyber resilience, streamline compliance, minimize IT complexity and keep their organization running.
For IT teams, Mimecast's SaaS-based solution is easy to implement (there are no capital costs) and easy to manage, with centralized control provided through a single administrative console. To ensure HIPAA email compliance, Mimecast's offerings have passed the HIPAA Security Compliance Assessment, verifying the safeguards that protect health information within Mimecast software and infrastructure.
With Mimecast, healthcare organizations and their partners can:
- Prevent email-born ransomware infections and other advanced attacks
- Encrypt mail messages and share attachments securely
- Block malicious or inappropriate web activity
- Stop malicious URLs and attachments
- Satisfy HIPAA requirements with audit logs and compliance-driven chains of custody.
Mimecast technology for HIPAA encrypted email
To enable HIPAA encrypted email messages, Mimecast provides a Healthcare Secure Messaging solution that is easy to use for healthcare providers and patients alike. To initiate a secure message, users need only click a Send Secure box in Outlook or in their preferred email client. Messages and attachments are uploaded to the Mimecast secure cloud, rather than being sent directly to recipients. After being checked for malware, messages are stored in an AES encrypted archive, and recipients are notified of the HIPAA encrypted email and how to access it by logging onto a secure portal. From the portal, recipients can read messages and view attachments, responding to the sender or composing a new message back to recipients in the organization.
Learn more about HIPAA encrypted email and Mimecast.
Additional tools for email HIPAA compliance
Mimecast's comprehensive email security platform includes a variety of solutions to improve HIPAA email compliance, including:
- Advanced Email Security with Targeted Threat Protection uses sophisticated detection engines and threat intelligence to protect email from targeted attacks as well as malware, spam and phishing.
- Content Control and Data Loss Prevention (DLP) solutions help organizations prevent inadvertent or malicious leaks that can expose sensitive patient data.
- Secure Messaging and Large File Send solutions make it easy for employees to conduct business quickly and easily without worrying about encryption requirements for HIPAA email compliance.
HIPAA Compliant Email FAQs
What are some HIPAA encryption requirements?
The National Institute of Standards and Technology (NIST) recommends that healthcare settings add an additional safeguard to their electronic information practices with the use of Advanced Encryption Standard (AES) 128, 192, 256-bit encryption, or OpenPGP, and S/MIME.
How to make email HIPAA compliant?
While there is no single formula for creating a HIPAA compliant email, there are a number of steps that organizations can take to ensure compliance with HIPAA regulations.
- Encryption technologies or secure messaging portals can successfully protect email in transit. Encryption makes an intercepted email unreadable, while secure messaging portals combine encryption with secure access protocols that add additional layers of protection.
- Email archiving solutions can help organizations fulfill the requirements for access, integrity and audit controls, and make it easy to produce email for legal discovery or compliance audits.
What is a violation of HIPAA compliant email regulations?
Actions that may violate regulations concerning HIPAA compliant email and protected health information (PHI) include:
- Failing to protect PHI with encryption, secure messaging or other technologies that prevent unauthorized access.
- Emailing unprotected or unencrypted personal health information without patient consent.
- Sending email without a Business Associate Agreement with your email provider that ensures they are also in compliance with HIPAA.
- Failing to provide audit trails that document access and ensure integrity of email containing PHI.
Are outlook and Office 365 HIPAA compliant?
It depends. Email accounts on Outlook.com are not HIPAA compliant. Outlook within Office 365 can be HIPAA compliant if Office 365 is configured properly. And Outlook that’s installed as software on a laptop or desktop can also be HIPAA compliant, as long as your email service and the computer you’re using are HIPAA compliant as well. Microsoft Office 365 offers packages that support HIPAA compliance, but Office 365 alone does not provide all the controls (such as the maintenance of audit logs) that are required to be HIPAA compliant.
Is Gmail HIPAA compliant?
While Gmail itself is not HIPAA compliant, Gmail as part of G Suite can be HIPAA compliant with the addition of third-party encryption software.