ePHI E-mail Necessities
All businesses that deal with electronic protected health information are subject to HIPAA compliance regulations, whether they are covered entities or simply handlers of the electronic information. The same rules that apply to healthcare providers and clearinghouses apply to anyone who has access to the information, even business associates, so it is very important to know what the Health Insurance Portability and Accountability Act requires.
Simply encrypting the clinic’s email is not adequate to be in compliance. A Covered Entity must be able to control access and authenticate users, to protect electronic messages from beginning to end, and to create and maintain records of all transmissions of protected ePHI. Below are the five main HIPAA Email-Security Provisions:
1. Access Control
“Assign a unique name and/or number for identifying and tracking user identity.”
Under no circumstances is it acceptable to share log-in information.
2. Person or Entity Authentication
“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Only users who need it may access ePHI. Because only the intended recipients (e.g., your authorized staff members) may have access, the data must be secured and encrypted at all times.
3. Integrity
“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
Unauthorized third parties shall not be able to access, alter or destroy data during storage or delivery.
4. Transmission Security
“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network,” and “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
Use SSL-based encryption for any ePHI transmitted out of your network, including messages to insurance companies, patients and third-party users.
5. Audit Controls
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Detailed audit trails of logins and of all sent and received messages must be produced.
It is important and necessary to fulfill all of these requirements, and to keep up with ever-changing laws concerning ePHI security. The most cost-effective way to ensure your clinic is compliant is to speak with Randy Whipple. He has the tools and experience to certify your organization’s compliance and is a one-stop shop for security, encryption and cloud services.