HIPAA Compliance for Email

Are Emails HIPAA Compliant?

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant(*).

HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to:

- Ensure 100% message accountability, and
- Protect PHI from unauthorized access during transit.

Some HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Furthermore, some required functions – such as the creation of an audit trail and preventing the improper modification of PHI – are complex to resolve. So, although email can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

(*) HIPAA compliance for email is not always necessary if a covered entity has an internal email network protected by an appropriate firewall. HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.

It should be noted that encryption is an addressable standard in the HIPAA Security Rule for data at rest and for HIPAA compliance for email. That means encryption is not 'required,' but that does not mean encryption can be ignored. Covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use encryption. That applies to data at rest and data in transit.

A covered entity must decide on whether encryption is appropriate based on the level of risk involved. It is therefore necessary to conduct a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The HHS Office for Civil Rights (OCR) will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Encryption is an important element of HIPAA compliance for email, but not all forms of encryption offer the same level of security. Just as the method of encryption is not specified in HIPAA to take into account advances in technology, it would not be appropriate to recommend a form of encryption on this page for the same reason.