What to consider when developing and shipping HIPAA compliant software? (Part 2 – Email communications)
Can email communications be HIPAA compliant?
As we discussed in the previous article, there are technical safeguards that companies must follow when developing custom software for the medical, healthcare or pharmaceutical industries.
Some modern applications, regardless of their platform (web, mobile or desktop), choose email to transfer sensitive data between parties. Email is usually chosen because of its widespread use, ease of access and fast implementation. In this post, the minimum requirements for using email while remaining HIPAA compliant are explained.
Define email policies and workflows
Before getting into the technical challenges and requirements of making an email service HIPAA compliant, the company must first define its internal policies and train employees to follow them. Part of these policies can be enforced by the mail server (e.g. forcing users to change their password every two months), but a major part consists of best practices that employees must follow on their own. Usually a security or privacy officer monitors and oversees the implementation of these policies. The following are a few examples of what should be drafted into the security and privacy policies:
- Clean desk policy
- Data forward and privacy policies
- Encryption policies
- Password format requirements
- 2-Step authentication policy
- Physical access to computers policy
- And more
We believe five provisions of the HIPAA Security Rule (45 CFR 164.312) directly affect email communication.
1- Access Control
HIPAA section 164.312(a)(2)(i) (unique user identification) requires the Covered Entity to "Assign a unique name and/or number for identifying and tracking user identity."
This means that every user of your custom software or platform must have a unique username and email address. People cannot share usernames and passwords for the same email account. In addition, you need to make sure that the users of your application receive enough training before they use it to transfer PHI via email.
2- Person or Entity Authentication
Any mobile or web application has to "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed." (HIPAA section 164.312(d))
In development terms, this means implementing role-based access control and proper authentication (with multi-factor authentication wherever the mail system supports it). As always, the entity should control and monitor users' access to ePHI. Beyond authentication itself, the mail data must be protected both in transit (i.e. between mail servers and between clients and servers) and at rest (on the server that stores the mailboxes).
3- Integrity
The Covered Entity must "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction." (HIPAA section 164.312(c)(1))
This section adds a safeguard on top of the authentication section. Even when access to each email account is protected by unique usernames and passwords, the organization has to protect not only the PHI itself but also employees' and users' credentials, since a stolen credential is the easiest way to alter or delete stored messages.
So if you are running a mail server, you need to make sure that messages are encrypted in storage and in transit, and that no one other than the sender and the intended recipients can read or modify them.
4- In transit security
"Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network." (164.312(e)(1)) In addition, "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of." (164.312(e)(2)(i))
In technical terms, the organization needs to use Transport Layer Security (TLS, the successor of the now-deprecated SSL) to establish encrypted links between its own mail servers and the outside world: STARTTLS on the server-to-server SMTP hops, and TLS on the IMAP/SMTP connections used by staff, patients and partner organizations that may access the patient's data. One caveat a practitioner should know: STARTTLS between mail servers is opportunistic by default, so a connection silently falls back to plaintext if the other side does not offer or complete TLS. For partner domains that regularly receive PHI, TLS should be made mandatory (a per-domain transport policy, or a published policy such as MTA-STS), and where the receiving server cannot be trusted, the message body itself should be encrypted end to end (S/MIME or PGP) rather than relying on the transport.
5- Audit Controls
"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." (HIPAA section 164.312(b))
This means that your mail server should log and retain session logins. A login record should include the username (never the password itself), the date and time, the source IP address, whether the session was protected by TLS, and whether the attempt succeeded or failed. In case of a data breach of your email server, these logs considerably help auditors investigate the vulnerability, the access levels involved and the amount of potentially leaked data; they are also what lets you notice password guessing or a compromised account before it becomes a breach.
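A minimal review of such login records, as an added example that is not part of the original article: the log lines are constructed to imitate Dovecot's imap-login format, and the thresholds (three failures within a minute from one source, a five-minute lookback before a success) are assumptions chosen for illustration. The script flags successful logins made without TLS (the in-transit point from section 4), bursts of failed logins from a single source, and a success that closely follows failures for the same account from the same source.

```python
"""Audit review of IMAP login records for a HIPAA mail server.

Added example, not code from the original article. The sample log is
constructed to mimic Dovecot's imap-login lines; note that the server logs
only the username, never the password. Thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real traffic), modelled on Dovecot's imap-login format.
SAMPLE_LOG = """\
Mar 03 08:01:12 mail dovecot: imap-login: Login: user=<alice@clinic.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4021, TLS, session=<a1>
Mar 03 08:02:40 mail dovecot: imap-login: Login: user=<bob@clinic.example>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5, mpid=4022, session=<b2>
Mar 03 08:03:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@clinic.example>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<c3>
Mar 03 08:03:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@clinic.example>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<c4>
Mar 03 08:03:14 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@clinic.example>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<c5>
Mar 03 08:03:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@clinic.example>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<c6>
Mar 03 08:05:55 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice@clinic.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<d7>
Mar 03 08:06:01 mail dovecot: imap-login: Login: user=<alice@clinic.example>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, mpid=4030, TLS, session=<d8>
"""

# One regex for both successful ("Login:") and failed ("Disconnected (auth failed ...)") records.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+), "
    r"lip=[\d.]+,(?: mpid=\d+,)?(?P<tls> TLS,)? session=<[^>]*>$"
)


@dataclass
class LoginEvent:
    ts: datetime
    success: bool
    user: str       # identity only; the credential itself is never logged
    rip: str        # remote (client) IP address
    tls: bool       # whether the session was protected by TLS


def parse_log(text: str, year: int = 2024) -> list[LoginEvent]:
    """Parse imap-login records; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other Dovecot output is not a login record; skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(LoginEvent(ts, m["event"] == "Login", m["user"],
                                 m["rip"], m["tls"] is not None))
    return events


def plaintext_logins(events: list[LoginEvent]) -> list[LoginEvent]:
    """Successful logins without TLS: the password and any PHI crossed the network in the clear."""
    return [e for e in events if e.success and not e.tls]


def failed_login_bursts(events: list[LoginEvent], threshold: int = 3,
                        window_seconds: int = 60) -> dict[str, int]:
    """Source IPs with at least `threshold` failures inside `window_seconds` (password guessing)."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if not e.success:
            by_ip[e.rip].append(e.ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1  # largest burst found for this source
                break
    return flagged


def success_after_failures(events: list[LoginEvent], lookback_seconds: int = 300) -> list[LoginEvent]:
    """Successful logins preceded by a failure for the same user from the same IP.

    Could be a typo, could be a guessed password; either way it deserves a second look."""
    failures = [e for e in events if not e.success]
    suspicious = []
    for s in events:
        if not s.success:
            continue
        if any(f.user == s.user and f.rip == s.rip
               and 0 <= (s.ts - f.ts).total_seconds() <= lookback_seconds
               for f in failures):
            suspicious.append(s)
    return suspicious


def audit(text: str) -> dict:
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "plaintext_logins": plaintext_logins(events),
        "failed_login_bursts": failed_login_bursts(events),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

In the constructed sample, `bob@clinic.example` logs in without TLS, `192.0.2.44` racks up four failures across three accounts in fifteen seconds, and `alice@clinic.example` succeeds six seconds after a failure from her own address. On a real server the same checks would run over the retained logs, and the "auth failed" burst is the place to start an investigation rather than the end of one.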
Should we encrypt all the messages we send to our colleagues internally in our organization?
Under HIPAA, messages exchanged between employees through a secured internal server do not have to be individually encrypted, since your workforce is part of the Covered Entity and is authorized to send, receive and view confidential electronic Protected Health Information (ePHI). Note that the encryption specifications in the Security Rule (164.312(a)(2)(iv) and 164.312(e)(2)(ii)) are "addressable", not optional: the organization must decide through its risk analysis whether encryption is reasonable and appropriate for internal mail and document that decision, and the connections between clients and the internal server should still be protected by TLS.
Are common Email services, such as Gmail, HIPAA compliant?
In practice, only if you have a signed Business Associate Agreement (BAA) with the provider can you use it as a HIPAA email service. The agreement includes many sections, including the following:
- The permitted uses and disclosures of PHI by the provider (business associate)
- The safeguards the provider must implement (security measures, encryption techniques, etc.)
- The provider's obligation to make the information available when a patient requests it
- Limiting the use of the data to what the contract or governing law allows
- Returning or deleting the PHI at the end of the contract
Regular consumer Gmail accounts do not come with a signed BAA; however, if your organization is willing to pay for G Suite (Gmail for business, now sold as Google Workspace) you can sign a BAA with Google. A further concern often raised about consumer accounts is that Google has scanned the content of consumer Gmail for advertising purposes, which is incompatible with HIPAA, and is one more reason consumer accounts cannot be used for PHI.
In terms of security, most of the major email providers follow the best practices and meet the minimum security requirements mandated by HIPAA. Signing the BAA does not make your organization compliant by itself, though: configuring the service (mandatory TLS, multi-factor authentication, audit logging and retention) and training the users remain the Covered Entity's responsibility.