HIPAA compliance and email encryption.
Do you handle sensitive client information in your business, for example over Gmail? Are you using advanced security protections on your electronic communication? Many service providers do not realize that they may be required to maintain enhanced privacy protocols, even if they are only second- or third-party business associates of a medical or healthcare-based entity.
You may think that your emails are secure and that you are taking reasonable precautions to guard client and sub-contractor communications. But you may actually be in violation of federal law if you are transmitting certain kinds of information without meeting the specified security measures.
Protected Health Information Privacy & Security Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established a set of national standards to protect the privacy and security of individually identifiable health information. The HIPAA Privacy Rule and Security Rule require certain safeguards to maintain the confidentiality, accuracy, and availability of protected health information (PHI).
The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and adhere to procedures that protect the confidentiality of health information (paper, oral, and electronic) when it is transferred, received, handled, or shared. They also state that only the minimum health information necessary to conduct business should be used.
Who Must Meet These Standards?
Any organization dealing with PHI must adhere to these administrative, physical, and technical security measures. This includes covered entities (who provide first-hand healthcare treatment, payment, and operations) and business associates (with access to patient information, but mostly providing second-hand support to covered entities).
Even if you are using a third-party service to transmit or host PHI, such as an email provider, HIPAA requires you to sign a Business Associate Agreement (BAA) with that service. The BAA establishes that these business associates will protect confidential patient information with the same high standards established for covered entities.
The reasonable safeguards required by HIPAA for email include encrypting patient-bound email, securing stored emails and attachments, and verifying recipients’ identities before disclosing personal information.
Gmail and HIPAA Compliance
If you are one of the roughly 1 billion people on the planet using Gmail as your email provider, you may want to take a minute and give some thought to the kind of information you handle regularly. Mandatory security standards don’t just exist in the healthcare field; they also apply to many financial and government communications. Don’t make the incorrect assumption that your Gmail constitutes secure communication, especially if you exchange any kind of sensitive data in the course of your business.
Gmail does not encrypt emails by default. Google specifically states that individual users are responsible for determining if they need to maintain HIPAA compliance. They add that customers who have not entered into a BAA shouldn’t share PHI using Google services. Protecting sensitive data is the explicit responsibility of the individual user.
Further, Google does not offer BAAs to free Gmail users. They also scan email messages stored in Gmail accounts for advertising purposes. Therefore, free Gmail is not a HIPAA compliant solution. Google does make a BAA available to paid Google Apps users, but entering into this BAA does not instantly make your account HIPAA compliant.
Google’s BAA is fairly vague, simply stating that they will do what is necessary to ensure the privacy and security of the data they hold in a reasonable time frame, while you agree to take “appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI.”
Google also offers no guidance about what you should or should not do for HIPAA compliance. In short, even if you are paying for Google Apps, the services still need to be configured correctly to meet HIPAA requirements. You can be spending a lot of money on Google services and still be non-compliant.
FROM GOOGLE about Protected Health Information
Administrators for Google Apps for Work, Education, Government, and Google Apps Unlimited domains must review and accept a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Apps Vault services.
Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.
We have published our Google Apps HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with Google Apps.
Google does have a message encryption solution called Google Apps Message Encryption (GAME). It provides a mechanism for sending secure messages to anyone by requiring them to pick up these messages from a secure web portal. It also allows others to send secure messages to you. But it costs roughly $3/user/month and there is a 100-user minimum, so it’s not exactly low cost. Many users also find GAME cumbersome because the encrypted messages are stored in and retrieved from an online portal, which requires extra time and clicks to communicate, an additional login and password, and separate areas for secure and non-secure email.
Third-Party Email Encryption
Gmail users might rather consider a third-party solution for email encryption, such as Zix. ZixGateway is a policy-based email encryption appliance that delivers simple, secure management of Email Encryption Services. Sitting at the edge of your network, ZixGateway inspects all outbound email to ensure it adheres to your chosen policies. With full content scanning of the subject line, message body, and attachments, ZixGateway can encrypt, route, block, or brand outbound email based on corporate policies. It automatically enforces compliance for email communication without requiring special training or procedures for employees.
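To make the policy-based inspection just described concrete, here is a toy outbound inspector written for this article (it is not Zix's code and not part of the original post): it scans the subject line, text body and attachment names of a raw message for a few constructed PHI indicators and returns the gateway action. The domain clinic.example, the patterns and the four policies are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
# Constructed PHI indicators (illustrative, not a complete HIPAA identifier list).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),
    "clinical": re.compile(r"\b(diagnos(is|ed)|ICD-10|treatment plan)\b", re.I),
}
TRUSTED_DOMAINS = {"clinic.example"}  # assumed: the organisation's own mail domain

def scannable_text(msg):  # subject, text bodies and attachment names to inspect
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
        else:  # binary attachment: a real gateway would extract its text as well
            parts.append(part.get_filename() or "")
    return "\n".join(parts)

def decide(raw):
    """Apply the outbound policy to a raw RFC 5322 message; return action and evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = scannable_text(msg)
    hits = {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}
    rcpts = [a.addr_spec for f in ("To", "Cc") for h in msg.get_all(f, []) for a in h.addresses]
    external = [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS]
    if "ssn" in hits and external:
        action = "block"    # policy 1: an SSN never leaves the organisation
    elif hits and external:
        action = "encrypt"  # policy 2: PHI to outside parties goes out encrypted
    elif hits:
        action = "deliver"  # policy 3: PHI staying within the trusted domain
    else:
        action = "brand"    # policy 4: no PHI, only append the corporate footer
    return {"action": action, "phi": sorted(hits), "external": external}

def build_sample(to, subject, body, attachment=None):  # constructed test message
    msg = EmailMessage()
    msg["From"] = "nurse@clinic.example"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename=attachment)
    return msg.as_bytes()
```

Calling decide(build_sample("billing@insurer.example", "Claim for MRN 12345678", "Treatment plan attached.", "plan.pdf")) yields the "encrypt" action with the matched indicators, which is the kind of evidence a gateway log should record for audit.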