One of our HIPAA clients/customers asked the following question through our Veterans Press website: “We have clients’ identifiable information that needs to be sent via email. How can we make sure we are doing all that we can to keep the email secure and cover ourselves without specific encrypted email? Do we need to have the clients sign a release stating possible risk, they accept the risk, and so forth?”
Jon: The Privacy Rule lets the covered entity or business associate determine whether encryption is reasonable and appropriate and consequently required. I might well make it required for all email, but I’m not the Secretary of DHHS. As I teach in my HIPAA seminars, because encryption is easier and cheaper now than it was a few years ago, it will likely be found to be reasonable and appropriate in most situations. Cover the issue thoroughly in your risk analysis.
Brent: Ultimately, the health organization should be thinking about what is best for the patient and, at the same time, weigh that thought against whatever they can do to minimize the risk to their organization from any threat, whether technical, physical, financial, or otherwise. Because encryption is relatively cheap, I recommend that they just do a blanket encryption for all email or at the very least have it auto-encrypt based on certain words or characters, such as when the system sees a credit card or SSN. These features are available with email encryption.
Some considerations when deciding whether blanket email encryption would be reasonable and appropriate, as opposed to partial email encryption, include these: training staff on when to use it and not to use it; having someone keep track of it and check for unencrypted EPHI emails; maintaining and checking the logs; not realizing when the government changes the law and makes something that previously had not required encryption now require it. It only makes financial sense to me that they just institute blanket email encryption across their entire staff and then not worry about it.
As an aside, please note that, in the event of a breach, a complaint, an investigation, or an audit, DHHS might frown upon the practice of not encrypting email and at the same time trying to require patients to relinquish their rights in case the health organization makes a mistake or just to save the company a few dollars. In other words, consider the entire picture and not just one or two aspects of it in your risk analysis and subsequent search for the reasonable and appropriate solution in your situation.
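A content-based trigger of the kind Brent mentions, as an added example that is not part of the original post or any vendor's product: it flags an outbound message for encryption when the subject or body contains an SSN-shaped string or a Luhn-valid payment-card number. The patterns, function names and sample messages are constructed for illustration.

```python
import re

# Constructed "auto-encrypt" policy check: decide whether an outbound email
# must be encrypted because it appears to carry an SSN or a payment card.
# Illustrative only; not any product's actual detection logic.

# SSN shape with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def encryption_triggers(subject: str, body: str) -> list[str]:
    """Reasons this message must be encrypted; an empty list means none found."""
    text = f"{subject}\n{body}"
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    if find_card_numbers(text):
        reasons.append("payment_card")
    return reasons

# Constructed sample messages (test values, not real data).
SAMPLES = {
    "plain": ("Appointment reminder", "See you Tuesday at 10am."),
    "ssn": ("Intake form", "Patient SSN 123-45-6789 attached."),
    "card": ("Billing", "Charge card 4111 1111 1111 1111 for the copay."),
    "lookalike": ("Ref", "Tracking number 1234 5678 9012 3456."),
}

if __name__ == "__main__":
    for name, (subj, body) in SAMPLES.items():
        print(name, encryption_triggers(subj, body))
```

The lookalike sample shows why the Luhn check matters: a 16-digit tracking number should not force encryption, and a mailbox rule that only counts digits would do so.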