Email Protection Systems: What Do They Mean for Your Organization

October is Cybersecurity Month, making it an excellent time to look at what you’re doing to protect the data in your care. To guide you in this process, the Department of Health and Human Services (HHS) recommends ten practices that anyone handling ePHI needs to implement. The first recommended practice is email protection systems.

What Are Email Protection Systems?

Email protection systems are integral to keeping email communication secure. The HIPAA Security Rule requires safeguards to be in place before email can be used to transmit electronic protected health information (ePHI). 

For email to be HIPAA compliant, it must have:

• Integrity controls are measures that protect data from alteration or destruction. End to End data encryption protects information from unauthorized changes. 
• Access controls are measures that restrict access to data. Access controls allow administrators to grant permission to view ePHI. Restricting access to ePHI ensures that there is no unauthorized access.  
• Audit controls are measures used to track and record who accessed ePHI and when it was accessed. Audit controls are crucial to detecting unauthorized access to data quickly.
• Transmission security pertains to monitoring how ePHI is communicated by tracking who sends or receives ePHI. It also involves ensuring the integrity of PHI at rest. This refers to safeguarding ePHI stored on your network through encryption or a firewall.
• ID authentication is a means to identify the person(s) accessing PHI. This is accomplished with personalized login credentials.

The rules for secure emails differ based on if you’ll be sending an email through an internal email network or to an outside network. All emails sent externally, beyond your firewall, need to be encrypted. 

However, just because encryption isn’t required for emails sent over your internal email network doesn’t mean you shouldn’t encrypt. Before a healthcare organization decides whether or not to encrypt, they need to perform a HIPAA security risk assessment. 

A risk assessment allows a healthcare organization to assess if there is a threat to the integrity, confidentiality, or availability of ePHI. In addition, the decision of whether or not to encrypt must be documented to prove to the Office of Civil Rights (OCR) that you considered encryption and found that it wasn’t necessary.