HIPAA Compliance Email Encryption Rules

A simple guide to the HIPAA compliance email encryption rules for ensuring the confidentiality and integrity of electronic protected health information sent via email.

What are the HIPAA Compliance Email Encryption Rules?

The HIPAA compliance email encryption rules can be found in 45 CFR § 164.312(a)(2)(iv) and 164.312(e)(2)(ii). Very little text is included in the HIPAA Security Rule regarding encryption, and further, encryption is listed as an addressable specification, which can lead people to think that it is not a required aspect of HIPAA compliance, when that is not the case. 

The technical safeguards of the HIPAA Security Rule state under the implementation specifications that regulated entities must “Implement a mechanism to encrypt and decrypt electronic protected health information.” Under the transmission security standard, regulated entities must “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” § 164.304 defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

It is important to clarify the terms “addressable” and “required” regarding HIPAA compliance. Required is quite clear. If an implementation specification is required, it must be implemented. The term addressable is used to provide a degree of flexibility for complying with certain standards. If a standard is addressable, as is the case with encryption, it means HIPAA-regulated entities can either:

  1. Implement the specification
  2. Implement one or more alternative security measures that achieve the same purpose, if it is reasonable and appropriate to do so
  3. Not implement the specification or an alternative, if it is unreasonable and inappropriate to implement it

Regardless of the decision taken, the choice must be documented, and if the decision is taken not to implement the specification or to implement an alternative, the reasons why that decision was made must be documented to explain why the addressable implementation specification is unreasonable and inappropriate. The results of the risk analysis, and the facts upon which the decision has been based, must also be documented. 

It is only possible to make such a determination by conducting a risk analysis and ensuring all risks relevant to the specification have been reduced to a reasonable and appropriate level. As far as email encryption is concerned, the lack of encryption could be due to policies that prohibit the sending of ePHI via email, as other methods of data transfer are used.

Types of Encryption

The HIPAA compliance email encryption rules do not state which methods of encryption should be used. HIPAA was written to be technology agnostic, as otherwise rule changes would be required every time technology changes. For instance, certain encryption algorithms that were deemed appropriate in the early 2000s when the HIPAA Security Rule took effect have now been deemed not to be sufficiently robust. The latest advice on the best encryption algorithms to use can be obtained from the National Institute of Standards and Technology (NIST) – NIST Special Publication 800-52. Sending emails that are encrypted to a standard lower than recommended by NIST means the ePHI is unsecured, and any ePHI transmitted would violate HIPAA.

When it comes to email encryption, Transport Layer Security (TLS) is commonly used. This is a cryptographic protocol that protects emails in transit from mail server to mail server. TLS is used by many email service providers to encrypt emails in transit to prevent unauthorized access and it supports the use of digital certificates to authenticate receiving servers but does not encrypt data at rest. TLS encryption may also fail if the recipient server or carrier does not support TLS encryption. True end-to-end encryption offers greater security, as emails are encrypted at rest and in transit, and messages can only be decrypted by the intended recipients if they authenticate to decrypt the emails. 

It is important to remember that simply implementing encryption is not sufficient, by itself, for HIPAA compliance. Email encryption must be enforced, and it is necessary to enter into a business associate agreement with the provider of encrypted email.