There are five (5) specific HIPAA requirements as related to email:
- Access Controls: A covered entity must implement technical policies and procedures limiting access to systems containing electronic protected health information (ePHI) only to personnel with sufficient access rights. (164.312 (a)) The Access Controls specifications include:
- Audit Controls: A covered entity must implement software that record and examine activity in information systems that contain or use ePHI. (164.312 (b))
- Having Unique User Identification.
- Having an Emergency Access Procedure.
- Having Automatic Logoff Process
- Having Encryption and Decryption Process
- Integrity: A covered entity must implement policies and procedures to protect ePHI from improper alteration or destruction. (164.312 (c)). This includes having a mechanism to authenticate ePHI.
- Person or Entity Authentication: A covered entity must implement procedures to verify a person or entity accessing ePHI is the one claimed. (164.312 (d))
- Transmission Security: A covered entity must implement technical measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (164.312 (e)). This includes having integrity controls and encryption.
More HIPAA Compliant Email Hosting requirements
- According to HIPAA, any company that handles medical records is considered a ‘Business Associate’ and would need to sign a Business Associate Agreement (BAA).
- HIPAA Vault signs a BAA for all HIPAA clients.
- Using a HIPAA compliant email solution from HIPAA Vault ensures that all emails dealing with ePHI are only accessible by entitled covered entities.
- Train and re-train your medical staff who have access to ePHI and all medical records on updated HIPAA procedures regularly.
Consult the entire HIPAA Security Rule for more information!