Although considered by many to be the sole concern of health care providers, the Health Insurance Portability and Accountability Act (HIPAA) affects nearly all companies that regularly transmit or store employee health insurance information. HIPAA was signed into law in 1996 and it's original purpose was to protect employee health and insurance information when workers changed or lost their jobs. As use of the internet became more widespread in the mid-1990s, HIPAA requirements overlapped with the digital revolution and offered direction to organizations needing to exchange healthcare information. HIPAA regulations apply to any establishment that exchanges individually identifiable healthcare information.
Collaboration between healthcare professionals, their colleagues, their patients, and employers has grown progressively more digital, and e-mail has played an ever-increasing role in this communication. In the process of this development, the need for information security and privacy has created an impediment to widespread adoption.
In addition to the usual concerns about privacy and security of e-mail correspondence, even organizations that are not in the heathcare industry must now consider the regulatory compliance requirements associated with HIPAA. The Administrative Simplification section of HIPAA, which, among other things, mandates privacy and security of Protected Health Information (PHI), has sparked concern about how e-mail containing PHI should be treated in the corporate setting. HIPAA, as it relates to e-mail security, is an enforcement of otherwise well-known best practices that include:
- Ensuring that e-mail messages containing PHI are kept secure when transmitted over an unprotected link
- Ensuring that e-mail systems and users are properly authenticated so that PHI does not get into the wrong hands
- Protecting e-mail servers and message stores where PHI may exist
Organizations regulated by HIPAA must comply and put these practices in place. However, the need to comply with regulations puts particular pressure on the healthcare industry to enhance their use of technology and “catch up” with other industries of similar size and scope.
The privacy protection provisions in HIPAA pose a major compliance challenge for the healthcare industry. These provisions are intended to protect patients from disclosure of any of their individually identifiable health information. Organizations that fail to protect this information face fines ranging from $10,000 to $25,000 for each instance of unauthorized disclosure. If the disclosure is found to be intentional, HIPAA provides for fines ranging from $100,000 to $250,000 and possible jail time for individuals involved in the violations.
Starting April 21, 2005, a new security rule focusing solely on PHI that is stored and transmitted electronically will be enforced as part of HIPAA. The requirements of this rule, which are simply information security best practices, focus on the three cornerstones of a solid information security infrastructure – confidentiality, integrity, and availability of information.
The imminent HIPAA regulatory requirements encompass PHI transmission, storage and discoverability. Given the widespread use and importance of e-mail, enforcement of HIPAA encryption policies and the growing demand for secure e-mail solutions, e-mail security has never been more important to the healthcare industry than it is right now.
IronMail significantly contributes to compliance with the HIPAA privacy and security requirements as they relate to protecting PHI that is transmitted and stored via e-mail. Everything from data encryption to firewall and intrusion protection to content filtering is included in the IronMail solution. Once in place, IronMail can be used to protect e-mail going into and out of corporate networks.
As IronMail is a standards-based appliance, it can be integrated into any existing e-mail system seamlessly, without requiring extensive IT staff training, or relying on users to take extra steps to perform e-mail functions.
The IronMail appliance is tailored to help organizations comply with the stringent new guidelines imposed by HIPAA, from security management processes to access control to data integrity.
HIPAA compliance is seen by many organizations as a prohibitively expensive hurdle to overcome. In addition, the growing dependence on e-mail as a mission-critical application requires security and privacy to be a top priority. A solid combination of security policies and the technologies to enforce those policies can ensure improved security as well as HIPAA readiness and ongoing adherence. With IronMail, organizations reduce information complexities as well as associated management costs which can help improve patient relationships, increase the quality of care, and improve the bottom line. E-mail can indeed be safe and secure.
About the Author
CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Contributing to HIPAA Compliance with IronMail” or by visiting www.ciphertrust.com.