Email Encryption and HIPAA
HIPAA and HITECH Regulatory Requirements
To protect the privacy of patients’ medical records and related personal data, including electronic Protected Health Information (ePHI), the U.S. government passed legislation governing how that information may be used and disclosed. The HIPAA “Privacy Rule” requires appropriate safeguards to prevent unauthorized disclosure of protected health information.
In conjunction with these privacy standards, the HIPAA “Security Rule” establishes standards specifically for ePHI, with administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of patient data.
Regular email not in compliance
Standard email is sent and stored in plaintext: the message can be read by anyone with access to the network path or to any of the mail servers it passes through or rests on. Opportunistic TLS between mail servers, where it is used at all, protects only each hop; the servers themselves, and whoever administers or compromises them, still see the message in the clear. Regulated information therefore should not be sent by email without some form of encryption of the message itself. In some organizations, auditors or compliance departments do not allow email to be used for patient communications of any medical information, as a way to comply with HIPAA. Others have implemented complex “portals” where patient information can be exchanged: healthcare professionals must upload each message, and patients must then go to a dedicated system, authenticate themselves and retrieve it.
Portals trade convenience for security
While these systems are one way to achieve compliance, they are much more cumbersome -- both for providers and for patients -- than the email systems we all use every day. The convenience of email, with quick access from desktop and mobile devices, allows healthcare providers to interact most efficiently and effectively with patients, but it must be done while protecting patient privacy.
Achieving HIPAA Compliance with Enlocked
By encrypting email messages between healthcare providers and patients -- or between providers and other business associates -- email can be used in a HIPAA-compliant manner. However, it is also important to understand how and where the encryption is done. Depending on the architecture of the solution chosen, your HIPAA auditors may require that you sign a business associate agreement if the email solution stores patient data, or holds keys that could decrypt it.
Enlocked encrypts messages locally, on your own device, and the encrypted messages are then stored and sent using your own email infrastructure; Enlocked itself does not see or store any of your messages (see: how it works). Because no patient data passes through Enlocked’s systems, Enlocked can help you meet HIPAA / HITECH requirements without the need for a Business Associate Agreement (BAA).
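The architectural point above, that the encryption happens on the sender's device and the mail servers only ever carry ciphertext, is easiest to see in code. The following is an added illustration, not Enlocked's code; the page does not describe the cryptography Enlocked uses, so the hybrid RSA-OAEP plus AES-256-GCM scheme, the JSON envelope format, the function names, the example.com addresses and the sample patient record are all assumptions made for this example. It seals a message body, wraps it in a minimal RFC 5322 message as it would be handed to an ordinary SMTP server, checks that the patient data is not visible in that wire form, and decrypts it on the recipient side, rejecting a wrong key or a modified envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Envelope is all that travels in the mail body; encoding/json base64-encodes the byte fields.
type Envelope struct {
	WrappedKey []byte `json:"wrapped_key"` // per-message AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte `json:"nonce"`       // AES-GCM nonce
	Ciphertext []byte `json:"ciphertext"`  // AES-GCM ciphertext with its authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBody runs on the sender's device: a fresh AES-256 key for this message,
// wrapped with the recipient's public key (hybrid encryption, an assumed scheme).
func SealBody(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)})
	return string(out), err
}

// OpenBody runs on the recipient's device with a private key that never left it. The
// envelope came off the network, so it is checked before use; any modification makes
// gcm.Open return an error rather than partial plaintext.
func OpenBody(priv *rsa.PrivateKey, body string) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal([]byte(body), &env); err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed envelope: nonce length %d", len(env.Nonce))
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// BuildMessage wraps the sealed body in a minimal RFC 5322 message for the sender's own
// SMTP infrastructure. Headers stay in the clear, so Subject/From/To must never carry PHI.
func BuildMessage(from, to, sealed string) string {
	return "From: " + from + "\r\nTo: " + to + "\r\nSubject: Secure message\r\n" +
		"Content-Type: application/json\r\n\r\n" + sealed + "\r\n"
}

func ExtractBody(wire string) string {
	_, body, _ := strings.Cut(wire, "\r\n\r\n")
	return strings.TrimSpace(body)
}

// ServerCanRead models what a relay or mailbox server could learn from the wire message.
func ServerCanRead(wire, sensitive string) bool {
	return strings.Contains(wire, sensitive)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (constructed sample)
	phi := "Patient Jane Doe, MRN 00012345: HbA1c 7.9%, adjust metformin." // constructed sample
	sealed, _ := SealBody(&priv.PublicKey, []byte(phi))
	wire := BuildMessage("clinic@example.com", "patient@example.com", sealed)
	fmt.Println("server can read PHI:", ServerCanRead(wire, "Jane Doe")) // false
	got, err := OpenBody(priv, ExtractBody(wire))
	fmt.Printf("recipient recovered: %q (err=%v)\n", got, err)
}
```

Two details matter for an auditor's question of who can see patient data: the private key is generated and used only on the recipient's device, so the sending organization's mail servers, the recipient's mail provider and any encryption vendor hold nothing that can decrypt the body; and the headers (Subject, From, To) are not encrypted by this or by any ordinary email encryption scheme, so they must not carry anything that is itself PHI.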
Our service runs on a SAS 70 compliant vendor platform, and our own policies and procedures are designed to meet or exceed the requirements of the HIPAA Security Rule. Should your auditors or compliance department wish to understand more about our systems or architecture, please contact us using our support form.
Try it Out
Send a test message: see how easy it is to send and receive secure email from the browser, your desktop, or your mobile device.
Download the Enlocked App for your mobile device to read and send secure email on the go.
Get the Enlocked plugins: integrate Enlocked into your email client for easy, one-click convenience.