2019 State of Email Security Report
Actionable steps to improve your organization’s email security and cyber resilience.
Comply with HIPAA encryption requirements with Mimecast
HIPAA encryption requirements create a significant challenge for IT teams charged with ensuring privacy and security in healthcare.
In 1996, the Health Insurance Portability and Accountability Act, or HIPAA, established a rule that all healthcare providers must ensure the privacy of protected health information (PHI). Since that time, email has become a dominant form of communication and is frequently used to share protected patient data. For IT organizations, complying with HIPAA encryption requirements means adopting some form of healthcare secure messaging technology.
The challenge for IT teams is ensuring all email meets HIPAA encryption requirements. A solution that enables healthcare providers to send HIPAA encrypted email is one thing; ensuring that patients and their caregivers outside the organization can send return messages that are encrypted is quite another. Most solutions designed to meet HIPAA encryption requirements involve burdensome administrative features or software that individuals must download in order to receive an encrypted message.
As a leading provider of solutions for email security, archiving and continuity, Mimecast provides an all-in-one solution that makes it easy for healthcare organizations to comply with HIPAA encryption requirements.
Mimecast's cloud-based subscription service enables healthcare organizations to reduce the cost and complexity of managing and protecting email while complying with HIPAA encryption requirements. As an SaaS-based solution, Mimecast can be implemented quickly and scale easily to accommodate changing business requirements.
Mimecast's comprehensive services enable organizations to simplify email archiving, ensuring email continuity even during outages, and to defend against a myriad of healthcare industry cyber security threats. In addition to meeting HIPAA requirements for email, Mimecast provides defenses against ransomware, spear-phishing and impersonation attacks that are commonly used to penetrate network defenses and steal patient information.
Mimecast's Secure Messaging service enables organizations to ensure healthcare privacy and security and to easily meet HIPAA encryption requirements. With Secure Messaging, users can simply click Send Secure when composing a message in their email client in order to ensure that the message is sent securely. After they press Send, messages and attachments are securely uploaded to the Mimecast cloud, scanned for malware and viruses, and stored in a secure AES encrypted archive. Recipients then receive a notice that a message is waiting, with instructions about how to log into the Mimecast secure portal to read, reply and compose new secure messages.
Mimecast Secure Messaging also allows organizations to automatically send messages that comply with HIPAA encryption requirements when they contain certain content or are sent to certain recipients or domains.
Learn more about Mimecast and HIPAA encryption requirements.
What are HIPAA encryption requirements for email?
The Health Insurance Portability and Accountability Act (HIPAA) establishes regulations for the privacy and security of protected health information (PHI). The HIPAA Security Rule requires organizations to restrict access to PHI, to protect PHI from unauthorized access, to ensure the integrity of PHI at rest, and to ensure 100% message accountability. While the rule does not set forth specific HIPAA encryption requirements, it does recommend that covered entities and business associates utilize end-to-end encryption when possible, but also allows organizations to adopt solutions other than encryption that accomplish the same thing.
How to meet HIPAA encryption requirements for email?
The two most effective technologies for complying with the HIPAA Security Rule are encryption and secure messaging. Encryption technologies encrypt messages before they are sent, making them impossible for unauthorized individuals to read them if intercepted or inadvertently leaked. Secure messaging solutions provide a platform where users may login to send and receive encrypted messages, adding an additional layer of access control to satisfy HIPAA encryption requirements.
What is a violation of HIPAA encryption requirements?
The most common violation of HIPAA encryption requirements is the failure to adopt adequate end-to-end protections for PHI. Another common violation is emailing protected health information from a healthcare facility to a personal email account, which happens when employees send files to themselves to work on at home. Lost or stolen devices that have unencrypted PHI on them is another common violation, as is disclosing PHI to third parties who do not have adequate encryption protections in place.
Does Gmail satisfy HIPAA encryption requirements?
Gmail is not a HIPAA compliant platform. Organizations wishing to use Gmail with a HIPAA compliant solution may use Google’s GSuite, which enables Google to sign a HIPAA Business Associates Agreement. However, because Google does not provide encryption, organizations will need to contract with a third-party provider to satisfy HIPAA encryption requirements.
Does Outlook satisfy HIPAA encryption requirements?
Microsoft offers several versions of Outlook, each of which have different capabilities for complying with HIPAA encryption requirements. Outlook.com, the free version of Outlook, is not HIPAA compliant and cannot satisfy HIPAA encryption requirements. Outlook within Microsoft Office 365 or Outlook that is installed on a desktop or laptop can be made HIPAA compliant with proper configuration, with a HIPAA Business Associate Agreement with Microsoft, and by using a third-party provider for encryption.