Protected Health Information, File Sharing and Email

HIPAA featured

Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are. 

However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email just doesn’t cut it. Here, we’ll discuss how to effectively use email to engage with patients without breaking compliance.


HIPAA Regulations for PHI

HIPAA regulations revolve around securing the privacy and confidentiality of Protected Health Information (PHI). While the entirety of the law defines practices and requirements to this end, four specific rules are incredibly important for the purposes of discussing email and file sharing. 

These four rules are:

  • The Privacy Rule: This defines PHI in terms of any information related to patient care, payment for that care or identifying characteristics that link patients to specific treatments. This Rule additionally defines the primary parties that fall under HIPAA jurisdiction–namely, Covered Entities (hospitals, doctors, insurance providers, etc.) and Business Associates (vendors and third parties that handle PHI as part of their contracts with Covered Entities). 
  • The Security Rule: The Security Rule defines the responsibilities that CEs and BAs have to protect PHI. While this rule does not lay out technical requirements for security or compliance, they do lay out the overall efforts healthcare organizations must reasonably implement to maintain security. The more technical aspects of this rule are supported through external regulatory documents like NIST Special Publication 800-63.
  • The Breach Notification Rule: This rule defines the relatively strict reporting and notification protocols that CEs and BAs face in a data breach. These reporting obligations include providing several layers of communication to reach affected patients, notifications to government agencies, and potential disclosures to local media outlets. 
  • The Omnibus Rule: The Omnibus Rule came into effect in 2013 and fundamentally altered the criteria of special HIPAA requirements to match emerging technologies and threats. Most importantly, this Rule stated that BAs handling PHI takes on full accountability under HIPAA, like their CE counterparts. This rule also adjusted cybersecurity rules and penalties for non-compliance. 

These rules are the most relevant when discussing file sharing and emails containing PHI. 


The Problem of Email, File Sharing and HIPAA


One of the major challenges of providing information to patients is that your organization must maintain privacy and confidentiality regardless of the communication channel. Unfortunately, most common forms of sharing information (email, file-sharing platforms, etc.) aren’t secure out of the box. 

Adding to the challenge of sending data securely, you cannot guarantee that your patients use secure technology themselves. While this may seem like the patient’s responsibility and not the business, it’s enough to know that HIPAA does not see things in that same light

The reality is that encrypting emails isn’t enough–HIPAA also requires that healthcare providers restrict PHI access, monitor PHI’s movement, and ensure PHI integrity, all of which are near impossible without 100% control over how communication technology is used. 

For example, when it comes to email, there are several options that your organization might consider:

  • Encryption: Typically, most email providers will offer some form of in-transit encryption via Transport Layer Security (TLS). However, relatively few provide end-to-end encryption using a public-key solution, and those that do are not the most popular types of email. This is an important distinction because, without end-to-end encryption, you cannot guarantee privacy or protection for the entirety of the data’s journey and, subsequently, open yourself to non-compliance challenges. 
  • Secured Servers: If you use on-prem email, or specialized email provision through a HIPAA-compliant provider, then at the very least, you can rest easy that internal emails are compliant and secure. However, this doesn’t necessarily address the issue of reaching patients through external email and only solves half of the problem. 
  • Secure File Sharing Platforms: Many providers have turned to secure file sharing, where patients must log into a portal to access information on a secure server. Under this approach, the data is protected on the server, user activity is logged via IAM and auditing tools, and the user is responsible for protecting their data on their end. This approach to PHI sharing and protection has gained much traction because it allows providers to maintain compliance without compromising information sharing with patients. 
  • Password-Protected Files: Certain files, like PDFs and .zip archives, can be password protected, and in theory, this means that the patient would be the only part with access to PHI contained in those files. However, passwords are, overall, a weak form of security, especially when used as a single-factor authentication solution. If a hacker intercepts an email and steals the file, it’s relatively trivial to brute-force the password and accesses the data–a clear violation of the Security Rule. 


Best Practices for Email and HIPAA

While there are several pitfalls to using email to communicate with patients about their healthcare, it would be silly to avoid the medium altogether. It’s far too common and important a media channel to ignore to avoid using it to the detriment of your patients. 

With that in mind, there are several key best practices that you can follow to maintain security and compliance while emailing patients:

  • Use Secure Servers for File Sharing: Your organization cannot control technology outside of your perimeter, but you do have complete control over your technology–or, at least, over the vendor technologies (like cloud platforms). Using technology you can control, you can completely avoid compliance issues so long as you force users to interact with those technologies. 
  • Use Secured Links Over Email: The best way to force users into your technology perimeter is to use secure links. Almost every file-sharing platform provides secure link sharing, allowing one user to send a private link to another. Accordingly, use link-sharing systems where the sharing of PHI requires your patients to click a link, enter authentication credentials into a secure portal, and access a secure file server. This solution is incredibly flexible because you can send links over email–links aren’t PHI, and if an email is stolen or read, the attacker would still have to breach your compliant servers to access PHI. 
  • Use Cloud Systems for Auditing and Documentation: The last and most significant bonus of secure sharing servers and emailed links is that they provide the ability to log all activity. User authentication, file access, file downloads, and more are all under your control on the file-sharing server. Furthermore, you can track how the user reaches your portal interface and when by tracking link traffic. 


Ensure Secure Servers for HIPAA Compliance with Continuum GRC

The best foundation for a PHI-sharing system is to have compliant, secure technology on your side. This means that you have to have robust and ongoing compliance auditing and risk management to meet your obligations to both regulatory organizations and patients. 

With the Continuum GRC, you can unify and centralize your HIPAA compliance and risk management to ensure that all your systems are secure, including patient-facing communication portals. 


Worried About Sharing PHI with Patients?

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • IRS 1075
  • ISO 27000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC