In the digital age, emails are sent by the millions every day around the world. Some people worry about the level of security offered in that digital parcel, as evidenced by numerous outcries in the wake of privacy invasions. People want to know that their personal correspondence is secure and safe from prying eyes. In the years since email became a primary means of communication, numerous safeguards have been developed and implemented. One of the most notable safeguards is HIPAA, the Health Insurance Portability and Accountability Act.
You might wonder what health insurance has to do with email security. Email is a form of communication that has become integral to the transfer of (often sensitive) information. HIPAA was designed in 1996 to protect sensitive information like health insurance and other protected health information (PHI). When hospitals and insurers began transmitting information via email — which is far more efficient and considerably faster than physically delivering it — they needed to make certain it was secure. HIPAA then spawned two parts: The Privacy Rule and The Security Rule.
The Privacy Rule, known officially as Standards for Privacy of Individually Identifiable Health Information, standardized the protection of certain information related to healthcare. The Security Rule, known as Security Standards for the Protection of Electronic Protected Health Information, enforces the privacy rules by setting standardized security for the protection of PHI, especially that which is transmitted electronically (ePHI). The Security Rule addresses the need for both technical and non-technical safeguards regarding “covered entities” in the Privacy Rule. These safeguards put the security of a patient’s health information as a top priority.
The Security Rule was not designed to prevent the transmission of sensitive data via electronic means; rather, it was designed to secure those transmissions. This security started with standards for access control, integrity, and transmission. The standards regarding transmission were later updated to enforce encryption. Encryption essentially scrambles the data sent in an email so that if it were intercepted, it would be unreadable. The enforcement of encryption requires the covered entity to assess its options on the current network, choose a “path” that is designated as secure based on the security protocols, and then document the decision to take this path.
The HIPAA Privacy and Security Rules were updated in 2010 with the passing of the HITECH Act. HITECH, or Health Information Technology for Economic and Clinical Health, stiffened the penalties for breaching the security of emails transmitting health information. Initially, the penalty was $250,000, but HITECH bumped that up to $1.5 million. In 2013, the Department of Health and Human Services (HHS) implemented a “final rule” called the Omnibus Rule that increases the privacy and security protections under the HITECH Act and HIPAA. It increases privacy protection, grants new rights regarding health information, and lends power to the government to enforce the laws regarding email security and HIPAA.