The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA, the American Recovery and Reinvestment Act (ARRA) & Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Introduced in 1996 to Safeguard PHI

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established physical and technical guidelines for safeguarding the privacy and security of Protected Health Information (PHI). PHI is defined as any information about health status, provision of health care, or payment for health care that can be linked to an individual. The 18 defined PHI identifiers include names, phone numbers, Social Security numbers, full-face photographic images and more. Safeguards cover a broad spectrum, from the definition of an emergency mode operations plan, to the physical security of the building storing PHI, to the automatic termination of an electronic session after a predetermined period of inactivity. HIPAA also requires encryption to be used when PHI flows over open networks. This is why, to comply with HIPAA, email needs to be encrypted when it includes any of the 18 defined PHI identifiers.

HIPAA documentation references the need for encryption directly, citing it as a technical safeguard in section 164.312(a)(2)(iv): "Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information." The U.S. Department of Health and Human Services (HHS) explains in its HIPAA Security Series that "as business practices and technology change, situations may arise where EPHI (electronic Protected Health Information) being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities." The encryption specifications also require that both the sender and the receiver use the same or compatible technology for HIPAA email compliance.
 

ARRA & HITECH Broaden Affected Companies, Toughen Enforcement and Increase Fines

HIPAA enforcement took center stage in 2009 with the American Recovery and Reinvestment Act (ARRA). The Health Information Technology for Economic and Clinical Health Act (HITECH), a component of ARRA, significantly broadens the reach of HIPAA to cover companies that do business with organizations that manage PHI. Business partners of HIPAA-compliant entities, as well as companies that have defined roles in the handling of PHI (maintaining, storing, and/or destroying the information) now have HIPAA email compliance obligations.
 
Preventing data breaches is a key component of the HITECH Act. Companies are required to notify a media outlet when a security breach of a certain magnitude occurs. In cases where more than 500 people are affected, health care providers and other HIPAA-covered entities must promptly inform the affected individuals without unreasonable delay (but in no case later than 60 calendar days) after discovery of the breach, except in special circumstances. Data breaches affecting fewer than 500 individuals must be reported to HHS annually.
 
With the HITECH Act, penalties for HIPAA compliance violations have become heftier. Prior to the introduction of the HITECH Act, the maximum penalty for HIPAA violations was $100 for each violation or $25,000 for identical violations of the same provision. The HITECH Act has increased the maximum penalty to $1.5 million for all violations of an identical provision. In addition, proceeds from certain civil fines will be transferred to HHS to be used for enforcement. Individuals and lawyers can now collect fines for violations of the HIPAA security rule, as well.
 

Smarsh Solutions for HIPAA Email Compliance: smarshDLP & smarshEncrypt

smarshEncrypt is an email and file transfer encryption service that can be initiated as an organization-wide, systematic, policy-based encryption solution or manually by the sender.
 
Using Smarsh’s proprietary data-leak prevention engine, smarshDLP, administrators can establish corporate usage policies and automatically enforce the encrypted transmission of email and files that meet specified criteria. For example, messages featuring specific content in the body or in attachments, or to specific recipients, can trigger delivery via smarshEncrypt.
 
smarshDLP scans every email that is sent from your company, and takes action (before delivery) on those that match your specified criteria. These actions can range from stopping or delaying delivery to removing attachments to triggering delivery of specified emails through the smarshEncrypt secure messaging platform. The content filtering engine provides a systematic and automatic solution for preventing data leaks.
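To make the policy-based flow described above concrete, here is an added illustration (not Smarsh's code, and not how smarshDLP is implemented) of an outbound mail check that inspects the body and attachments for two of the 18 PHI identifiers named earlier (Social Security and phone numbers), and returns the pre-delivery actions the text lists: hold, strip attachments, route via encryption, or deliver. The `Message`, `Policy` and `evaluate` names, the regexes and the sample domains are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed detectors for two of the 18 HIPAA identifiers (SSN and phone number).
# Digit look-arounds rather than \b so "(503) 555-0147" is matched as one number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
}

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text

@dataclass
class Policy:
    internal_domain: str   # mail that stays inside this domain is not inspected
    hold_domains: set      # recipient domains whose mail is held for review
    strip_extensions: set  # attachment types removed from outbound mail

def find_phi(text):
    """Return the names of the PHI identifier patterns that occur in text."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}

def evaluate(msg, policy):
    """Decide, before delivery, which actions apply to an outbound message.

    Returns (actions, findings): actions is a list drawn from hold,
    strip_attachments, encrypt and deliver; findings maps body/attachment
    name to the identifier types detected there.
    """
    domains = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients}
    if domains <= {policy.internal_domain}:
        return ["deliver"], {}  # never leaves the organization
    findings = {"body": find_phi(msg.body)}
    for name, text in msg.attachments.items():
        findings[name] = find_phi(text)
    actions = []
    if domains & policy.hold_domains:
        actions.append("hold")
    if any(n.rsplit(".", 1)[-1].lower() in policy.strip_extensions
           for n in msg.attachments):
        actions.append("strip_attachments")
    if any(findings.values()):
        actions.append("encrypt")  # hand off to the encrypted delivery path
    return actions or ["deliver"], {k: v for k, v in findings.items() if v}
```

Attachment text is assumed to have been extracted already; in practice a DLP engine would also need to handle archives and non-text formats before this check runs.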