HIPAA (Health Insurance Portability and Accountability Act of 1996) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. The Act has introduced several new standards intended to improve efficiency in the healthcare industry.
Within the HIPAA framework, the Security rule focuses on the electronic protected health information (ePHI), setting national standards for the protection of an individual’s information that is created, received, used or maintained.
A report by EMC and research firm IDC, anticipates an overall increase in patient data by 48% annually. The report pegs the volume of healthcare data at 153 exabytes in 2013. At projected growth rates, that figure will swell to 2,314 exabytes by 2020.
So where does the use of Email concern PHI?
If you are an organization in the health care industry, then you store and use PHI for your work and to interact with patients, doctors and other health care companies or practitioners.
In many situations you may be required to transmit PHI using email, and thus your email solution needs to comply with HIPAA standards to protect the PHI carried on them.
The Health Insurance Portability and Accountability Act, or HIPAA, set out strict guidelines in 1996 for protecting patients’ personal health information as it is used, stored and shared. With the rise of email as a primary communication medium in the healthcare industry (actually any industry), HIPAA requirements for email stipulate that protected information must be encrypted.
Most organizations also need to archive their email for compliance or records. Thus the archiving solution, which stores this email for the long term, should also be HIPAA compliant.
Complying with HIPAA requirements for email is a critical but a challenging task for healthcare IT organizations. Email is a primary form of communication between health care providers, patients, other health care companies, and insurance companies, which makes it mandatory for healthcare organizations to comply with HIPAA encryption requirements for the email in transit and for the email at rest.
How does Vaultastic fit the bill for HIPAA compliance?
Ensuring HIPAA compliance for the archived email can be a challenge without an easy, strong and secure cloud based email archiving solution. The chosen email archiving solution should be easy to deploy, manage and simple to operate, without the users and admins having to learn complex operations for encrypting information.
For organizations seeking a highly secure, effective and cost-efficient solution for complying with HIPAA requirements for email, Vaultastic provides a cloud-based email archiving service that simplifies and ensures HIPAA IT compliance.
The table below, demonstrates how Vaultastic fulfills the Technical Safeguards requirements of the HIPAA rules and also mentions exceptions in this compliance with suggested workarounds.
HIPPA Technical safeguard requirements
How Vaultastic addresses this requirement
|Access Control||Unique User Identification (required):|
Assign a unique name and/or number for identifying and tracking user identity.
|Each user in the system is uniquely identified with a user id and has the user’s primary email id associated with the object. All Access to the archived email is by an authenticated and authorized user id, which helps to keep track of each user’s activity.|
|Access Control||Emergency Access Procedure (required): |
Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
|Vaultastic’s ediscovery console can pull up email, which may contain PHI, very quickly in an emergency. |
This search works across mailboxes, and reduces the need to go hunting for the relevant email in individual mailboxes.
The ediscovery works deep and can find mail on the basis of words in the content of the email.
|Access Control||Automatic Logoff (addressable):|
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
|Yes, a timeout, which terminates the web session of users after a period of inactivity, is built into the security protocols of Vaultastic.|
|Access Control||Encryption and Decryption (addressable): |
Implement a mechanism to encrypt and decrypt ePHI.
|Vaultastic ingests, exports and allows access to email based on the principle of “Encrypted in transit” to maintain data security. During the process of transport of all email, a secure channel is established between the requester and the server. The email is encrypted at source and decrypted at the destination.|
|Audit Controls (required)||Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.||Vaultastic stores an audit trail of all activities done by users pertaining to searching for email (potentially containing PHI), exporting the email, and downloading email from the platform.|
|Integrity||Mechanism to Authenticate ePHI (addressable): |
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
|All email (potentially containing PHI) are stored in tamper proof vaults in Vaultastic and are immutable by design. |
Vaultastic does not even provide a delete option to any user or administrator.
|Authentication (required)||Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.||All access to Vaultastic accounts is secured by a complex password, controlled by strict password policies and carry a long term audit trail, which ensures that the users can only access their own accounts. |
To add another layer of security to the authenticated access, Vaultastic will soon release a 2 factor authentication upgrade.
|Transmission Security||Integrity Controls (addressable): |
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
|All data is transmitted in an encrypted form. This ensures the integrity of the data between the two points of communication.|
|Transmission Security||Encryption (addressable): |
Implement a mechanism to encrypt ePHI whenever deemed appropriate.
|All ingestion of email, downloads of email, forwarding and replies to the email from the Vaults, and access to the vaults happens over a secure encrypted channel.|
How does Vaultastic being on AWS support your HIPAA compliance efforts?
Vaultastic is hosted on the AWS cloud, which enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information.
Mithi, as a SaaS AWS partner, has signed a Business Associate Addendum (BAA) with AWS. We have architected our solutions such that all sensitive email data (potentially containing PHI) is stored only on the HIPAA eligible AWS services listed in the BAA.
For organizations seeking a highly secure, effective and cost-efficient solution for complying with HIPAA requirements for email, Vaultastic provides a cloud-based email archiving service, which provides specific solutions to each HIPAA technical safeguard requirement and uses the HIPAA eligible services of AWS (as defined in the BAA) to store sensitive information.
Note: Vaultastic, although is an email archiving platform, supports the common functions of FORWARD and REPLY for an archived email from the self service portal of the user. Currently at the point of writing this blog post, it’s not possible for a Vaultastic user, attempting to forward or reply to an archived email, to digitally sign and encrypt a mail ONLY MEANT for an intended set of recipients.
Thus, for strict HIPAA compliance, we recommend that the forward, reply options of Vaultastic be switched off for users and instead they can download the relevant mails containing the PHI and send it to the intended recipients using PGP or the encryption/signing capability of the primary email platform.