HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that covered entities must not use or disclose electronic Protected Health Information (e-PHI) without proper authorization.
Protected Health Information is all Personally Identifiable Information that is held or transmitted by a covered entity or a business associate. This includes:
- Written information
- Information stored in computer systems
- Information transmitted orally
Generally speaking, TLS encryption for email refers only to the encryption of the transport between two sites. Both sites must support it, and the default for both mail servers must be to use it, unless both sides are specifically configured to use it when talking with each other. However, this has nothing at all to do with how the email is stored at either end.
Generally speaking, there is no safe way to send HIPAA data in the body of an email. The only way to do it is to encrypt the data ahead of time, attach the encrypted file to the email, and have the recipient decrypt it.
TLS is not an at-rest encryption standard the way AES is. TLS is transport-level encryption only.
So when is TLS encryption HIPAA-compliant? When it is version 1.2 or greater, and only for the duration of transport from site to site. Not before and not after.
Another example is looking at a web page. If it is an HTTPS link, then chances are the data was sent from the server to you using TLS 1.2 or greater. It does not mean the data was encrypted on the server, and it certainly does not mean that it is encrypted in your browser while you are looking at it.
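The encrypt-before-attaching approach described above, as an added example that is not part of the original page: the attachment is sealed with AES-256-GCM so that its confidentiality and integrity no longer depend on TLS at any hop or on how either mail server stores the message. The 32-byte key and the sample text are constructed; the key is assumed to have been shared out of band, never inside the email itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed 32-byte key standing in for one shared out of band; it must never travel in the same email as the file.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment returns nonce || ciphertext || tag; the filename is bound as associated data.
func EncryptAttachment(key, plaintext []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per attachment
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// DecryptAttachment is the recipient side; a bit flipped in transit or at rest, or a renamed file, fails the tag check.
func DecryptAttachment(key, blob []byte, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("attachment too short (%d bytes) to contain a nonce", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(filename))
}

func main() {
	blob, _ := EncryptAttachment(demoKey, []byte("CONSTRUCTED sample, not real PHI"), "visit-summary.pdf")
	back, err := DecryptAttachment(demoKey, blob, "visit-summary.pdf")
	fmt.Printf("sealed %d bytes; recovered %q err=%v\n", len(blob), back, err)
}
```

The sealed blob is what gets attached; an intermediate mail server that stores it unencrypted, or a hop that does not negotiate TLS, sees only ciphertext.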
A proper Risk Assessment identifies and assesses vulnerabilities in your office that would make your patient data susceptible to a breach or to corruption of data. This correlates with the three pillars of HIPAA: Accessibility, Integrity and Security. Therefore you must examine both the technical AND the physical safeguards and limitations in your office.
- Each of your practice locations has a method for you to access your data. This means each location is a portal to patient information that we must safeguard.
- Each of your practice locations has its own set of computers, routers, firewalls and technical equipment.
- Each of your practice locations has its own physical location, physical security and physical risks.
- Each of your practice locations may have its own associated employees.
The Risk Assessment looks at all the risks for the individual location and provides you with a Risk Mitigation plan that is specific to the location.
There have been incidents in the past where an organization had a HIPAA incident and, upon investigation, it was discovered that the Risk Analysis was not specific to the location. Consequently, the organizations experienced large fines.
If a patient does not give you permission to give information to their spouse, under HIPAA you CANNOT share information with the spouse. To do so would be a HIPAA violation.
Patients have a right to a copy of their medical records even if they have a balance. Failure to provide a copy of the medical records would be considered a HIPAA violation.