HIPAA and email security

Written by Dan Blacharski on May 13, 2009

If you’re even remotely connected to the healthcare industry, you have been, or will be, affected by the Health Insurance Portability and Accountability Act (HIPAA). This regulation mandates security and privacy in several areas, including the storage, access, and communication of sensitive or private healthcare information.

Firewalling, together with access controls (authentication and authorization), is critical to HIPAA compliance, but email security is an equally vital part of it. Healthcare organizations and other covered entities, as well as patients themselves, often rely on email as an efficient way to communicate information. Ordinary, unencrypted email, however, is inadequate for that purpose.

It would be a mistake to neglect email in a HIPAA compliance initiative: any exposure, or even potential exposure, of protected health information via email is a compliance failure and a likely audit finding. HIPAA does not stop at stored medical records; it covers any record that contains protected health information, including email. There are two fronts to consider, and both are essential for compliance: the security of email in transit and in day-to-day use, and the security of archived email. Archived email in a HIPAA-compliant organization must be subject to the same access controls (authentication and authorization) as any other record store. Day-to-day email carries its own risk of deviating from compliance: if a message contains information regulated under HIPAA, it must be protected against unauthorized access. Since email crosses the public Internet, where it can be read at any relay along the way, encryption is the only practical way to provide that protection.

The biggest risks are not using the encryption that is available, or not having it available at all. Consequently, training all staff to use encryption, and making it easy for them to do so, is a large part of the process.

Some healthcare organizations simply forbid sending any covered information via email, but in practice that is not always workable. A policy of never sending patient information by email, particularly where email encryption is not in use, may itself create liability, because rushed employees are very likely to resort to email despite the policy. The better approach is to ensure that any email that does contain patient information is encrypted.

Email protections such as anti-virus and anti-spam filtering are also part of the larger HIPAA picture, if indirectly: they help ensure that the network itself does not suffer downtime or lost data due to email-borne attacks, which matters for the availability and integrity of protected health information.
