HIPAA Compliance For Emails At Your Dental Practice
While signing up for an email account is easy, deciding on which one to use isn’t. There are so many things to consider. Will they support your custom domain name and address? How much storage is available? Do they offer spam filtering, encryption, and message tracking? What about guaranteed uptime?
Though these are important questions, there’s one more that dental practices sometimes forget to ask: Are your emails compliant with HIPAA rules?
Are You Encrypting Your Dental Practice’s Emails?
Email encryption protects the contents of your emails from outsiders. When an email is encrypted, it’s unreadable until it’s decrypted. HIPAA requires that any email containing ePHI (electronic Protected Health Information) be encrypted. Email messages must be secured in transit, at rest, and in archives.
Email encryption protects your emails from cyber thieves. If they can intercept emails, you’d be surprised at the personal information they can obtain. They’ll use this info to try to steal from your dental practice. Sometimes they steal data and sometimes they deploy ransomware. Whatever their endgame, you shouldn’t have to worry about things like this. You have a busy dental practice to run.
Understanding the Law
In the National Institute of Standards and Technology (NIST) document, SP 800-45 Version 2, the requirements for securing emails containing ePHI are clearly outlined. NIST states that email messages can be protected by using cryptography in various ways, such as the following:
- Encrypt the body of an email message to ensure its confidentiality.
- Sign an email message to ensure its integrity and confirm the identity of its sender.
- Encrypt the communications between mail servers to protect the confidentiality of both the message body and message header.
How To Meet These Requirements
Unlike methods that can only encrypt a message body, a Virtual Private Network (VPN) can encrypt entire messages, including email header information such as senders, recipients, and subjects. However, a VPN solution alone cannot provide a message signing mechanism. And it can’t protect email messages along the entire route from sender to recipient.
How Does Encryption Work?
With public-key email encryption, each email address has a pair of keys associated with it. The keys are used to encrypt and decrypt emails. The public key is stored on a key server and is tied to your name and email address. Anyone can access it. The second key is your private key. This isn’t shared with others and is known only to you.
Email encryption utilizes public-key cryptography. When you send an email, your computer encrypts it using the recipient’s public key. This turns the email into scrambled content that is infeasible to read without the key. Only someone with the corresponding private key can decrypt the email and read it.
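To make the NIST list above (encrypt the body, sign the message) and the key-pair description concrete, here is an added example written for this article using only Go’s standard library; it is not code from the original post or from any Symtec product. It encrypts a message body with a fresh AES-256 key, wraps that key with the recipient’s public key, and signs the ciphertext with the sender’s private key; the names SealedMail, Seal, Open and NewKey are invented for the illustration, and the key pairs are generated on the spot rather than fetched from a key server.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedMail (constructed format): body under AES-256-GCM, AES key wrapped with RSA-OAEP, RSA-PSS signature.
type SealedMail struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key or randomness failure: stop rather than send weakly protected mail
	}
	return v
}
// NewKey makes a 2048-bit RSA pair; real deployments load it from a key server or certificate.
func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Seal encrypts body with a fresh AES-256 key, wraps that key with the recipient's
// public key, and signs the ciphertext with the sender's private key.
func Seal(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) *SealedMail {
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	ct := gcm.Seal(nil, nonce, body, nil)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)) // only the recipient's private key unwraps
	digest := sha256.Sum256(ct)
	sig := must(rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)) // proves origin and integrity
	return &SealedMail{wrapped, nonce, ct, sig}
}

// Open verifies the signature before touching the ciphertext, then unwraps the key and decrypts.
func Open(m *SealedMail, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(m.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, err // altered in transit or not from the claimed sender
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedKey, nil)
	if err != nil {
		return nil, err // not encrypted for this recipient
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil) // GCM tag also detects tampering
}
```

A gateway service of the kind described later in this article does the same steps on the practice’s behalf, so staff never handle keys directly.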
Because it’s difficult for most people to encrypt their emails themselves, dental offices and other businesses rely on their IT providers to do this through an automatic encryption service. This way, they don’t need to worry about whether their employees remember to use email encryption. It’s managed automatically. The emails are set up to flow through a gateway appliance that’s configured to the firm’s security policies.
What Happens If We Don’t Encrypt Our Emails With ePHI?
You must use an alternative method to protect your data at rest and in transit. This requires that you perform a risk analysis to determine the level of risk to the confidentiality, integrity, and availability of ePHI sent via email.
You then must develop a risk management plan and document it for the HIPAA auditors from the Office for Civil Rights (OCR). They will want to see that you considered encryption and why you didn’t use it. Then they will want to see that you have implemented an alternative safeguard that’s just as effective as encryption.
How Do Email Encryption Services Work?
In the past, email encryption services were cumbersome to use. Both the sender and recipient had to exchange encryption keys before sending and receiving emails to one another. As a result, people didn’t want to take the time to do this, and employees simply ignored the dental practice’s policies. This led to breaches in security where sensitive and confidential data was exposed.
Today, we have simple and secure email encryption services that are cloud-based. Key management is automatic without any added overhead for either users or administrators. The first time a recipient receives an email, a unique key is generated. Emails (including attachments) are encrypted using the recipient’s key.
How Do You Use An Email Encryption Service?
After encryption is complete, a separate notification email containing a link to log into a secure message center is sent to the recipient. The message center is accessed in a web browser over HTTPS, so the connection itself is authenticated and encrypted.
After the recipient logs in, their encrypted email messages are sent to them for viewing. At this point they can reply to the emails or download them for archiving on their computer, knowing that they are still encrypted and will be secure.
Where Can We Find Email Encryption Services In Utah and Idaho?
Symtec provides the right Email Encryption Services that your dental practice needs. Our cloud-based approach to email encryption ensures the security of your emails and attachments. It utilizes the Advanced Encryption Standard with a 256-bit key, commonly known as AES-256.
Ensure that your emails meet HIPAA requirements. For more information about our Email Encryption Services and how your dental office will benefit from them, contact the experts at Symtec. You’ll see why so many dental practices choose our services over others.