HIPAA compliantYou Asked, We Answered

Today we present the top ten questions and answers from the eFax Corporate Cybersecurity & HIPAA Compliance Webinar series that took place over the past year.  The questions and answers appear in no particular order and were selected due to their popularity or frequency of appearance. You can also click on the webinar titles to view the presentation on-demand.

Q and A Healthcare Disclaimer

Questions:

1.    Isn’t encryption an “addressable” requirement because a CE theoretically doesn’t have to encrypt if they aren’t sending data over the Internet, etc.? (Some encryption vendors like to have people encrypt everything) [HIPAA Compliant Faxing in a BYOD World, 03/23/16].

A.    A big NO on that one, because addressable also applies to data that is being stored and not just when in transit over the Internet.  Just think of all the lost and stolen laptops, flash drives and cell phones containing unencrypted data that resulted in millions of dollars in penalties for HIPAA violations!

For example, even if ePHI is transferred by secure encrypted email between two company locations over a private data network and never touches the Internet, you would still need to ensure that the email archive is properly protected according to the privacy and security standards, which would likely mean it should be encrypted according to the applicable standards set by the National Institute for Standards and Technology (NIST).

The HIPAA security rules do allow covered entities to determine if encryption is “reasonable and appropriate.”  You can choose not to encrypt ePHI. However, if you experience a data breach involving unencrypted ePHI, the OCR will ask for your documentation of reasons why you chose not to encrypt the data, as well as documentation describing the “reasonable compensating controls” that you implemented in place of encryption.

And keep in mind that the top government official in charge of monitoring and enforcing HIPAA compliance publically stated that, although encryption was an addressable requirement…

“…encryption remains the Gold Standard for protection of ePHI.”

That is why eFax Corporate® uses the Transport Layer Security (TLS) version 1.2 to encrypt and authenticate faxes in transit that are sent or received as email attachments, and also offers 256-bit Advanced Encryption Standard (AES) encryption for faxes in storage, as recommended by the National Institute for Standards and Technology (NIST).

2.    How would you tell if your email is a secure email for ePHI? [Protecting ePHI Transmissions in Health Care, 05/25/16]

A.    Two answers for this question.

First, to properly exchange ePHI, the email should be a closed system for use only with other members of your organization, or your partner organizations, who have received training in HIPAA privacy protection and are authorized to view ePHI.

However, even private mail systems may use the Internet for transit between two company locations.  In this case the email message and any attachments would need to be fully encrypted, both in transit and in storage.

Second, this secure email system must, at a minimum, employ “forced-mode” TLS 1.2 encryption according to standards established by NIST.  For example, eFax Corporate® incorporates forced-mode TLS 1.2 into its Cloud-based fax service, which means that the fax must be encrypted when it is in transit as an email attachment.

Anything less than TLS 1.2 (for example, older protocols such as SSL 3.0 or TLS 1.0 & even 1.1) is not considered secure by NIST, the National Institute for Standards and Technology.

Many popular email products use “opportunistic encryption,” which means that if the sending and receiving mail server supports the same encryption protocol, the message will be encrypted, but if not, the message will be sent in the clear with no protection. That type of mail program would not be considered secure enough for HIPAA compliance.

Note:  The OCR will release information and guidance about the use of email in the near future, so stay tuned for further information on this subject.

3.    Why are old fashioned fax machines not considered compliant when they are located in a secure area? [Protecting ePHI Transmissions in Health Care, 05/25/16]

A.     A fax machine is neither compliant nor non-compliant.  The HIPAA rule is designed to be technology neutral.  The risks and vulnerabilities of each system, including fax, need to be understood.  

According to the Office of Civil Rights at the Department of Health and Human Services, the number of ‘fat-fingering’ fax incidents that are reported, in which faxes are sent to the wrong number by mistake, indicates that the risks of faxing need to be better understood and appropriate management and safeguards implemented to prevent that from happening.

It all depends on how fax is used and what controls are in place to prevent the disclosure of PHI to unauthorized viewing, which includes access controls to the secure area where your fax machines are located.

Cloud-based fax is inherently more secure because people can send and receive faxes as encrypted email attachments from their desktop computers, so there are no paper-based documents containing PHI lying around the office.

4.   Since our commercial EHR platform has its own encryption, do we need to worry about additional encryption? [Protecting ePHI Transmissions in Health Care, 06/28/16]

A.    The privacy and security rules state that all ePHI should be encrypted per 45 CFR § 164.312(a)(2)(iv) and its integrity protected per  45 CFR § 164.312(e)(2)(i).  In addition, when electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate.  164.312(e)(2)(ii).

There is no harm in encrypting previously encrypted data, for example when transmitting ePHI records from your HER, or performing full disk encryption on laptops and other removable devices containing ePHI.  However, any encryption system must at least meet the standards specified by NIST in Special Publications 800-52 and 800-111.

5.    If we have someone, a business associate, sending information to us unencrypted or via text, what is our responsibility? Or is our compliance only specific to our entity? [Protecting ePHI Transmissions in Health Care, 06/28/16]

A.   The Business Associate Agreement is designed to prevent unauthorized disclosures of protected health information by spelling out the safeguards that need to be used to protect PHI and incorporating a service level agreement, or SLA, to ensure compliance.

If you are aware of a breach or violation by the business associate, it is your responsibility to either correct the behavior or to terminate the contract or agreement.  If termination is not feasible, you would be required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  

The principle of “Vicarious Liability” means that a Covered Entity can also be held responsible for the acts of the Business Associate in the event that the BA acts as an “agent” of the Covered Agency.  According to HHS, “agency exists when the CE or BA has the right to control the actions of the BA or BA Subcontractor, respectively, in the course of providing services on behalf of the CE or BA.”

6.    If a breach occurs as a result of an email sent unencrypted, no true risk assessment can be done because there is no way to tell if the data is intercepted (or is there?) and notification is required?  [Protecting ePHI Transmissions in Health Care, 06/28/16]

A.    First, ePHI should never be transmitted over the Internet, i.e. by email, in the clear as plain text. “When electronically transmitting ePHI, a mechanism to encrypt the ePHI must be implemented whenever deemed appropriate.”  164.312(e)(2)(ii).

Second, the breach notification rules require an assessment of the probability of disclosure of protected information that was sent via unencrypted email.  If the data had been fully encrypted in transit according the standards specified by NIST, i.e. authenticated and encrypted by mail servers using forced TLS 1.2 at both ends of the connection, the probability would be low, and you would not have to report a data breach. That is because encryption of ePHI creates a ‘safe harbor’ from the Breach Notification Requirement. [78 Federal Register 5644].

7.    Is TLS 1.2 encryption required and enforced?
 [Protecting ePHI Transmissions in Health Care, 06/28/16]

A.    First, TLS 1.2 is the encryption protocol recommended by the National Institute for Standards and Technology (NIST) for data in transit.

Second, TLS that is not ‘forced’ is called ‘opportunistic’ and cannot be said to be HIPAA compliant because there is no guarantee that an email containing ePHI will be encrypted or authenticated.  Opportunistic TLS means that the sender will attempt to establish TLS encryption with the receiving mail server.  If that request is refused, the sender will default to sending unencrypted email.

The forced-mode of TLS will only send an email if it can first establish a secure encrypted connection with the receiving mail server.  In the process to establish this connection, TLS will first request authentication via certificate verification, and will reject connections to mail servers that do not present a valid, signed certificate from a recognized certificate authority (CA). This provides an added layer of security, ensuring that email will be sent to the correct recipient and not an imposter or ‘man-in-the-middle.’

8.    Can you discuss the deprecation of TLS 1.0, and the need to move toward TLS 1.1/1.2? [HIPAA, Cyber Hacking, and ePHI Security, 08/30/16]

A.    Per the guidelines from the National Institute for Standards and Technology (NIST), for data in transit, TLS 1.1 is still allowed, but due to known vulnerabilities, TLS 1.2 is the recommended protocol going forward.  TLS 1.0, SSL 2.0 and SSL 3.0 are no longer allowed.  See NIST Special Publication 800-52 Rev.1 for details.

9.    More and more companies are having employees work remotely and use their own devices. This isn’t going away, so what are recommendations you have for companies that do this?  Are there any advantages, from a security standpoint, to allowing BYOD to access, store, etc. ePHI on personal (rather than employer/covered entity owned) laptops, phones, etc.?  [HIPAA, Cyber Hacking, and ePHI Security, 08/30/16 and ePHI Security in BYOD World, 10/04/16]  

A.    There are many products and services on the market that claim to provide HIPAA compliant secure messaging services for mobile devices, and a discussion of their merits of is beyond the scope of this Q&A. However, regardless of whether the device is corporate-owned or employee-owned, the OCR has a clear position on mobile and portable devices containing ePHI, which I will repeat:

Regarding ePHI on portable devices – mobile devices, tablets, flash drives, laptops, other portable devices and removable storage products…

  • 1.  If you place ePHI on movable devices, sooner or later it will walk away and be lost or stolen.  Remember – theft and loss cause the majority of data breaches.
  • 2.  You need to understand the risks to your data and how you are going to mitigate those risks.
  • 3.  Encryption is best defense here.

10.    If a Covered Entity has a BAA with a Business Associate, and that BA contracts with a Cloud Service Provider to store ePHI that originated with the CE, does the CE also need to have a BAA with the Cloud Service Provider? [Healthcare Cybersecurity Update:  Ensuring HIPAA Compliance with Cloud Services, 02/16/17]

A.   No.  Per the Privacy Rule, the Covered Entity (CE) does not need to have a BAA directly with the Cloud Service Provider (CSP), nor any other subcontractor of its Business Associate (BA), in this example.  However, the Business Associate must have a BAA with the CSP to ensure that the data will be protected in accordance with HIPAA requirements per CFR 164.502 (e)(1).  In fact, all downstream sub-contractors that handle ePHI on a more than temporary basis are subject to HIPAA requirements and must have a BAA with the upstream contractor.   

Note:  Per the Privacy Rule and Guidance on Cloud Service Providers issued by OCR — If a CSP maintains, receives, transmits or stores PHI (on a more than temporary basis), for a HIPAA related function or activity on behalf of CE or BA, that CSP (or any other type of organization) is by definition a Business Associate and must enter into a BA Agreement (BAA) with the CE or BA.