HIPAA Email Compliance

Where can I find the official document for the Federal HIPAA HITECH legislation?

The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment act. It can be found on page 112 in the official document at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf

Is an encrypted email HIPAA compliant?

The Security Rule of the original HIPAA legislation permits covered entities to use email as a way to electronically transmit protected health information (PHI) and requires that steps be taken to protect those transmissions.

How MDofficeMail is HIPAA compliant?

MDofficeMail is HIPAA compliant by virtue of the following features:

• HIPAA Business Associate Agreement is signed with clients.
• SSL connection is strictly enforced for all services, both at sender’s and recipient's end. Thiscannot be modified even by the Account Administrators.
• Encryption is strictly enforced for all outbound messages unless the user manually over-rides it.
• Messages can be viewed or downloaded only by establishing SSL connection.
• Recipients can reply securely without having a secure email account.
• Facility to validate new recipient. New recipient needs to enter a 6-digit code to access email received. This randomly generated, recipient-specific code can be provided only by the sender.
• Minimum password length and complexity is enforced.
• Automatic Webmail session timeout is enforced.
• Encrypted emails sent can be force expired at anytime.
• Encrypted emails sent will automatically get deleted after a fixed time.
• Automatic session timeout is enforced for message viewing page of MDVault.
• Legal archiving: All emails are archived remotely for a specified length of time, upto 7 years, These emails can not be edited or deleted. As long as the user is active archived messages can be viewed and downloaded.
• Emergency Access Procedure: PHI in email communications can be accessed from any location via the Internet. There are also mechanisms for authorized administrative to access account data.
• Audit Controls: Audit reports of all logins to WebMail, POP, IMAP, and SMTP services are available to administrators. Reports include the date, time, and the IP address from which logins were made.

Subject line of email message - HIPAA email compliance

As the subject line of email message is not encrypted, users should never include PHI in the subject line.

Dedicated servers - HIPAA email compliance

Though MDofficeMail is hosted in dedicated servers, there is no explicit requirement. HIPAA law is 'technology neutral' in that it makes no specific requirements for the implementation of technical security, e.g. the level of encryption (128 bits or 256 bits), the encryption type (RSA, AES, etc.), the level of auditing, etc. The security restrictions MD Officemail enforces ensure that all the hosted accounts meet the Technical Safeguards of the HIPAA Security Rule.