PSYBooks’ email not only meets but actually surpasses the HIPAA specifications for encrypted email. HIPAA’s rules for email encryption are broad, giving developers the maximum amount of freedom. This is as it should be. Those who are responsible for writing and maintaining HIPAA/HITECH laws cannot also be expected to keep up with rapid changes in the world of technology the way developers do. Therefore, although HIPAA wisely states that email containing client PHI (Protected Health Information) should be encrypted, it doesn’t specify exactly how that should be done.
If you compare email to snail mail, there are two possible times your mail is vulnerable: 1) when it’s on route to you and 2) after it’s been delivered. Most developers interpret the HIPAA specifications as meaning they should encrypt the first phase of mail delivery which, in computer terms, is called “data in motion”. Many encrypted email services stop there. They feel they’ve done their job. However, to date, there have been no breaches in the data in motion phase as long as 2048-Bit SSL encryption is used. In fact, experts feel that data in motion under 2048 encryption is uncrackable now and will be for many years yet to come. The implication here is that although data in motion encryption is certainly necessary, it is hardly sufficient.
Conversely, all PHI data breaches so far have occurred in the second stage, i.e., before it’s sent or after it’s been delivered. Computer parlance refers to this phase as “data at rest”. When you think about it, this second stage can include a lot of possibilities. Going back to the snail mail analogy, someone might steal your mail from your mailbox; you might lose or misplace it once you’ve brought it in; your home or office could have a fire or flood that would destroy not only your mail but everything else; your child could accidently scoop your mail into their backpack and lose it at school, your office manager could leave sensitive mail sitting out for other patients to see, someone might break into your home or office and steal or destroy your mail, etc. The possibilities are endless.
This is also true with email. There are numerous ways that data at rest can be compromised. The most frequent culprits, surprisingly enough, aren’t hackers, but rather, are theft and/or loss. For this reason, PSYBooks encrypts email both in motion and at rest. In fact, we even take it a step further in that we also encrypt any attachments you or your clients send via email. This means that, for example, you can now share any client data you want via PSYBooks email and be assured that even if our servers WERE hacked (which is an extremely remote possibility), your email would not be decipherable – it’s secure.
However, the email safety story doesn’t really stop there. Achieving 100% safety with email actually depends on three things:
- Data in motion encryption
- Data at rest encryption
- Safe email habits
PSYBooks has you covered for the first two. The last one is up to you. Actually, you may be surprised to see how easy it is to have unsafe email habits. Most of us are probably guilty of at least a few on a fairly routine basis. We’ll give you some tips for practicing “safe email” in the next post.