When and how should you email PHI, if at all? The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed. Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.
The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”. Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”. Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth review (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.
Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered. And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up! Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.