HIPAA / HITECH Compliance Requirements
Recent HIPAA / HITECH regulations extend compliance requirements to Business Associates of HIPAA covered entities. As a hosting provider, ChicagoNetTech must not only protect our servers and the data they hold, but must also work with our hosted clients to achieve compliance for their e-mail and for any other hosted data entrusted to us under our hosting agreement that is required to be stored on, or accessible only via, secured servers.
ChicagoNetTech's SmarterMail e-mail hosting solution meets the requirements of the most recent updates to the HITECH portion of HIPAA. Our SSL / TLS secured e-mail interfaces, included with all hosted packages at no additional cost, encrypt your e-mail in transit from the moment it leaves your mail client through to delivery, provided every mail server on the delivery path supports TLS [1]. We can also provide searchable archives of all incoming and outgoing e-mail. Please read on to see why HIPAA / HITECH compliance is so important when choosing your e-mail and web hosting provider.
HIPAA Overview: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) introduced new rules for the healthcare industry. By mandating compliance with its Privacy and Security Rules, the federal government committed itself to enforcing patients' rights. Industry professionals, whether financial, administrative or clinical, are no strangers to a regulatory compliance culture. HIPAA applies to 'covered entities', i.e. healthcare providers, clearinghouses and health plans that meet certain conditions. In essence, most providers are covered entities if they run an electronic office, meaning they store and exchange data via computers over intranets, the Internet, dial-up modems, DSL lines, T-1 circuits, etc.
HIPAA e-mail security applies specifically to Protected Health Information [PHI]. PHI, in HIPAA's own terms, is individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or transmitted or maintained in any other form or medium. Administrative, financial and clinical information that can be tied to a patient is therefore PHI.
- Privacy Standards: The HIPAA Privacy Rule sets standards for protecting the rights of individuals (patients). Covered entities must follow the laws that grant every individual the right to the privacy and confidentiality of their health information. Protected Health Information is subject to an individual’s rights on how such information is used or disclosed.
- Privacy Standard Key Point: Controlling the use and disclosure of oral, written and electronic protected health information (any form).
- Security Standards: Taking the Privacy Rule a step further, HIPAA implemented the Security Rule to cover electronic PHI (ePHI). To this end, more secure and reliable information systems help protect health data from being “lost” or accessed by unauthorized users.
- Security Standard Key Point: Controlling the access to electronic forms of protected health information (not specific to oral or written).
The Privacy and Security Rules focus on information safeguards and require covered entities to implement the necessary and appropriate means to secure and protect health data. Specifically, the regulations call for organizational and administrative requirements along with technical and physical safeguards.
Beginning in February 2010, the HIPAA rules were strengthened by the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. HITECH introduced significant penalties for HIPAA breaches and requires that the business associates of HIPAA covered entities themselves comply with the HIPAA Privacy and Security Rules, and face liability for any unauthorized disclosure.
Provisions of the HIPAA Security Rule as applied to e-mail: The HIPAA language uses the terms 'required' and 'addressable':
- Required means the standard is mandatory: the covered entity must implement it as specified.
- Addressable means the standard must be implemented unless a documented risk analysis concludes that implementation is not reasonable and appropriate for the organization's particular setting, in which case the organization must document why and implement an equivalent alternative measure where one is reasonable. Important Note: Addressable does not mean optional.
- Because of this, an organization should read each Security Rule standard separately and address each implementation specification independently, so that its approach matches its own needs.
The General Rules of the Security Standards take a "technology-neutral" approach: no particular products or systems are prescribed or recommended, as long as the requirements for protecting the data are met. Those requirements include:
- Organizational requirements refer to specific functions a covered entity must perform, including the use of business associate contracts and the development, documentation and implementation of policies and procedures.
- Administrative requirements guide personnel training and staff management in regard to PHI and require the organization to reasonably safeguard (administrative, technical and physical) information and electronic systems.
- Physical safeguards must be implemented to protect computer servers, systems and connections, including the individual workstations. This section covers security concerns related to physical access to buildings, access to workstations, data back up, storage and obsolete data destruction.
- Technical safeguards must be implemented to protect Protected Health Information [PHI] that is maintained or transmitted by any electronic media.
To learn more about HIPAA / HITECH requirements, check out HIPAA.ORG where you can keep up to date with all of the fast paced changes and requirements for HIPAA / HITECH.
1. TLS encryption depends on every e-mail server involved in routing and delivering a message supporting TLS; if any hop does not, the message crosses that hop in the clear. To check the TLS support of the mail server behind any e-mail address, open this link http://www.checktls.com/perl/TestReceiver.pl?ASSURETLS, select DETAIL or CERT DETAIL, and follow the instructions to enter an e-mail address for the e-mail server you would like to test.
Upon completion of the TLS test you will see a score and a listing of any problems. Some e-mail servers use greylisting, so a failure to validate the e-mail address itself does not cause the TLS test to fail.
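As an added example (not ChicagoNetTech's tooling, and not the checktls.com service the footnote points to), the following Python script shows the two checks a practitioner would make behind this footnote: whether a receiving mail server advertises STARTTLS in its EHLO reply, and whether every hop in a delivered message's Received: chain actually used TLS. The EHLO replies and message headers in the script are constructed samples using example.net / example.org / partner.example hostnames; live_starttls_check is the only part that touches the network and assumes you have already looked up the server's MX host.

```python
"""Two offline-testable checks behind the TLS footnote above (added example,
not ChicagoNetTech's tooling): does a receiving server offer STARTTLS, and
did every hop of a delivered message actually use TLS.  All sample data is
constructed; hostnames are reserved example domains."""
import re
import smtplib

# --- 1. Does the receiving server advertise STARTTLS? -----------------------

# Constructed EHLO replies.  "250-" means more lines follow, "250 " is the last.
EHLO_WITH_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_NO_TLS = (
    "250-legacy.example.net Hello client.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_capabilities(reply):
    """Return the set of ESMTP keywords in a raw EHLO reply (upper-cased).
    The first 250 line is the server's greeting, not a capability."""
    caps = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def offers_starttls(reply):
    """True if the EHLO reply advertises STARTTLS (RFC 3207)."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def live_starttls_check(host, port=25, timeout=10):
    """Network version of the same check: connect to an MX host you have
    already resolved and ask whether its EHLO reply offers STARTTLS.
    Not exercised by the offline samples."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# --- 2. Did every hop of a delivered message use TLS? ------------------------

# Constructed Received: chain, newest hop first, as it would appear in the
# headers of a message that arrived at mail.example.org.  The middle hop
# (relay.partner.example -> mx.example.net) used plain ESMTP, i.e. no TLS.
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    "\tby mail.example.org with ESMTPS id A1B2C3\r\n"
    "\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);\r\n"
    "\tMon, 1 Jan 2024 10:00:02 +0000\r\n"
    "Received: from relay.partner.example (relay.partner.example [198.51.100.5])\r\n"
    "\tby mx.example.net with ESMTP id D4E5F6;\r\n"
    "\tMon, 1 Jan 2024 10:00:01 +0000\r\n"
    "Received: from [10.0.0.7] (client.partner.example [10.0.0.7])\r\n"
    "\tby relay.partner.example with ESMTPSA id G7H8I9;\r\n"
    "\tMon, 1 Jan 2024 10:00:00 +0000\r\n"
    "From: doctor@partner.example\r\n"
    "Subject: lab results\r\n"
)

# RFC 3848 "with" keywords that mean the hop was TLS-protected.
TLS_TRANSPORTS = {"ESMTPS", "ESMTPSA"}
# Deliveries inside one system, not network hops that need TLS.
LOCAL_TRANSPORTS = {"LOCAL", "LMTP"}


def audit_received_chain(headers):
    """Return one (from_host, transport, encrypted) tuple per Received: header,
    newest first.  A hop counts as encrypted if its 'with' keyword is an
    RFC 3848 TLS keyword or the header carries a version=TLS clause."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # undo RFC 5322 folding
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        src = re.search(r"\bfrom\s+(\S+)", line)
        proto = re.search(r"\bwith\s+(\S+)", line)
        transport = proto.group(1).upper() if proto else "LOCAL"
        encrypted = transport in TLS_TRANSPORTS or "version=TLS" in line
        hops.append((src.group(1) if src else "?", transport, encrypted))
    return hops


def unencrypted_hops(headers):
    """Network hops in the chain that did not use TLS; an empty list means the
    message was TLS-protected across every server that handled it."""
    return [h for h in audit_received_chain(headers)
            if not h[2] and h[1] not in LOCAL_TRANSPORTS]


if __name__ == "__main__":
    print("STARTTLS offered:", offers_starttls(EHLO_WITH_TLS), offers_starttls(EHLO_NO_TLS))
    for hop in audit_received_chain(SAMPLE_HEADERS):
        print(hop)
    print("plaintext hops:", unencrypted_hops(SAMPLE_HEADERS))
```

The Received: audit is the check that matters for the footnote's caveat: a sender can confirm that its own server offers STARTTLS, but only the headers of a delivered message show whether each intermediate relay actually negotiated TLS on the way. Note that this only detects whether TLS was used at all; whether the certificate was validated is not recorded in a standard Received: header, which is why the footnote points at a CERT DETAIL test.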
