HIPAA Compliant Email Services

EQ Admin

EQ Forum Admin
Staff member
The new comparison page for HIPAA Compliant Email Services is ready.

I started with listings for Email Pros, Google Apps, LuxSci, and Office 365 (HIPAA Edition).

Please reply to this discussion if you have a service that you would like added, or any updates & corrections to the existing list of features.
 

kangas

President at LuxSci.com
I think some things such as:

1. Email archival
2. TLS delivery support (forced TLS); and opportunistic TLS if other encryption methods are used
3. S/MIME support
4. PGP support
5. Web-based secure email pickup support
6. Minimum price which includes email encryption
7. If they sign a Business Associate Agreement
8. Secure email sending and receipt on mobile devices
9. Ability to send a secure email to anyone (e.g. including people outside "the system")
10. Ability to receive a secure email from anyone (e.g. a facility to enable anyone to send you a secure email for free if they have no secure email themselves)
11. IMAP access to email
12. ActiveSync access to email (calendars, contacts, etc.)
13. Support for bulk or mass transactional compliant email messages
14. Retracting of messages sent
15. Read receipts (100% reliable) of messages sent
16. White labeling of the secure email system
17. Ability to "opt out" of security and send (non-PHI) messages without special encryption
18. If encryption is "opt in" and reliant on the sender to tag it for encryption (not as good as opt out due to the potential for mistakes)
19. SSL WebMail access to email
20. TLS/SSL support is TLS v1.0+ only and only using FIPS recommended ciphers (not weak ones) needed for HIPAA compliance
What Level of SSL or TLS is Required by HIPAA? - LuxSci FYI
21. Option for email on a dedicated server for added security and privacy
22. Email Marketing with a constant-contact like web-based mailing program for messages that may contain PHI.
23. Level of support
24. Two-factor auth for web logins
25. Password expiration, reuse, and strength options
26. Support for DKIM and SPF
27. No need for custom applications or software (e.g. you can just use your browser or something like thunderbird)
 

EQ Admin

EQ Forum Admin
Staff member
Multiple ways to encrypt email (e.g. TLS, Escrow, PGP, S/MIME)

The above was mentioned to me as part of the HIPAA compliance features list, but to me some of this is encrypting "over the wire" but doesn't help much if the recipient has, for example, a Yahoo account.
 

EQ Admin

EQ Forum Admin
Staff member
Another batch of updates saved. I'd like to push the most important features to the top.

I'm curious about Secure Contacts vs. ActiveSync Contacts. Are these really the same thing?

Secure email pickup = sender gets a link to go view an "email" on the web?

LuxSci specific question. If a recipient doesn't have a mail server that supports TLS, do you refuse to relay the email? It appears there is an option to only send if TLS detected.
 
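The distinction behind item 2 of the feature list (forced vs. opportunistic TLS) and the relay question above can be made concrete as a delivery-policy decision. This is an added example, not code from any of the listed services or from the forum; the policy table, cipher allow-list and sample peers are constructed assumptions.

```python
"""Relay decision for an outbound message under a per-domain TLS policy.

Constructed example: a 'forced' domain is never relayed without acceptable
TLS, while an 'opportunistic' domain falls back to a cleartext transport only
when the body is already protected (S/MIME, PGP, escrow pickup) or holds no PHI.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical per-domain policy table (assumption, not a vendor setting).
POLICY = {"clinic.example": "forced", "partner.example": "opportunistic"}
DEFAULT_POLICY = "forced"  # unknown peers get the strict policy

# Protocol floor from the thread ("TLS v1.0+") and an illustrative strong-cipher
# allow-list; weak suites such as RC4 or export ciphers are deliberately absent.
MIN_TLS = (1, 0)
ALLOWED_CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES256-SHA",
}


@dataclass
class Handshake:
    version: Tuple[int, int]  # (1, 2) means TLS 1.2
    cipher: str


def tls_acceptable(hs: Optional[Handshake]) -> bool:
    """True only if the peer negotiated TLS at/above the floor with an allowed cipher."""
    return hs is not None and hs.version >= MIN_TLS and hs.cipher in ALLOWED_CIPHERS


def decide(domain: str, hs: Optional[Handshake], phi: bool, body_encrypted: bool):
    """Return (action, reason); action is 'deliver', 'defer' or 'relay_clear'.

    'defer' means hold or bounce instead of relaying: a downgrade to cleartext
    transport is never taken for a forced domain or for unprotected PHI.
    """
    policy = POLICY.get(domain, DEFAULT_POLICY)
    if tls_acceptable(hs):
        return "deliver", f"{policy}: TLS {hs.version} / {hs.cipher} accepted"
    if policy == "forced":
        return "defer", f"{policy}: peer lacks acceptable TLS, not relaying"
    if body_encrypted or not phi:
        return "relay_clear", f"{policy}: no TLS, body protected or non-PHI"
    return "defer", f"{policy}: unprotected PHI cannot go over cleartext"
```

A weak handshake (for example TLS 1.2 with an RC4 suite) counts the same as no TLS at all, which is the point of item 20 in the list.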

EQ Admin

EQ Forum Admin
Staff member
100% reliable read receipts caught my attention too. Does that mean "within the system" and not related to 3rd party email service?
 

EQ Admin

EQ Forum Admin
Staff member
ePHI Safeguards are defined as:
  • Physical safeguards and data access control
  • Staff training and administrative policies
  • Facility access control and security
  • Contingency plans, backups plans, and disaster recovery
  • Workstation security and usage lockdown
 

EQ Admin

EQ Forum Admin
Staff member
Interesting note, at least to me.

Microsoft sales understands that Azure Rights Management is needed to make an Office 365 business plan HIPAA compliant, but there is no information about features, at least not the same way I'm trying to present it.

If anyone with the HIPAA plan can help figure out the features I'll be happy to list their service.

The following information lists HIPAA requirements followed by text explaining Microsoft's implementation.

HIPAA / HITECH Requirements - Microsoft’s QualysGuard Implementation


Security Management Process.

a. 164.308(a)(1)
b. 164.308(a)(1)(ii)
c. 164.308(a)(1)(ii)(A)
d. 164.308(a)(1)(ii)(D)

QualysGuard's Vulnerability Management and Policy Compliance solutions underpin security management with a complete, automated system for security audits and IT compliance management.

Information Access Management.

a. 164.308(a)(4)
b. 164.308(a)(4)(ii)(A)
c. 164.308(a)(4)(ii)(B)

Audits user access to systems and databases containing PHI.

Security Awareness and Training.

a. 164.308(a)(5)
b. 164.308(a)(5)(ii)(B)
c. 164.308(a)(5)(ii)(C)
d. 164.308(a)(5)(ii)(D)

Security and configuration data revealed by QualysGuard reporting capabilities help staff and management with their network security posture and how to further protect it against emerging threats.

Security Incident Procedures.

a. 164.308(a)(6)

Security and configuration audit assessments provide hard data for conceiving, implementing, and managing security policies.

Evaluation.

a. 164.308(a)(6)

Automatically and regularly tests and documents security capabilities and configuration settings before and after installation and maintenance of networks, systems, or applications.

Workstation Security.

a. 164.310(C)

QualysGuard automatically and regularly tests and documents security capabilities and configuration settings before and after installation and maintenance of networks, systems, or applications.

Device and Media Controls.

a. 164.310(d)(2)(i)
b. 164.310(d)(2)(iv)

Tests and documents configuration settings automatically before and after installation and maintenance of networks, systems, or applications.

Access Control.

a. 164.312(a)(1)

Audits user access to systems and databases containing PHI.

Audit Control.

a. 164.312(b)

Automatically and regularly tests and documents configuration settings before and after installation and maintenance of networks, systems, or applications.

Integrity.

a. 164.312(c)(1)
b. 164.312(c)(2)

Audits user access to systems and databases containing PHI.

Transmission Security.

a. 164.312(e)
b. 164.312(e)(1)