Here’s a question from our twitter feed this past week. Like most things in life, I think this needs a little more than 140 characters to explain, so here’s a blog post. Take that Twitter!
A few weeks back, we addressed the question: Do you need a Business Associate or Business Associate Subcontractor Agreement with your email host? (Remember: Covered Entities have Business Associates, Business Associates have Subcontractors.)
We answered most emphatically . . . Yes! Because they are potentially handling PHI on your behalf, you need to make sure they understand their responsibilities to protect PHI.
Then this question came in: Encryption/decryption happens on the endpoints, so the web/email hosting companies are unable to see anything even if they wanted to. So, you don't need a Business Associate Agreement with them, right?
Sorry, the answer is still, Yes. You are still going to have to ask them to sign a Business Associate Agreement.
Let's break down how email encryption works. Either you use your current email client (Outlook, Apple Mail, etc.) with encryption from your vendor*, or you have to log in to a web client in order to send an encrypted email. Either way, your message is then encrypted and stored on your vendor's server. At that point, an email is sent to your client with a link back to the vendor's site saying, "Hey, you've got an email from Bob's Agency, click here to see it." The client is then required to log in to a password-protected site. Once the client successfully logs in, the email is decrypted and made readable.
In both scenarios, the email is encrypted from point to point, and technically it's unreadable by your email provider, right? Yep, no disagreement here… Buuuuuuut… who holds the encryption keys? Your email provider does, and that is one of the key reasons why you need a Business Associate or Business Associate Subcontractor Agreement.
In this Agreement, there should be information about how the company encrypts the emails and where the encryption keys are stored. For instance, are they stored onsite or offsite? On a separate server? Who has access to these encryption keys? How does the company keep these keys safe? How does the company handle physical security? This is due diligence that your company MUST do before you sign that contract with the encryption service.
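To make the key-custody point concrete, here is an added Go model of a portal-style encrypted email service. It is example code written for this post, not any vendor's software, and everything in it is constructed: the service, the recipient address, the link token and the sample message. It shows that the recipient's login is only an access-control check in front of decryption, while anyone operating the vendor's data store can decrypt the very same message without logging in, because the vendor generated the key and keeps it next to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// storedMessage is what the vendor keeps per secure message: the key sits next
// to the ciphertext because the vendor's portal is what does the decrypting.
type storedMessage struct {
	recipient  string
	key        []byte // AES-256 key generated and held by the vendor
	nonce      []byte
	ciphertext []byte
}

// PortalService is a toy model of the vendor's server (constructed for this example).
type PortalService struct {
	messages  map[string]*storedMessage // link token -> message
	passwords map[string][32]byte       // recipient -> SHA-256(password); real portals use salted, slow hashes
}

func NewPortalService() *PortalService {
	return &PortalService{messages: map[string]*storedMessage{}, passwords: map[string][32]byte{}}
}

// RegisterRecipient creates the recipient's portal login.
func (p *PortalService) RegisterRecipient(email, password string) {
	p.passwords[email] = sha256.Sum256([]byte(password))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts under a fresh key, stores ciphertext, nonce AND key on the vendor
// side, and returns the token that goes into the "click here to view" link.
func (p *PortalService) Send(recipient string, plaintext []byte) (string, error) {
	buf := make([]byte, 32+12+16) // AES-256 key, 96-bit GCM nonce, link token
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key, nonce, token := buf[:32], buf[32:44], fmt.Sprintf("%x", buf[44:])
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recipient)) // recipient bound as associated data
	p.messages[token] = &storedMessage{recipient: recipient, key: key, nonce: nonce, ciphertext: ct}
	return token, nil
}

// decrypt is the vendor's own routine; it needs nothing beyond what the vendor stores.
func decrypt(m *storedMessage) ([]byte, error) {
	gcm, err := newGCM(m.key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.nonce, m.ciphertext, []byte(m.recipient))
}

// ReadAsRecipient models the recipient following the link and logging in. The login is
// an access gate in front of decryption, not a cryptographic barrier: the key is never
// derived from the recipient's password.
func (p *PortalService) ReadAsRecipient(token, email, password string) ([]byte, error) {
	m, found := p.messages[token]
	want, known := p.passwords[email]
	got := sha256.Sum256([]byte(password))
	if !found || !known || m.recipient != email || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return nil, errors.New("login failed")
	}
	return decrypt(m)
}

// ReadAsOperator models anyone with access to the vendor's data store, such as a
// portal administrator: the same message decrypts with no login at all.
func (p *PortalService) ReadAsOperator(token string) ([]byte, error) {
	if m, found := p.messages[token]; found {
		return decrypt(m)
	}
	return nil, errors.New("no such message")
}

func main() {
	p := NewPortalService()
	p.RegisterRecipient("client@example.com", "correct horse battery staple")
	token, _ := p.Send("client@example.com", []byte("Constructed sample PHI: patient 1234 lab results"))
	asClient, err := p.ReadAsRecipient(token, "client@example.com", "correct horse battery staple")
	asVendor, _ := p.ReadAsOperator(token)
	fmt.Printf("recipient after login: %q (err=%v)\nvendor, no login: %q\n", asClient, err, asVendor)
}
```

The questions in the Agreement follow directly from this layout: whoever can read the `key` field of the vendor's store can read the PHI, so where that store lives, who can reach it and how it is protected is exactly what the due-diligence questions below are asking.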
Luckily, most email encryption providers today offer to sign Business Associate and Business Associate Subcontractor Agreements, or offer one on their site. Just make sure you carefully review any of their agreements and make sure you understand their security procedures before you sign off on them.
Remember folks, CYA is the name of the game when it comes to HIPAA. There are serious penalties for any misuse of PHI, and you are responsible for what your business associates and subcontractors do on your behalf. This is why you have EVERY contractor sign a Business Associate Agreement, or Business Associate Subcontractor Agreement, and ask this simple question, “May I see your Privacy and Security Policies and Procedures?” If they don’t have them, then don’t do business with them.
Keep those questions coming, and we will do our best to get them all answered!
*This will probably be a plug-in to your client, and will have to be actively selected in order to send encrypted emails.