3

Is the use of STARTTLS during communication between an internal email server and external recipient sufficient to meet HIPAA guidelines? If so, is it required that TLS be forced?

4 Answers

8

Generally, no.

If you are configuring an e-mail client, and setting STARTTLS on the SMTP connection, then the e-mail is going to be encrypted just between you and your e-mail server; not to the recipient's e-mail server, and not between the recipient and their e-mail server.

Most companies do not send HIPAA covered data through e-mail because it's inherently insecure during transmission (for most server configurations). Those that do generally use encryption on the e-mail itself (S/MIME or PGP), which is exceedingly difficult for normal users to set up.

The generally accepted practice I've seen is to e-mail a link to a website. The website is TLS encrypted and the client has to prove their identity. This is basically secure end to end (user error notwithstanding).

If you're a small company, your options are basically to forgo electronic communication, or hire a computer company who specializes in HIPAA compliant communication. If you're part of a larger company, ask your network admin, auditors, or HIPAA compliance consultant.

Chris S
  • I wouldn't say S/MIME is difficult - it's just certificates that cost. (OpenPGP difficulty varies among mail clients.) – user1686 Apr 29 '10 at 14:20
  • 2
    TLS between the mail servers is generally considered insufficient because it does not ensure encryption through the whole chain (what if the recipient downloads their mail via POP/IMAP without SSL?) The link-to-a-password-protected-SSL-secured-site method is what we use at my company. – voretaq7 Apr 29 '10 at 15:30
  • 2
    @grawity. Try walking several hundred email users through the process of installing the certificate of the people they communicate with... it's an IT nightmare. – Scott Lundberg Apr 29 '10 at 15:35
1

I'm assuming the e-mail being sent contains data covered by HIPAA.

The short answer is probably not. You're likely required to use end-to-end encryption.

However the real answer is you should talk to a HIPAA auditor, or someone with a deep understanding of both the legislation, and how auditors and judges have been understanding it.

Please don't take any random answer from the Internet when it comes to things like this where a slight mistake, in addition to putting you out of business could cause serious hardship for people.

LapTop006
1

You need to talk to a HIPAA security specialist; however, the EPHI standards would cover TLS. However, you are correct in that it would have to be forced: you would have to reject a connection that refuses TLS.

Contrary to what a sane admin might think, the HIPAA regs are not about security per se. They simply spell out some requirements that some senators thought meant security. E.g., as Chris S correctly pointed out, encryption clients should have to prove their identity; however, that's not part of the standard. Email is usually not encrypted as it is transferred to a user's system; however, that's specifically not required (storage on the destination system is). However, either storing it in a password protected PST on the Exchange server is adequate as it's not cleartext. This doesn't mean that you can't or shouldn't do the right thing; it just means that from the lawyer's standpoint the requirement was fulfilled.

IMHO both 21 CFR Part 11 and HIPAA need serious overhauls, and not from folks that think the internet is a series of tubes.

Jim B
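The two technical points in this thread are that STARTTLS as normally configured is opportunistic (Chris S's answer: it only protects the hop it is negotiated on, and a peer that does not offer it gets cleartext) and that making it "forced" means refusing to continue a session with a peer that offers no STARTTLS (Jim B's answer). The following is an added example, not code from the thread or from any MTA, showing that sender-side decision in Python's standard library. The EHLO replies are constructed samples, and the host, sender and recipient names are placeholders.

```python
# Added example (not from the thread): treat STARTTLS as mandatory rather than
# opportunistic on the outbound hop, i.e. abort when the peer does not offer it.
# This protects only the hop from this client to the next server; later hops
# (relay to the recipient's server, the recipient's POP/IMAP download) are
# outside its control, which is the limitation Chris S and voretaq7 describe.
import smtplib
import ssl

# Constructed sample EHLO replies in SMTP wire format (not captured from a real server).
EHLO_WITH_STARTTLS = (
    b"250-mail.example.net Hello client.example.org\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.net Hello client.example.org\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply):
    """Turn a raw multi-line EHLO reply into {EXTENSION: parameter string}.

    Each line is '250-<text>' (more lines follow) or '250 <text>' (last line).
    The first line carries the server greeting, not an extension, so it is skipped.
    """
    extensions = {}
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line[:3].isdigit():
            continue  # malformed line: ignore rather than crash
        text = line[4:].strip()
        if not text:
            continue
        name, _, params = text.partition(" ")
        extensions[name.upper()] = params.strip()
    return extensions


def tls_policy_decision(extensions, policy="encrypt"):
    """Decide whether the session may continue past EHLO.

    policy='may'     -> opportunistic: use TLS if offered, otherwise send in clear.
    policy='encrypt' -> mandatory: abort unless the peer advertises STARTTLS.
    Returns (proceed, reason). Names are compared case-insensitively so the
    dict smtplib keeps in esmtp_features (lower-case keys) works as input too.
    """
    offers_starttls = any(name.upper() == "STARTTLS" for name in extensions)
    if offers_starttls:
        return True, "STARTTLS offered; upgrade before MAIL FROM"
    if policy == "may":
        return True, "no STARTTLS; opportunistic policy continues in cleartext"
    if policy == "encrypt":
        return False, "no STARTTLS; mandatory policy aborts the session"
    raise ValueError("unknown policy: %r" % policy)


def send_with_mandatory_tls(host, sender, recipient, message, port=25):
    """Deliver one message to `host`, refusing to send unless this hop is
    TLS-protected and the server certificate validates against the system trust store.
    Host, sender and recipient are caller-supplied placeholders here."""
    context = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        proceed, reason = tls_policy_decision(smtp.esmtp_features, "encrypt")
        if not proceed:
            # Nothing has been sent yet; leaving the block closes the connection.
            raise RuntimeError("refusing to send to %s: %s" % (host, reason))
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        smtp.sendmail(sender, recipient, message)
    return reason
```

The same choice exists as a setting in mail servers; in Postfix, for instance, `smtp_tls_security_level = may` is the opportunistic behaviour and `encrypt` is the mandatory one. Either way the guarantee ends at the next hop, which is why the answers above point to message-level encryption or a TLS-protected web portal rather than transport TLS alone.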
0

I don't see a way to comment, so I'll ask my question of Jim B in the form of an answer. Sorry. I find the following language unclear and perhaps you could clarify:

Email is usually not encrypted as it is transferred to a user's system; however, that's specifically not required (storage on the destination system is). However, either storing it in a password protected PST on the Exchange server is adequate as it's not cleartext.

Are you saying that encryption as email is being transferred from in-house server to user's desktop PC (or mobile device) is not explicitly required?

And by "storage on the destination system is [specifically required]" do you mean email must be stored on the recipient's PC in an encrypted format? Or that email must be erased from the mail server when the user downloads it to read it? or that wherever the email is stored, it must be stored in an encrypted format?

  • @Jim B won't be likely to see your answer unless you direct the question to him. – Warner Oct 21 '10 at 16:42
  • 1
    Also, you cannot comment until you have 50 reputation. If you have a question regarding this, it's best you re-post it as opposed to answering someone else's question. – Warner Oct 21 '10 at 16:43
  • HIPAA is very poorly written, and that creates implementation issues. The main problem here is the protected data must be kept safe, which generally means using encryption. The issue with e-mail is that you can not configure a server to guarantee that all outgoing e-mail will be encrypted until they reach their destination user. If you have a more specific question please use the "Ask A Question" button in the upper right of every page. If it's too technical for this site, we'll let you know and try to point you in the right direction. Thank you and welcome to Server Fault! – Chris S Oct 21 '10 at 17:24