Is the use of STARTTLS during communication between an internal email server and external recipient sufficient to meet HIPAA guidelines? If so, is it required that TLS be forced?
Generally, no.

If you are configuring an e-mail client and setting STARTTLS on the SMTP connection, then the e-mail is going to be encrypted just between you and your e-mail server; not to the recipient's e-mail server, and not between the recipient and their e-mail server.

Most companies do not send HIPAA-covered data through e-mail because it's inherently insecure during transmission (for most server configurations). Those that do generally use encryption on the e-mail itself (S/MIME or PGP), which is exceedingly difficult for normal users to set up.

The generally accepted practice I've seen is to e-mail a link to a website. The website is TLS encrypted and the client has to prove their identity. This is basically secure end to end (user error notwithstanding).

If you're a small company, your options are basically to forego electronic communication, or hire a computer company that specializes in HIPAA-compliant communication. If you're part of a larger company, ask your network admin, auditors, or HIPAA compliance consultant.
I'm assuming the e-mail being sent contains data covered by HIPAA.
The short answer is probably not. You're likely required to use end-to-end encryption.
However, the real answer is that you should talk to a HIPAA auditor, or someone with a deep understanding of both the legislation and how auditors and judges have been interpreting it.

Please don't take any random answer from the Internet when it comes to things like this, where a slight mistake, in addition to putting you out of business, could cause serious hardship for people.
You need to talk to a HIPAA security specialist; however, the ePHI standards would cover TLS. You are correct, though, that it would have to be forced: you would have to reject a connection that refuses TLS.

Contrary to what a sane admin might think, the HIPAA regs are not about security per se. They simply spell out some requirements that some senators thought meant security. E.g., as Chris S correctly pointed out, encryption clients should have to prove their identity; however, that's not part of the standard. Email is usually not encrypted as it is transferred to a user's system; however, that's specifically not required (storage on the destination system is). Either storing it in a password-protected PST or on the Exchange server is adequate, as it's not cleartext. This doesn't mean that you can't or shouldn't do the right thing; it just means that from the lawyers' standpoint the requirement was fulfilled.

IMHO both 21 CFR Part 11 and HIPAA need serious overhauls, and not from folks who think the internet is a series of tubes.
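The "forced" TLS the answers above refer to is the difference between opportunistic STARTTLS (send in plaintext if the peer does not advertise it) and a fail-closed policy (abort the delivery instead). The following is an added example, not code from the thread or from any MTA: it parses a peer's EHLO reply, applies a constructed per-destination policy table, and shows why opportunistic mode alone offers no guarantee, since an active attacker between the two servers can simply overwrite the `250-STARTTLS` capability line and an opportunistic sender will fall back to plaintext without noticing. The host names, policy table and EHLO transcripts are all constructed for illustration.

```python
"""Fail-closed STARTTLS for server-to-server SMTP delivery.

Added example for this thread; not code from the original page or from any
mail server.  Hosts, the policy table and the EHLO transcripts below are
constructed for illustration.
"""
import re
import smtplib
import ssl

# Constructed per-destination policy, in the spirit of an MTA tls_policy table.
#   'encrypt' -> refuse to deliver unless STARTTLS is offered and the
#                certificate verifies (fail closed)
#   'may'     -> opportunistic: use TLS if offered, else send plaintext
TLS_POLICY = {
    "partner-hospital.example": "encrypt",
    "*": "may",
}

# Constructed EHLO replies as seen on the wire.
EHLO_WITH_TLS = (
    "250-mx.partner-hospital.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# What a downgrade attacker on the path leaves the client with: the STARTTLS
# capability line overwritten, so nothing advertises TLS any more.
EHLO_STRIPPED = EHLO_WITH_TLS.replace("250-STARTTLS", "250-XXXXXXXX")


def policy_for(recipient_domain: str) -> str:
    """TLS level required for a recipient domain (falls back to '*')."""
    return TLS_POLICY.get(recipient_domain.lower(), TLS_POLICY["*"])


def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """Parse a raw multi-line EHLO reply and report whether STARTTLS is
    advertised.  Only 250 lines count; the keyword is case-insensitive."""
    for line in ehlo_response.splitlines():
        m = re.match(r"^250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def decide(recipient_domain: str, starttls_offered: bool) -> str:
    """Return 'tls', 'plaintext' or 'abort' for one delivery attempt."""
    if starttls_offered:
        return "tls"
    return "plaintext" if policy_for(recipient_domain) == "may" else "abort"


def deliver(host: str, sender: str, recipient: str, message: str, port: int = 25) -> str:
    """Network-facing delivery applying decide().  Returns the action taken;
    raises instead of falling back to plaintext when policy is 'encrypt'."""
    domain = recipient.rsplit("@", 1)[1]
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise smtplib.SMTPHeloError(code, "EHLO rejected")
        action = decide(domain, smtp.has_extn("starttls"))
        if action == "abort":
            raise RuntimeError(
                f"{host} does not offer STARTTLS; policy for {domain} is 'encrypt'")
        if action == "tls":
            # The default context verifies the chain and the host name; a bad
            # certificate raises ssl.SSLError rather than silently continuing.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        smtp.sendmail(sender, [recipient], message)
        return action


if __name__ == "__main__":
    for label, reply in (("normal", EHLO_WITH_TLS), ("stripped", EHLO_STRIPPED)):
        offered = ehlo_offers_starttls(reply)
        print(label, "partner-hospital.example ->", decide("partner-hospital.example", offered))
        print(label, "other.example            ->", decide("other.example", offered))
```

Run stand-alone, the script shows the asymmetry: with the stripped EHLO reply the `encrypt` destination aborts, while the `may` destination would have gone out in plaintext. That is the behaviour the answer above means by "reject a connection that refuses TLS", and it also illustrates why the client-to-server STARTTLS setting alone says nothing about the next hop: `deliver()` has to make this decision for every destination server separately.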
I don't see a way to comment, so I'll ask my question of Jim B in the form of an answer. Sorry. I find the following language unclear and perhaps you could clarify:
"Email is usually not encrypted as it is transferred to a users system- however that's specifically not required (storage on the destination system is) - however either storing it in a password protected PST on on the exchange server is adequate as it's not cleartext."
Are you saying that encryption as email is being transferred from in-house server to user's desktop PC (or mobile device) is not explicitly required?
And by "storage on the destination system is [specifically required]" do you mean email must be stored on the recipient's PC in an encrypted format? Or that email must be erased from the mail server when the user downloads it to read it? Or that wherever the email is stored, it must be stored in an encrypted format?