The Health Insurance Portability and Accountability Act (HIPAA) was signed into
law in 1996 with the original intent of protecting health insurance information
when workers changed or lost their jobs. As the internet evolved in the
mid-1990s, HIPAA's requirements coincided with the internet revolution, and the
internet offered an easy, readily available vehicle for the digital exchange of
healthcare information.
However, the idea of passing health records across the public Internet prompted
concerns about the privacy and security of patient information. Consequently,
the HIPAA rules surrounding Protected Health Information (PHI) were refined to
include security standards for sharing PHI over the Internet.
On April 14, 2003, the privacy protection provisions of the HIPAA legislation
went into effect, posing a major compliance challenge for the health care
industry and its business partners. These provisions include:
- Protection against the unauthorized disclosure of a patient's "individually
identifiable health information."
- Each instance of unauthorized disclosure by a health care provider is
punishable by fines ranging from $10,000 to $25,000. Each instance of
intentional unauthorized disclosure is punishable by fines ranging from
$100,000 to $250,000 and possible jail time for those who violate the
provisions.
The HIPAA Security Standard contains two subparts that relate directly to data
integrity, data access and mechanisms for handling data. These are:
- 45 CFR Part 142, § 142.308 (c), "Technical security services to guard data
integrity, confidentiality and availability." These are processes that protect
information and control individual access to information.
- 45 CFR Part 142, § 142.308 (d), "Technical security mechanisms." These are
controls that prevent unauthorized access to information that is transmitted
across an internal network or across the public Internet.
HIPAA and E-mail
The part most relevant to email is the rule requiring "securing patient records
containing individually identifiable health information so that they are not
readily available to those who do not need them." The rules do not specify
which technologies should be used to preserve the confidentiality of patient
records, so organizations can choose the technologies that best suit their
needs, provided they are secure enough to prevent improper access to PHI.
File Fortress meets the following key requirements for exchanging PHI over the
Internet:
- It applies encryption, authentication (three-part), and authorization
controls to e-mail, attachments and web pages to ensure their integrity.
- All transactions within FileFortress.com occur over a secure SSL connection.
We currently support the highest level of encryption available (256-bit
encryption via Secure Sockets Layer (SSL)).
- It secures e-mail by encrypting both the message and any attachments using
industry-standard encryption protocols.
- Messages are not sent to recipients directly. Instead, they are stored on our
servers, and recipients must be authenticated in order to view message
contents.
- It extends protection to e-mail after it is delivered to a recipient's
inbox. File Fortress users have the ability to set an expiration date for the
attachments on each message. Once this date is reached, the attachments for
that message are removed from our servers.
File Fortress can provide organizations with a Business Associate Contract template if necessary.