Securing the e-mail trail E-mail contents and attachments are free game as they travel the Internet. Think of an open postcard sent through the mail, where anyone can read it en route. If an unsecured e-mail is intercepted and it contains sensitive client information, the agency would be on the hook for a security breach. Not to mention a damaged reputation. Transport layer security (TLS) is an industry standard protocol to protect e-mails sent via the Internet. It’s built into most e-mail gateways (Microsoft Exchange, IBM Lotus Notes) and is activated with a click of the mouse. The sender and receiver will notice nothing.
data-breach rule went into effect, the agreement also gives a timeframe for the business associate to notify a covered entity of a breach. Your carrier, the covered entity, likely asked you to sign a business-associate agreement. And carriers on top of their game already sent out amended agreements to reflect the recent data-breach and Security Rule changes.
TLS operates independently. When an e-mail is sent from one domain (an agent, for example) to another (a carrier), the servers that control transmission negotiate to determine if TLS is enabled. If it is, the servers transmit the e-mail within an impermeable tunnel. Message content and attachments are protected.
Your client also is considered a covered entity and should have sent you an amended business-associate agreement, too. If not, give them a gentle reminder. (The law includes a whistle-blower provision that requires you to report violations … such as failure to provide a business-associate agreement.)
Source: Agents Council for Technology
Q. How do I handle a
Note: TLS is particularly well suited for e-mails between agencies and carriers. What about clients? When it comes to those that are covered entities under HIPAA, e-mail security must be addressed by discipline (absolutely no PHI sent via e-mail) or by encryption. TLS may or may not be an option, depending on your client and your operations.
Learn more: Pennsylvania – www.iabgroup.com/pa/ technology/TLS Maryland – www.iabgroup.com/md/ technology/TLS Delaware – www.iabgroup.com/de/ technology/TLS
A. This is serious stuff. HIPAA mandates notification by the covered entity within 60 days of discovering a breach of unsecured PHI that compromises the information’s security. All those affected must be notified. So must prominent media outlets if over 500 people in the same state or jurisdiction are impacted. If covered entities have 60 days for notification, guess what? Business associates have less time (anywhere between one and 59 days) to notify their covered entity. So if you
[ 18 ]
discover a breach in your agency, check your agreement ASAP for a timeline. IA&B’s Web site details the scenarios that don’t trigger notification and, worst case scenario, the specific steps to take if a breach occurs. Read up on HIPAA’s data-breach provisions: Pennsylvania – www.iabgroup.com/pa/hipaa/ breach_rule Maryland – www.iabgroup.com/md/hipaa/ breach_rule Delaware – www.iabgroup.com/de/hipaa/ breach_rule Note: Independently from HIPAA, all agencies are affected by state data-breach laws, which address identification and client notification of breaches. Learn more about state laws: Pennsylvania – www.iabgroup.com/pa/ privacy/breach Maryland – www.iabgroup.com/md/ privacy/breach Delaware – www.iabgroup.com/de/ privacy/breach
Insurers and employers considered covered entities under HIPAA have always had to comply with strict security standards. As of February 2010,