Healthcare reform has accelerated the use of internet based transfers of personal and health information in order to enroll in the Obamacare individual and family plans. While the online enrollment systems such as Healthcare.gov and Covered California use secure servers, personal and confidential information can be exposed when it is communicated electronically to Certified Insurance Agents and Certified Enrollment Counselors. Consequently, agents and enrollers working with consumers need to move their internet communications with clients to secure email servers and encrypted email systems.
Encrypting emails protects consumer privacy
For independent health insurance agents, such as me, who don’t have access to an already established secure network through a large agency, we have to be more diligent in securing all the different parts of the internet communication puzzle. This would also be the case for the small nonprofit entities that are helping to enroll consumers in health insurance with Certified Enrollment Counselors.
Internet communication puzzle
The different parts of the internet communication puzzle include sending and receiving emails along with the storage of that information that contains Personally Identifying Information (PII) and Personal Health Information (PHI). The security of this information is mandated under the Health Insurance Portability and Privacy Act (HIPPA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Spoofed and spooked
I got spooked when my email address was spoofed by scammers that wanted to infect my computer with malware or viruses. I started receiving emails that had the sender as my email address. The scammers were able to spoof my email server into delivering the email into my Inbox as if I had sent it. Attached in the email was a document that the email proclaimed was my latest invoice or spreadsheet that I had requested. The attachment was the malware or virus. Fortunately, I caught these malicious emails. These spoofed emails were a signal that I had to fortify my communications with even stronger measures.
Encrypting outbound emails
The stronger measures were implementing encryption of ALL outbound emails and putting in place more security on the server side where the emails reside. This is complicated stuff and the solutions will be different for each entity or person that must secure their internet communications. For help and guidance I turned to my website host who helped me purge malware from my website a couple years ago when it was hacked. Craig Udit of CUEservices looked at the different parts of my email communication system and was able to recommend the least obtrusive security measures. Craig had just spent months deploying similar internet communication security for a medical practice and was familiar with both HIPPA and HITECH. To paraphrase Craig’s high level overview of the security situation –
Most major email providers such as Gmail use TLS (secure) servers, which keep the emails encrypted and HIPAA compliant while sitting on those servers. That’s considered ‘DATA AT REST’ in HIPAA terms…email or data sitting somewhere (archived email, outbox, sent box, drafts).
The part of the puzzle that was still missing is the DATA IN TRANSIT part, which is EMAIL WHILE BEING SENT (as it’s flying through the internet from one place to another). Email is never encrypted while being sent, unless someone specifically has a service to do so…so anything sent by email…or things like text and chat…are considered IN THE CLEAR (tech speak for open for anyone to read…if they access it along the internet freeway).
HIPAA requires that any patient information be LOCK DOWN and ENCRYPT both the data in transit and at rest….AND they have a list of other things required…such as the encryption of all devices used to access data (encrypting phones, tablets, laptops etc)…so if they are stolen or lost…the patient data cannot be accessed.
CUEservices hosts my www.insuremekevin.com and Health Plan News WordPress websites. There is no PII or PHI kept within the folders of these websites. But my email, which is from Gmail, does get routed through those servers. For example, if someone uses my contact page to send me a question about health insurance, it goes through the servers that host my website. The actual content of the email resides within my Google Apps Gmail account.
Secure email portal
When it came time to secure the email messages in transit, from the servers routing my emails to the consumer, I wanted to avoid having the recipient log into another website portal just to read the email. You may have received one of those secure email messages requiring you to create a special user name and password, and then log into a whole separate email system. I get those from the health insurance companies, and while they are secure, it is another set of passwords I need to remember. Plus, most of my email correspondence has no PII or PHI and may just be a response to someone about inquiring about one of my hiking or history posts on my website.
Securing email data over the internet
CUEService gave me a couple of different alternatives, but to secure the data-in-transit I went with Paubox.com. Instead of a separate email application portal that someone must log into, the actual email is encrypted before it gets on the internet highway. This is the technical part that Craig and the Paubox engineers work on. Essentially, it has my outbound emails directed through the Paubox servers to become encrypted before they start traveling through the internet to the recipient. Any replies to my email will be similarly encrypted. The only hiccup for some recipients is their email server can’t handle encrypted emails.
Older email servers don’t accept encrypted emails
When an older email system, such as Earthlink or Juno, gets an encrypted email the recipient will see Paubox notice alerting them I have sent them an encrypted email. (Which email hosts are HIPPA compliant?) The recipient can click on the View Message button and the email should open up in another tab in the browser. However, getting one of these “Hello, you’ve got mail” messages looks like a virus infected spam email. I suppose this is just part of the inconvenience price we have to pay for greater internet security.
Securing emails on the server
The other security measure I deployed was upgrading my Google Apps email to be secure and HIPPA compliant. Before Gmail will secure the emails at rest, just residing on their servers, you have to enter into a Business Associates Agreement (BAA) with them. Technically, if you are considered a covered entity, subject to all the regulations of HIPPA and HITECH, then you must have BAA with third parties who may transmit or store PII and PHI data on your behalf. I also had to sign a BAA with Paubox.
Covered California encryption
Exhibit D secion E.1.b of the Covered California agent contract states –
b. Encryption: Contractor shall encrypt all PII that is in motion or at rest, including but not limited to data on portable media devices, using commercially reasonable means, consistent with applicable Federal and State laws, regulations and agency guidance, including but not limited to the U.S. Department of Health and Human Services guidance specifying the technologies and methodologies that render PII unusable, unreadable, or indecipherable to unauthorized individuals for purposes of the breach notification requirements or issued by the National Institute for Standards and Technology (“NIST”) concerning the protection of identifiable data such as PII. Data centers shall be encrypted or shall otherwise comply with industry data security best practices.
Small price for consumer protection
The cost for all of these security measures is fairly minor, about $25 per month. The initial expense to set up the email encryption routing will vary depending on the server hosts and how familiar they are with the procedures. I’ve definitely noticed a decrease in spam emails and no spoof email mails with viruses have been delivered to my Inbox because Paubox has addition filters for malicious emails. There have been some email recipients that could not open my secure message or thought it was spam. But these small inconveniences are worth the added security measures for my clients and me.