Recently, we've got an inquiry about how S/Notify Email Encryption for Jira and Confluence could help with HIPAA compliance. This was an interesting question, and I'd like to share our findings with you.
The short answer is: yes, S/Notify enables you to comply with HIPAA when using Jira and Confluence.
For those who want the long answer, let's first clarify a few things about HIPAA.
HIPAA stand for the Health Insurance Portability and Accountability Act. It was enacted in 1996 to set the standard for sensitive patient data protection in the USA. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.
To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.
The HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
Now, how can Email Encryption help to become HIPAA compliant?
The HIPAA Technical Safeguards published by the US Department of Health and Human Services (see References) cover these areas defined in the HIPAA Security Rules: access control, audit controls, integrity, person or entity authentication, transmission security. According to this document, email encryption is an appropriate solution to to cover § 164.312(e)(1) Transmission Security. Within this area, email encryption is able to cover both, § 164.312(e)(2)(i) Integrity Controls and § 164.312(e)(2)(ii) Encryption.
Encryption is an important element of HIPAA compliance for email. The method of encryption is not specified in HIPAA, but HIPAA-covered entities can obtain up to date guidance on encryption from the National Institute of Standards and Technology (NIST), which currently recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption in its latest publication SP 800-45 Version 2 (see References). The following is quoted from this publication:
The most significant feature of S/MIME is its built-in and nearly “automatic” nature. Because of heavy industry involvement from manufacturers, S/MIME functionality exists with default installations of common mail clients such as Mozilla and Outlook Express.
Organizations using S/MIME to protect emails should use AES or 3DES (preferably AES, which is considered a stronger algorithm than 3DES).
Many free and commercial products that use the OpenPGP standard are currently available. The software can be downloaded or purchased from a variety of Web sites.15 Some OpenPGP-based products fully support the cryptographic algorithms recommended to the Federal government by NIST in FIPS PUB 140-2 and other publications, including 3DES and AES for data encryption, Digital Signature Algorithm (DSA)16 and RSA for digital signatures, and SHA for hashing.17 Some implementations of OpenPGP support other encryption schemes not addressed here.
NIST considers AES-128, AES-192, and AES-256 to provide highest security, while 3DES is considered secure and compatible.
While 3DES is not known to be broken, due to its basic design, with enough computer power, it's considered to be more easily breakable than AES.
Email encryption is considered an appropriate solution to to cover Transmission Security, and, within this area, is able to cover both, Integrity Controls and Encryption. As a consequence, if you use Jira (including Jira Service Desk) and Confluence to manage any protected health information (PHI), S/Notify is perfect to get you covered with regard to the transmission security of email notifications. S/Notify currently supports S/MIME encryption with AES-256, as recommended by NIST for highest security.
Stay in touch with us
Would you like to be updated with tipps and tricks regarding S/Notify and email encryption in general? Just let us know, and we'll love to add you to our list. Thank you!
Images from Wikimedia Commons (except S/Notify)
