Why are Email and Text Messaging Not HIPAA compliant?

Many people believe that ordinary email and text messaging are acceptable ways to send protected health information (PHI) under HIPAA. This is not true, and any organization that currently sends PHI this way is exposing itself to risk.

HIPAA requires that protected health information (PHI) remain confidential and be accessible only to authorized personnel. For transmission, this means two things must be ensured. First, PHI must be encrypted while in transit, so that it stays confidential even when it crosses a public network such as the Internet. Second, PHI must be readable only by the intended recipient, and not by any intermediary that carries the message along the way.

A good example of a HIPAA-compliant method for delivering PHI is the US Postal Service (snail mail). When a doctor mails a letter containing PHI to a patient, both criteria are met: the letter is in a sealed envelope, and only the recipient breaks the seal, so no one along the delivery path, including the postal service itself, can read the PHI.

With these criteria in mind, let's see why email and texting are not HIPAA compliant, starting with what actually happens when an email is sent. Suppose a physician with the address drjones@communityhospital.com sends an email to a patient at janedoe@gmail.com. Two email servers are involved: one at Community Hospital and one at Gmail. When Dr. Jones sends the email, the email client on his computer or smartphone connects to the Community Hospital mail server and hands it the message. The hospital server then looks up where the Gmail server is on the Internet and relays the message to it using the Simple Mail Transfer Protocol (SMTP), the standard protocol for moving mail between servers. SMTP itself provides no encryption: unless both servers happen to negotiate STARTTLS (which is optional, opportunistic, and can be stripped by an attacker on the path), the message crosses the Internet in the clear. Even when a hop is protected by TLS, the protection covers only that hop; each mail server decrypts the message, stores it, and can read it in full. Email therefore fails both criteria: it is not reliably encrypted in transit, and it is readable by the intermediaries that carry it. This is why messages sent via ordinary email are not HIPAA compliant.

The analogy is mailing a letter without an envelope: anyone who handles the letter along the way can read it.
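As an added example (not code from this page or from MedTunnel), the following Go program audits the Received: headers of a delivered message and reports, hop by hop, whether the relaying server recorded a TLS-protected SMTP session. It relies on the RFC 3848 convention that a relay writes `with ESMTPS` (or `ESMTPSA`, when the submitting client also authenticated) when STARTTLS was used, and plain `ESMTP` or `SMTP` when it was not. The sample message is constructed for this example and mirrors the Dr. Jones scenario; the host names, addresses and queue IDs are placeholders.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one relay step reconstructed from a Received: header.
type Hop struct {
	From      string // host that handed the message over
	By        string // host that accepted it and wrote the header
	Protocol  string // the "with" keyword, e.g. ESMTP, ESMTPS, ESMTPSA
	Encrypted bool   // true when the keyword signals STARTTLS (RFC 3848)
}

var (
	fromRe = regexp.MustCompile(`(?i)\bfrom\s+(\S+)`)
	byRe   = regexp.MustCompile(`(?i)\bby\s+(\S+)`)
	withRe = regexp.MustCompile(`(?i)\bwith\s+([A-Za-z0-9]+)`)
	// ESMTPS, ESMTPSA, UTF8SMTPS, UTF8SMTPSA: the S after SMTP means STARTTLS.
	tlsRe = regexp.MustCompile(`(?i)^(E|UTF8)?SMTPSA?$`)
)

// AuditReceivedHeaders parses raw RFC 5322 text and returns the hops in
// chronological order (first hop first). Each relay prepends its own
// Received: header, so the last header in the block is the earliest hop.
func AuditReceivedHeaders(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	received := msg.Header["Received"]
	hops := make([]Hop, 0, len(received))
	for i := len(received) - 1; i >= 0; i-- {
		var h Hop
		if m := fromRe.FindStringSubmatch(received[i]); m != nil {
			h.From = m[1]
		}
		if m := byRe.FindStringSubmatch(received[i]); m != nil {
			h.By = m[1]
		}
		if m := withRe.FindStringSubmatch(received[i]); m != nil {
			h.Protocol = strings.ToUpper(m[1])
			h.Encrypted = tlsRe.MatchString(h.Protocol)
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// UnencryptedHops returns the hops that were not protected by TLS.
func UnencryptedHops(hops []Hop) []Hop {
	var out []Hop
	for _, h := range hops {
		if !h.Encrypted {
			out = append(out, h)
		}
	}
	return out
}

// SampleMessage is constructed for this example. Dr. Jones's client submits
// over TLS with authentication (ESMTPSA), but the hospital server relays to
// the patient's mail provider over plain SMTP (ESMTP): that hop is in the clear.
const SampleMessage = `Received: from mx.communityhospital.example (mx.communityhospital.example [192.0.2.10])
	by mx.mailprovider.example with ESMTP id k7s2Bq;
	Tue, 11 Aug 2015 10:00:02 -0700
Received: from drjones-laptop.communityhospital.example ([198.51.100.23])
	by mx.communityhospital.example with ESMTPSA id 4XyZ
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
	Tue, 11 Aug 2015 09:59:58 -0700
From: drjones@communityhospital.example
To: janedoe@mailprovider.example
Subject: Lab results

Jane, your A1c came back at 7.2%. Let's discuss at your next visit.
`

func main() {
	hops, err := AuditReceivedHeaders(SampleMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s via %s (encrypted=%v)\n", i+1, h.From, h.By, h.Protocol, h.Encrypted)
	}
	if bad := UnencryptedHops(hops); len(bad) > 0 {
		fmt.Printf("%d hop(s) carried the message in the clear\n", len(bad))
	}
}
```

Even a message whose every hop shows ESMTPS only tells you that each link was encrypted; every server named in a `by` clause still held and could read the plaintext, which is the second criterion email cannot meet. Received: headers are also written by the relays themselves, so a hostile or compromised relay can write whatever it likes; treat this audit as evidence, not proof.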

What if someone at Community Hospital emails someone else at Community Hospital? Is that HIPAA compliant? It depends on how the hospital's mail server is configured. If the server accepts only encrypted (TLS) connections from its clients and the message never leaves it for an outside server, the transmission may be HIPAA compliant, because the only system that handles the message in the clear is the hospital's own server, which is under the hospital's control and covered by its own access controls. Even then, any communication between a communityhospital.com account and an outside server (that is, anyone without a communityhospital.com address) is not HIPAA compliant.

What about texting? Is texting HIPAA compliant? First, there are two kinds of text messages. The first is the Short Message Service, or SMS. SMS messages are handled by the cellular carriers: they are not encrypted end to end, they pass through and are stored on carrier systems in the clear, and carrier personnel can read them, so they are not HIPAA compliant. The second kind is sent through a messaging service such as Apple's iMessage. A service like iMessage does encrypt the message in transit, but the information is not handled in a HIPAA-compliant manner by Apple, which runs the iMessage servers, and it is for this reason that Apple states that iMessage is not HIPAA compliant. Note also that iMessage falls back to ordinary SMS/MMS when the recipient cannot be reached through iMessage, so a message the sender believes is encrypted may leave the phone as plain SMS.

Email and texting are, however, very convenient. That is why many providers continue to use them quietly even though they know these methods are not HIPAA compliant. With MedTunnel, a free service that works like email or texting but is HIPAA compliant, this is no longer necessary.

How is MedTunnel HIPAA compliant?

The main purpose of MedTunnel is to provide a free, HIPAA-compliant, secure service for transmitting protected health information (PHI) over the Internet. The core architecture of the product was designed to meet HIPAA and security guidelines: MedTunnel provides a secure conduit through the Internet for PHI transmission, and its key-management protocol is designed so that no one at MedTunnel, up to and including the CEO, can read stored PHI.

Because MedTunnel acts only as a secure conduit for PHI transmission, does not have access to any PHI, and does not permanently store PHI, MedTunnel's position is that a HIPAA Business Associate Agreement (BAA) is not required in order to use the service. Covered entities should be aware that HHS reads the conduit exception narrowly: its guidance on cloud services treats a provider that stores encrypted PHI on a covered entity's behalf as a business associate even when the provider cannot decrypt that data, so whether a BAA is needed should be confirmed with your own compliance counsel. For details of the security protocol and HIPAA compliance, see below.

MedTunnel HIPAA compliant secure transmission protocol

Client transmission to server – when someone sends a message

  1. The client app holding PHI (Protected Health Information) establishes a TLS connection (https over TCP port 443) to the MedTunnel server.
  2. The PHI is transmitted to the cloud server over that TLS session. (The "2048-bit" figure usually quoted for this step is the size of the RSA key in the server's certificate, which protects the handshake; the PHI itself is encrypted by the symmetric cipher the session negotiates.)
  3. Immediately upon receipt, the cloud server encrypts the PHI with AES using 3 separate encryption keys: a server-generated key, the MedTunnel key, and an Independent Third Party key.
    • a. All 3 keys are required to encrypt and decrypt any PHI data.
    • b. The server-generated key is randomly generated by the server for each message transmitted via MedTunnel and is therefore unique to that message. Because no key is reused, recovering one message's key gives an attacker nothing that helps with any other message.
    • c. The MedTunnel key is known only to MedTunnel personnel and not to the Independent Third Party.
    • d. The Independent Third Party key is known only to the Independent Third Party and not to MedTunnel.
    • e. Neither MedTunnel nor the Third Party can decrypt stored PHI on its own, since all 3 keys are required; MedTunnel therefore acts only as a secure conduit for PHI transmission and is not subject to needing a HIPAA Business Associate Agreement.
  4. After encryption, the encrypted PHI is stored in MedTunnel cloud storage. Only encrypted data is stored; no unencrypted data is ever written to storage.
  5. The data is not stored permanently; it is automatically deleted from cloud storage after 14 days.

Server transmission to client – when someone retrieves a sent message

  1. The client app requesting PHI establishes a TLS (https) connection to the MedTunnel cloud server.
  2. The MedTunnel cloud server retrieves the encrypted message data from MedTunnel cloud storage and decrypts it using the 3 required keys.
  3. The PHI is then transmitted to the client app over the TLS session (https, with a 2048-bit RSA certificate key protecting the handshake).

Plaintext PHI therefore exists only in the sending and receiving client apps and, transiently, in the MedTunnel server's memory while it is being encrypted on receipt or decrypted for delivery; what is stored is ciphertext that neither MedTunnel nor the Independent Third Party can decrypt alone. Note that this is server-side encryption at rest, not end-to-end encryption: because the server must hold all 3 keys to perform step 2 of retrieval, the guarantee that MedTunnel staff cannot read PHI rests on the operational controls around that server and its keys, not on cryptography alone. Only a design in which messages are encrypted in the sending client and decrypted in the receiving client would keep PHI out of the server entirely.
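As an added example, not MedTunnel's code (the page does not say how the three keys are combined or where the per-message key is kept), here is one way to realise the three-key scheme of steps 3 and 4 of sending and step 2 of retrieval in Go: the three 32-byte keys are fed through HKDF-SHA256 to derive a single AES-256-GCM data key, the server-generated per-message key is stored alongside the ciphertext, and the message ID is bound as associated data. Every name here (`EncryptForStorage`, `DecryptFromStorage`, the `medtunnel-message-dek-v1` label, the sample keys and PHI) is an assumption of the example. Both functions run on the server and take the MedTunnel and Independent Third Party keys as arguments, which makes concrete that whatever process holds all three keys can read the PHI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const keyLen = 32 // every share is 32 bytes; the derived key is AES-256

// StoredMessage is the only thing written to cloud storage in this example:
// ciphertext plus the parameters needed to decrypt it later. MsgKey is the
// server-generated per-message share; alone it is useless without the
// MedTunnel and Independent Third Party shares.
type StoredMessage struct {
	ID         string
	MsgKey     []byte
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag appended
}

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand over HMAC-SHA256.
func hkdfSHA256(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, t []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(t)
		exp.Write(info)
		exp.Write([]byte{i})
		t = exp.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// deriveDEK combines the three shares into one data-encryption key. The
// shares are fixed-length, so plain concatenation is unambiguous; the
// message ID salts the derivation so the DEK differs for every message.
func deriveDEK(msgKey, medtunnelKey, thirdPartyKey []byte, msgID string) ([]byte, error) {
	for _, k := range [][]byte{msgKey, medtunnelKey, thirdPartyKey} {
		if len(k) != keyLen {
			return nil, errors.New("all three 32-byte keys are required")
		}
	}
	ikm := bytes.Join([][]byte{msgKey, medtunnelKey, thirdPartyKey}, nil)
	return hkdfSHA256([]byte(msgID), ikm, []byte("medtunnel-message-dek-v1"), keyLen), nil
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForStorage is what the server does on receipt (sending, step 3):
// draw a fresh per-message key, derive the DEK from all three shares, and
// seal the PHI with the message ID as associated data.
func EncryptForStorage(id string, phi, medtunnelKey, thirdPartyKey []byte) (*StoredMessage, error) {
	msgKey := make([]byte, keyLen)
	if _, err := rand.Read(msgKey); err != nil {
		return nil, err
	}
	dek, err := deriveDEK(msgKey, medtunnelKey, thirdPartyKey, id)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, phi, []byte(id))
	return &StoredMessage{ID: id, MsgKey: msgKey, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFromStorage is what the server does on retrieval (step 2). A wrong
// or missing share changes the DEK, so GCM's tag check fails and nothing is
// released; a tampered ciphertext or message ID fails the same way.
func DecryptFromStorage(m *StoredMessage, medtunnelKey, thirdPartyKey []byte) ([]byte, error) {
	dek, err := deriveDEK(m.MsgKey, medtunnelKey, thirdPartyKey, m.ID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, []byte(m.ID))
}

func main() {
	// Constructed keys and PHI for the demo; real shares would be generated
	// and held separately by MedTunnel and by the Independent Third Party.
	medtunnelKey := bytes.Repeat([]byte{0x11}, keyLen)
	thirdPartyKey := bytes.Repeat([]byte{0x22}, keyLen)
	phi := []byte("Jane Doe: A1c 7.2%, follow up in 3 months")
	stored, err := EncryptForStorage("msg-0001", phi, medtunnelKey, thirdPartyKey)
	if err != nil {
		panic(err)
	}
	if _, err := DecryptFromStorage(stored, medtunnelKey, nil); err != nil {
		fmt.Println("MedTunnel key alone:", err)
	}
	plain, _ := DecryptFromStorage(stored, medtunnelKey, thirdPartyKey)
	fmt.Println("all three keys:", string(plain))
}
```

The GCM tag, not the key-length check, is what actually enforces "all three keys required": feeding any wrong 32-byte value for a share still derives some key, but decryption then fails authentication rather than returning garbage. The per-message key guards against cross-message damage, as item 3.b intends, but it is stored next to the ciphertext and so adds nothing against an attacker who has the storage plus the two long-term shares.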

MedTunnel HIPAA Compliance Matrix

Revised 8/11/15