Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks
When ePHI travels across a network, it is vulnerable to interception. Unencrypted ePHI sent over email, transferred via HTTP, or transmitted across the internet without protection has been breached the moment it is captured by an unauthorized party, even if no one has viewed it yet. HIPAA requires covered entities to implement encryption for ePHI in transit and integrity controls to detect if transmitted data has been modified in transit. In practice, TLS is the baseline requirement for all ePHI transmission.
Implementation steps
1. Encrypt all ePHI transmitted over networks
Require TLS 1.2 or higher for all transmission of ePHI over any network, including internal networks. Disable older protocols (SSL, TLS 1.0, TLS 1.1) on all systems. Apply this to web applications, APIs, database connections, file transfers, and email. For email transmission of ePHI to external parties, use S/MIME, PGP, or a secure email gateway.
Tools: aws-acm, azure-tls, zscaler, proofpoint, mimecast
2. Protect ePHI in email communications
Email is a common channel for healthcare communications but is inherently insecure. Implement a secure email gateway that encrypts outbound email containing ePHI. Train workforce members to recognize when ePHI is being included in email and to use secure channels. Consider patient portal messaging as an alternative to email for patient-provider communications.
Tools: proofpoint, mimecast, microsoft-defender-for-office, zixmail
3. Secure remote access to ePHI systems
When workforce members access ePHI systems remotely (from home, while traveling, or at partner facilities), require an encrypted VPN or a zero-trust network access solution. Ensure that ePHI is not transmitted over unencrypted public Wi-Fi without VPN protection. Verify remote access configurations regularly.
Tools: cisco-anyconnect, zscaler, cloudflare-access, aws-vpn
4. Verify integrity of transmitted ePHI
For high-stakes ePHI transmissions such as care summaries, lab results, and prescriptions, implement integrity verification to detect whether data was modified in transit. TLS provides integrity checking during transmission. For file-based transfers, include checksums or use protocols that verify file integrity on receipt.
Tools: confluence
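Step 4 calls for checksums on file-based transfers. The following is an added example, not code from the original page, of a sender-side manifest and receiver-side verification in Python; the shared key and sample files are constructed, and the manifest is keyed with an HMAC (assuming the key is provisioned out of band) because a bare SHA-256 shipped beside a file detects accidental corruption but not a party who rewrites both the file and its checksum.

```python
import hashlib
import hmac
import json

# Constructed sample data: the key is assumed to be provisioned out of band
# (e.g. a secrets manager on both ends), never sent with the transfer itself.
SHARED_KEY = b"constructed-example-key-provisioned-out-of-band"
SAMPLE_FILES = {
    "lab_results_2024-05-01.hl7": b"MSH|^~\\&|LAB|HOSP|EHR|HOSP|20240501||ORU^R01|MSG0001|P|2.5\r",
    "care_summary.pdf": b"%PDF-1.7 constructed placeholder content",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes) -> bytes:
    """Sender side: record each file's SHA-256, then authenticate the whole
    manifest with an HMAC so neither the hashes nor the file list can be rewritten."""
    entries = {name: sha256_hex(content) for name, content in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def verify_transfer(manifest: bytes, files: dict[str, bytes], key: bytes) -> list[str]:
    """Receiver side: return integrity findings; an empty list means intact.
    The HMAC is checked first, so a forged manifest never drives the file checks."""
    try:
        doc = json.loads(manifest)
        entries, tag = doc["entries"], doc["hmac"]
        if not isinstance(entries, dict) or not isinstance(tag, str):
            raise TypeError("unexpected manifest shape")
    except (ValueError, KeyError, TypeError):
        return ["manifest is malformed"]
    body = json.dumps(entries, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    findings = []
    for name, digest in entries.items():
        if name not in files:
            findings.append(f"{name}: listed in manifest but not received")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            findings.append(f"{name}: content hash mismatch")
    for name in files:
        if name not in entries:
            findings.append(f"{name}: received but not in manifest")
    return findings
```

The findings list is what a receiving system would log and alert on; any non-empty result should block processing of the batch rather than just being recorded.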
Evidence required
TLS configuration evidence
Evidence that ePHI systems require TLS and that weak protocols are disabled.
- SSL/TLS scan results showing TLS 1.2+ and disabled older protocols
- Web server or load balancer TLS configuration
- API gateway TLS policy
Secure email configuration
Evidence of email encryption for ePHI transmission.
- Secure email gateway configuration
- Email encryption policy
- Patient portal usage as an alternative to email
VPN or remote access configuration
Evidence that remote access to ePHI requires encrypted connections.
- VPN policy and configuration
- Zero-trust access policy requiring encryption
Related controls
- Access Control: Implement technical policies and procedures to allow access to ePHI only to authorized persons or software programs
- Integrity: Implement policies and procedures to protect ePHI from improper alteration or destruction
- Workstation Security: Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users
- Audit Controls: Implement hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI