One of the capabilities of many business password managers is the ability to send encrypted messages to any recipient. Often this capability is used to securely share login credentials or other confidential data. But is it okay to share ePHI via a business password manager?
Over the past few years, the capabilities of business password managers – particularly vault-based password managers – have grown significantly. For example, whereas SSO integration was once big news, these days we are talking more about password-less logins and it has been estimated that biometric facial recognition hardware will be present in 90% of smartphones by 2024.
With regards to the ability to send encrypted messages, this first started as a means of sending passwords to users in the same business subscription. It evolved into sending notes, files, and other data to users in the same business subscription, and then further evolved to sending encrypted messages of any kind to any recipient regardless of whether they are using a password manager.
Why Share ePHI via a Business Password Manager?
There are many circumstances when healthcare providers or other members of a Covered Entity´s workforce need to send or request ePHI to or from a colleague or Business Associate. In many cases, the colleague or Business Associate may not be in the same communications network – raising the issue of how to transmit ePHI securely in compliance with the HIPAA Security Rule.
The most common forms of communication – such as SMS, IM, email, etc. – are not suitable because they lack the necessary features to fulfil the requirements of the Technical Safeguards – for example, access controls, automatic logoff, encryption, audit controls, etc. However, most business password managers do have the necessary features to send and receive ePHI compliantly.
These features enable users to share ePHI via a business password manager securely without risking an impermissible disclosure of ePHI and facilitate “the flow of health information needed to provide and promote high-quality healthcare” – a major goal of the HIPAA Privacy Rule. However, in order to share ePHI via a business password manager in full compliance with HIPAA, the vendor of the password manager must sign a Business Associate Agreement. Not all are willing to do so.
Is a Business Associate Agreement Necessary?
In 2016, the Department of Health & Human Services (HHS) published an FAQ regarding whether or not a Cloud Service Provider is excluded from the definition of a Business Associate if the Cloud Service Provider cannot access ePHI stored in the cloud because it is encrypted and the Cloud Service Provider does not have the decryption key.
The answer was that a Cloud Service Provider is not excluded under the “conduit exception rule” because conduits such as the U.S. Postal Service, Fed-Ex, and DHL are transmission services and the temporary storage of PHI while it is in the conduit´s possession is incident to the transmission, while the temporary storage of ePHI with a Cloud Service Provider is persistent.
HHS stated in the FAQ that “a Cloud Service Provider that maintains ePHI for the purpose of storing it will qualify as a Business Associate […] even if the Cloud Service Provider does not actually view the information”. Substitute password manager vendors for Cloud Service Providers, and it is clear a Business Associate Agreement is necessary to share ePHI via a business password manager.
Which Vendors will Sign a Business Associate Agreement?
Not many, despite claiming to have HIPAA-compliant password managers. 1Password and Keeper – the two most popular password managers in the U.S. – both state they do not qualify as Business Associates because of their zero knowledge architectures (which is incorrect). LastPass and NordPass have such incorrect information about HIPAA on their websites that we strongly suspect they don´t understand a Business Associate Agreement is necessary. Most others keep quiet about the issue.
Among those that do publicly state they are willing to sign a Business Associate Agreement, Bitwarden and Zoho Vault are the most well-known. Of the two, Zoho Vault is the most feature-rich; but at nearly 50% more expensive per user than Bitwarden, Zoho Vault could work out to be unnecessarily expensive if you are not going to use all the features you are paying for. Additionally, Bitwarden passed a HIPAA Security Rule Assessment Report conducted by AuditOne in 2020.
In conclusion, it is okay to share ePHI via a business password manager, provided that the password manager has been configured to comply with the Technical Safeguards of the Security Rule and the vendor of the password manager has signed a Business Associate Agreement. If the vendor is unwilling to sign a Business Associate Agreement, it is not possible to share ePHI via a business password manager without violating HIPAA.
The post Is it Okay to Share ePHI via a Business Password Manager? appeared first on HIPAA Journal.