Oct
21

E-mail encryption

Is it considered a violation of the privacy rule or a breach if a business associate sends an unsecure unencrypted e-mail containing PHI, including names and SSNs?

The assumptions are that: the e-mail was sent to an authorized individual, and that it meets the minimum necessary rule.  The topic for discussion: Is an unencrypted e-mail considered a breach?

Phyllis Haag

Comments

  1. Our policy has always been to encrypt PHI and we hold our business associates to that policy also.
    It has been our understanding that the sender of the PHI cannot be assured of the security of the email while it is in transit to the receiver if it is being transmitted over the internet.

  2. Frank Ruelas says:

    Phyllis,

    The sending of the email, in and of itself, is not a violation. The key is whether a covered entity’s risk assessment and analysis, in conjunction with the consideration of encryption as an addressable specification under the Security Rule, has determined and supported the covered entity’s decision not to encrypt email.

    Keep in mind that there are many encryption methods available that are easy and cost effective. To that end, it may be exceedingly difficult for a covered entity to show how its decision not to encrypt may be a good one.

    Good luck!

  3. Phyllis Haag says:

    The BA in this case did have an email encryption policy and method in place at the time the incident occurred and they notified us immediately – so there are no worries there. Where my concerns lie are with the new breach requirements under HITECH. Would we need to send notice?

    I have posed the same question to our attorneys but I am very interested to learn what others in the industry think about this situation.

    Thank you for all your great feedback.

    Phyllis

  4. KyCricket says:

    Can’t remember where, but I read somewhere that if the e-mail is in a group like a large health care campus, encryption is not likely needed.
    I understood that if emails are sent outside the group e-mail, this would/could be potentially vulnerable to hackers.

  5. Frank Ruelas says:

    Also keep in mind that though a covered entity that is not encrypting can certainly be in a position where they are in compliance with the Security Rule (by implementing other safeguards that provide equivalent protection exclusive of encryption), it can still be in a position to complete notifications under the HITECH Act requirements if a breach occurs.

    Frank

  6. FINN MULLIN says:

    What did the lawyers say?

  7. Frank Ruelas says:

    Finn,

    With all due respect to the legal community, I would be doubtful that a lawyer would disagree with many of the comments offered on this question given how encryption is presented in the Security Rule.

    Sincerely,
    Frank

  8. We are approached every week by healthcare providers to help with this very concern. Negative exposure from a data breach can lead to reduction in patient and physician confidence, civil lawsuits and government fines. If you create the content and email it to a business associate or partner, and that email is intercepted, and patient information is breached, then it is potentially your HCO’s name that appears on the data breach report, HHS website, press release about the breach, etc.

    Unencrypted emails that contain patient and/or confidential information are a risk every time. If you would not write it on the back of a postcard and send for everyone to read, then do not send the content in an unencrypted email.

    Just my 2 cents.

    Nicole Shingler
    nicole.shingler@stonebranch.com

  9. Frank Ruelas says:

    Let’s do keep in mind that a key here is how a covered entity’s designated individuals have assessed those risks associated with the emailing of PHI.

    If some folks subscribe to the postcard analogy that was used by the previous poster, then it is likely that covered entity will assign a much higher risk than a covered entity that may subscribe to a different perspective.

    To give some reference, I challenged many people who often said that sending an email is like sending a postcard where it could be intercepted, etc, etc, etc.

    I sent an email with an unencrypted message to an email account and offered a significant “reward” to anyone who could indicate what was in the email. It was a fun exercise in that many folks on some level saw that perhaps the intercepting of emails, etc was not as easy as people seemed to believe.

    The bottom line: covered entities should give this adequate attention and consideration. However, keep in mind that encryption is becoming so inexpensive (even free if one decides to use the encryption options often available in applications), it makes sense to add this additional element of security for all parties involved.

    Frank

  10. Alex Golimbievsky says:

    I agree with Frank in that encryption is getting extremely cost effective and if a breach occurs you had better have a good explanation of why you decided not to encrypt your ePHI.

    I just got off the phone with an attorney that specializes in HIPAA Security Rule and we spoke directly about emailing ePHI. He let me know HIPAA doesn’t require it (we know that), but you would have to have very convincing evidence as to another solution. Some of the other solutions are training the employees who handle ePHI, or creating a secure tunnel to a Business Associate you interact with (and send ePHI). In our case, neither were options b/c of the sheer volume of emails with ePHI we send out to the almost 100 insurance companies.

    He also noted that just because you comply with the Security Rule, it doesn’t mean you are covered with the Privacy Rule or Breach Notification in regards to email. The example he gave is this:

    We could have a full scale encryption solution implemented, our staff trained extensively and our Policies and Procedures air tight, but if one of our employees sends ePHI to the wrong recipient, it may still be a violation. Most email encryption companies replace the message with a web link for the recipient to register and log into and retrieve that message. It doesn’t confirm the identity of the intended recipient so anyone who mistakenly receives that email can register and access the email. In this case, we have done everything reasonable to comply with the Security Rule, but this example violated the Privacy Rule and, after an investigation, we may still need to notify those affected of a breach.

    Drives you nuts, but there it is. I hope this helps!

    Alex Golimbievsky

  11. Kim Johnson says:

    Hey Phyllis…glad to see you’re still out there kickin’! If you haven’t seen it already, HCPro put out a great whitepaper on the interim final rule. Title is “HHS Breach Notification Interim Final Rule”. Take care, Kim

  12. There is some wonderful info here I can certainly take note.

  13. Frank Ruelas says:

    Phyllis,

    I just realized after watching this thread that I didn’t offer a response to the question:
    “…The assumptions are that: the e-mail was sent to an authorized individual, and that it meets the minimum necessary rule. The topic for discussion: Is an unencrypted e-mail considered a breach?…”

    I believe we have covered the required vs addressable aspects of sending email with respect to encryption.

    You also asked if a notice would need to be sent. A key point to consider is whether a breach occurred to include using the harm threshold approach identified in the HITECH Act guidance which takes into account financial, reputational, or other harm.

    If not, then you would not need to send a notice from this perspective. You would also not have to log the breach on the log which you use throughout the year that needs to be submitted annually.

    Frank

  14. Phyllis Haag says:

    Frank,

    I agree with your statements and that is the direction we have taken.

    Thank you Frank and everyone who has participated in this thread. The information shared here has been invaluable.

    Thank you all again!

    Phyllis

  15. Thinking is flawed here, sorry but I don’t agree

  16. Frank Ruelas says:

    Meredith,

    I am glad to read that you offered your comment. When folks don’t agree, in my opinion, this often leads to some of the most useful and beneficial dialogue within these blogs because it can show how we differ in our respective thinking and approaches to a central question that was posed.

    So please….do go on and expand on your response as this may shed some light to us who read it on your thinking and why you disagreed.

    Frank

  17. Mike Dorbad says:

    Does anyone have any insight on the following issues:

    1. Is it OK to respond to an unencrypted email from a patient that is asking me to confirm their appointment?
    I’m thinking, no breach because even if the information was intercepted, it would not pose a significant risk to the patient.

    2. Is it OK for patients and clinicians to text each other in regards to patient care issues?

  18. Mike Dorbad says:

    Does anyone have any insight on the following issues:

    1. Is it OK to respond to an unencrypted email from a patient that is asking me to confirm their appointment?
    I’m thinking, no breach because even if the information was intercepted, it would not pose a significant risk to the patient.

    2. Is it OK for patients and clinicians to text each other in regards to patient care issues?

  19. Frank Ruelas says:

    Mike,

    Keep in mind that covered entities have a responsibility to safeguard privacy of PHI that they receive or disclose.

    One approach I am seeing more and more is that patients are agreeing with covered entities to receive emails or text messages that solely contain information related to an upcoming appointment. The messages are very brief and only specific to appt date, time, and a number to call with any questions.

    Example of text or email message sent to me:

    “Reminder. You have an appt scheduled for 1/23/10 at 1:00 PM. If you have any questions please call 555-555-5555.”

    Frank

  20. everson says:

    This is a great discussion on this highly nuanced issue. I hope some folk are still following the thread. I work for a 3rd party lab provider and we are debating this very issue heavily.

    I see physicians at major institutions sending all sorts of PHI via unencrypted email on a nearly daily basis. We are trying to prevent our staff from furthering the problem via forwarding or replying to these incoming messages.

    The points that I have made are similar to many of the previous posters:

    Sending an unencrypted email is exactly like sending a postcard! You have no way of knowing who may have viewed or accessed the info. I believe the law states that the burden of proof is on the Covered Entity to show that no one accessed or used the info. (A returned snail mail letter for example). This is nearly impossible with an email.

    To Frank’s earlier point on it being hard to intercept an email: this is true to a point. You have no way of knowing how many mail servers are involved in the transaction. It could be yours and theirs or it could be many others. What if they have a mail archiving service in place? All of your PHI is now in their digital archive? Any mail admin could see it if they so chose and you would never know.

    For a random third party to intercept the message is pretty hard. For an insider who does not have need to know it could be quite easy. (Mail admins have tools to read your emails! These are needed for debugging and/or compliance monitoring.) If an upstream ISP is performing debugging or testing and they read your message with PHI it is a breach. The problem is you will never know that this occurred until the information is used improperly!

    The only way to be sure that no one can intercept the message in flight from a technical point of view is to encrypt it. Of course this does nothing to ensure that the intended recipient received it so you could still potentially have a breach on your hands.

    Another concern that I have is what do I do with all of the incoming disclosures?

    Is anyone aware of requirements to report on these?

    If my staff did not commit the breach am I obligated to track and report it?

    How does one notify one’s customers that they may be in violation of HITECH and HIPAA if not their own institution’s policies?

    Talk about a quagmire. I have not seen any discussion of these topics and would love some guidance if anyone has anything that they could point me to.

    Thanks!

    -everson

  21. Frank Ruelas says:

    Everson,

    A nice takeaway from your postings is that I detect a nice illustration on how different folks see the same thing. Thanks for sharing.

    You asked for some input on a number of topics so I would like to offer at least the following:

    - Physicians sending unencrypted PHI through email.
    If your organization has a policy against this practice, enforce it. Being aware of noncompliance and not taking steps to correct it is a difficult position to have to defend. If not, be ready to tell a good story on why the decision, derived through the organization’s risk assessment and analysis decided not to encrypt.

    - If your staff does not commit a breach, I can’t see a reason for reporting this under the HITECH Act. However, if your staff commits an unauthorized disclosure or performs unauthorized access, there may be some actions you need to take (such as record this in an accounting of disclosures for the affected individuals) which are exclusive of breach notification requirements.

    - Notifying entities that may be in violation. A simple and simple communication may be in order. Be prepared with the who, what, why, when, where, and how that contributed to your conclusion that a violation has occurred so that the entity may respond if it decides to do so with internal actions to prevent a recurrence.

    Good luck!
    Frank

  22. Elizabeth says:

    Our policy is to always encrypt ePHI at rest and in transit. However, when sending an email reminder that it’s time to schedule a needed appointment, does the email address and name need to be encrypted? This process equates to sending an annual postcard that it’s time for your annual exam.

    Under HIPAA privacy, this “disclosure” was allowed. With HIPAA Security, encryption is addressable but under HITECH it becomes required – but at what level?