Is it considered a violation of the privacy rule or a breach if a business associate sends an unsecure unencrypted e-mail containing PHI, including names and SSNs?
The assumptions are that: the e-mail was sent to an authorized individual, and that it meets the minimum necessary rule. The topic for discussion: Is an unencrypted e-mail considered a breach?
Phyllis Haag
Our policy has always been to encrypt PHI and we hold our business associates to that policy also.
It has been our understanding that the sender of the PHI cannot be assured of the security of the email while it is in transit to the receiver if it is being transmitted over the internet.
Phyllis,
The sending of the email, in and of itself, is not a violation. The key is whether a covered entity’s risk assessment and analysis, in conjunction with the consideration of encryption as an addressable specification under the Security Rule, has determined and supported the covered entity’s decision not to encrypt email.
Keep in mind that there are many encryption methods available that are easy and cost effective. To that end, it may be exceedingly difficult for a covered entity to show how its decision not to encrypt may be a good one.
Good luck!
The BA in this case did have an email encryption policy and method in place at the time the incident occurred and they notified us immediately, so there are no worries there. Where my concerns lie are with the new breach requirements under HITECH. Would we need to send notice?
I have posed the same question to our attorneys but I am very interested to learn what others in the industry think about this situation.
Thank you for all your great feedback.
Phyllis
Can’t remember where, but I read somewhere that if the e-mail stays within a group like a large health care campus, encryption is not likely needed.
I understood that if emails are sent outside the group e-mail, this would/could be potentially vulnerable to hackers.
Also keep in mind that a covered entity that is not encrypting can certainly be in a position where it is in compliance with the Security Rule (by implementing other safeguards that provide equivalent protection exclusive of encryption) but can still be in a position to complete notifications under the HITECH Act requirements if a breach occurs.
Frank
What did the lawyers say?
Finn,
With all due respect to the legal community, I would be doubtful that a lawyer would disagree with many of the comments offered on this question, given how encryption is presented in the Security Rule.
Sincerely,
Frank
We are approached every week by healthcare providers to help with this very concern. Negative exposure from a data breach can lead to reduction in patient and physician confidence, civil lawsuits and government fines. If you create the content and email it to a business associate or partner, and that email is intercepted, and patient information is breached, then it is potentially your HCO’s name that appears on the data breach report, HHS website, press release about the breach, etc.
Unencrypted emails that contain patient and/or confidential information are a risk every time. If you would not write it on the back of a postcard and send it for everyone to read, then do not send the content in an unencrypted email.
Just my 2 cents.
Nicole Shingler
nicole.shingler@stonebranch.com
Let’s do keep in mind that a key here is how a covered entity’s designated individuals have assessed those risks associated with the emailing of PHI.
If some folks subscribe to the postcard analogy that was used by the previous poster, then it is likely that covered entity will assign a much higher risk than a covered entity that may subscribe to a different perspective.
To give some reference, I challenged many people who often said that sending an email is like sending a postcard where it could be intercepted, etc.
I sent an email with an unencrypted message to an email account and offered a significant “reward” to anyone who could indicate what was in the email. It was a fun exercise in that many folks on some level saw that perhaps the intercepting of emails was not as easy as people seemed to believe.
The bottom line: covered entities should give this adequate attention and consideration. However, keep in mind that encryption is becoming so inexpensive (even free if one decides to use the encryption options often available in applications) that it makes sense to add this additional element of security for all parties involved.
Frank
I agree with Frank in that encryption is getting extremely cost effective and if a breach occurs you had better have a good explanation of why you decided not to encrypt your ePHI.
I just got off the phone with an attorney who specializes in the HIPAA Security Rule and we spoke directly about emailing ePHI. He let me know HIPAA doesn’t require it (we know that), but you would have to have very convincing evidence as to another solution. Some of the other solutions are training the employees who handle ePHI, or creating a secure tunnel to a Business Associate you interact with (and send ePHI to). In our case, neither was an option because of the sheer volume of emails with ePHI we send out to almost 100 insurance companies.
He also noted that just because you comply with the Security Rule, it doesn’t mean you are covered with the Privacy Rule or Breach Notification in regards to email. The example he gave is this:
We could have a full-scale encryption solution implemented, our staff trained extensively and our Policies and Procedures airtight, but if one of our employees sends ePHI to the wrong recipient, it may still be a violation. Most email encryption companies replace the message with a web link for the recipient to register and log into and retrieve that message. It doesn’t confirm the identity of the intended recipient, so anyone who mistakenly receives that email can register and access the message. In this case, we have done everything reasonable to comply with the Security Rule, but this example violated the Privacy Rule and, after an investigation, we may still need to notify those affected of a breach.
Drives you nuts, but there it is. I hope this helps!
Alex Golimbievsky
Hey Phyllis…glad to see you’re still out there kickin’! If you haven’t seen it already, HCPro put out a great whitepaper on the interim final rule. Title is “HHS Breach Notification Interim Final Rule”. Take care, Kim