Are healthcare providers violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 when a patient's protected health information is e-mailed?1 They could be if they are not complying with the HIPAA Security Rule.2 Nonadherent healthcare providers could face sizeable monetary penalties. To help healthcare providers avoid these penalties, this article focuses on an overview of the HIPAA Security Rule and specific steps that can be taken to safeguard patients' protected health information.
Protected health information and electronic protected health information
HIPAA's Privacy Rule requires healthcare providers to maintain the confidentiality of a patient's protected health information (PHI).3 PHI is information that is created or received by certain healthcare providers, health plans, or healthcare clearinghouses that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; the past, present, or future payment for the provision of healthcare to an individual; or information that identifies an individual or where there is a reasonable basis to believe the information can be used to identify an individual.4 PHI includes an individual's demographic information, such as age, date of birth, Social Security number, address, telephone number, or other information that could reasonably be used to identify an individual.4
Electronic protected health information (ePHI) is regulated by the HIPAA Security Rule and specifically applies to PHI that is either: stored electronically, including storage devices, such as hard drives and removable and transportable memory devices (magnetic tapes, optical discs, thumb drives, or memory cards); or transmitted from the storage devices described above via the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, or by the physical movement of removable/transportable electronic storage media.5 The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of ePHI.6
Conveying PHI in paper format, by facsimile, by telephone, or in person is not considered to be a transmission via electronic media because the information exchanged did not exist in electronic form before the transmission.4 PHI in paper form is not regulated by the HIPAA Security Rule but rather by the HIPAA Privacy Rule.
E-mailing PHI
Healthcare providers must conduct themselves within the parameters of their Notices of Privacy Practices (NPP).7 Each healthcare provider's NPP must be individualized to reflect how PHI will be used and disclosed in their practice setting. Before e-mailing PHI, healthcare providers should ensure their NPP allows for such e-mail transmissions. If an office's NPP provides that PHI may not be transmitted via e-mail without an individual's prior written consent, the healthcare provider must obtain a patient's consent prior to e-mailing PHI. All patients' written consents for e-mail transmissions should be maintained as part of the patients' medical records.
Consider alternatives to e-mailing. Before e-mailing PHI to a patient or another healthcare provider, always consider whether the information could be conveyed just as effectively in person or by telephone. A telephone call to a patient or another healthcare provider may be just as effective, and because no PHI is transmitted electronically, that disclosure is governed by the Privacy Rule rather than by the transmission requirements of the HIPAA Security Rule.
Who is the intended recipient? Before sending PHI electronically, take a precautionary step and send a test e-mail that contains no PHI to confirm the e-mail address is correct. When e-mailing to a patient's home e-mail address, healthcare providers must ensure the address is not accessible by other individuals, such as a joint spousal account or a family e-mail address. For e-mail transmissions to a patient's personal e-mail address, always confirm the correctness of the e-mail address with the patient, and document accordingly in the medical record.
To encrypt or not to encrypt? HIPAA does not strictly require healthcare providers to encrypt PHI when transmitting it electronically; under the Security Rule, encryption is an "addressable" specification, meaning a provider must implement it where reasonable and appropriate or document why it is not and what equivalent measure is used instead.8 Healthcare providers should therefore weigh the cost of appropriate security measures, including hardware and software encryption costs, against the likelihood and impact of the risks of transmitting ePHI. If the decision is made to invest in encryption, choose products whose encryption follows National Institute of Standards and Technology (NIST) guidance; the HHS breach notification guidance treats PHI as secured only when it is encrypted consistent with NIST publications.
If patients request that unencrypted PHI be sent to them via e-mail, healthcare providers should advise them of the risk that the ePHI could be read by a third party as a result of the electronic transmission.9 If patients are advised of this risk and still prefer unencrypted e-mail, they have the right to receive the unencrypted PHI per their request, and healthcare providers are not responsible for unauthorized access of PHI during such transmissions.9 Healthcare providers should document in the medical record that the risk of sending unencrypted e-mail to a patient was explained, and the patient continued to request that unencrypted PHI be sent.
Learn from others' security data breaches
The U.S. Department of Health and Human Services' Office for Civil Rights is responsible for investigating and enforcing HIPAA violations. In January 2015, Anthem, Inc. (previously known as WellPoint, Inc.) discovered one of the largest health data breaches on record. The Federal Bureau of Investigation investigated; initial estimates of approximately 37 million compromised records were later revised to close to 78.8 million affected individuals. While the persons responsible for the cyberattack have not been identified, it is widely believed to have been a state-sponsored attack by Chinese hackers.10
Although the Anthem cyberattack was an unprecedented breach of health information, many HIPAA breaches result when electronic media are compromised, improperly disposed of, misplaced, or stolen. For example:
* In 2013, Anthem, Inc. (known as WellPoint, Inc. at the time) paid the federal government $1.7 million for a 2010 security breach of an online database that left the ePHI of 612,402 individuals accessible to the public over the Internet.11
* Affinity Health Plan was required to pay the federal government $1.2 million when the plan failed to wipe the hard drive of a leased copy machine before returning it at the end of the lease. This exposed the ePHI of over 340,000 individuals.12
* Idaho State University was fined $400,000 in 2013 after a disabled software firewall left 17,500 patients' ePHI unsecured for over 10 months.13
* Adult and Pediatric Dermatology, P.C. paid $150,000 when an unencrypted thumb drive containing the ePHI of 2,200 patients was stolen from a staff member's vehicle.14
Practical steps to ensure the security of ePHI
Follow these steps to ensure ePHI is secure when sent via e-mail:
* Establish office policies and procedures to maintain the security of PHI (including who has access to PHI, policies on e-mailing ePHI, and disposal of electronic media).
* Blind carbon copy recipients on e-mails when communicating with multiple individuals.15 Failure to do this allows all e-mail recipients to learn the identity of others receiving the e-mail. Errors such as this have led to the U.S. Department of Health and Human Services' Office for Civil Rights imposing corrective actions on organizations and individual physicians. For example, in California, Tulare County Health & Human Services Agency improperly disclosed the identity of 845 individuals; St. Francis Hospital in Georgia violated HIPAA by disclosing 1,175 individuals' e-mail addresses in a joint e-mail; and Dr. Jeff Spiegel, a physician in Massachusetts, exposed the identity of 832 individuals when sending out promotional information.16
* Check recipients' e-mail addresses and attachments before sending, particularly before sending numerous files to numerous recipients.15 This was not done when a private medical office practice attached confidential information of 10,200 current and former patients in an e-mail sent to 200 patients. Included in the attachment were the names, home addresses, appointment dates, scheduling codes, primary physicians, referring physicians, and e-mail addresses of 10,200 individuals.17
* Evaluate the costs/benefits of encrypting office computer systems. If it is too costly, consider nonelectronic means of communicating information to patients.
* Avoid sending PHI to/from a personal e-mail account.15 In Pennsylvania, a physician e-mailed unencrypted PHI to his personal e-mail account in order to finish analyzing data at home. After the hospital notified the physician that this was inappropriate, the physician contacted his home e-mail provider to have the PHI deleted from his personal account and home computer.18
* Instruct all employees to immediately contact the information technology staff if they suspect a possible breach of data.
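The recipient, Bcc, personal-account and attachment checks in the steps above can be run automatically against a draft before it leaves the practice. The following is an added example written for this article, not code from the article or from any vendor product; the practice domain (example-clinic.example), the sample patient addresses and the roster attachment are constructed for illustration, and the only PHI marker it looks for is a Social Security number pattern, which a real deployment would extend.

```python
"""Pre-send policy checks for an e-mail that may carry PHI (added example).

Assumptions not taken from the article: the practice's own mail domain is
example-clinic.example, attachments are passed as (filename, bytes) pairs, and
an SSN-shaped string is treated as a PHI indicator.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

PRACTICE_DOMAIN = "example-clinic.example"            # assumed practice domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")         # crude PHI marker


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def recipients_by_header(msg):
    """Lower-cased addresses per header, parsed with getaddresses (handles display names)."""
    return {
        hdr: [addr.lower() for _, addr in getaddresses(msg.get_all(hdr, []))]
        for hdr in ("To", "Cc", "Bcc")
    }


def check_draft(msg, attachments, confirmed_addresses):
    """Return a list of policy findings for a draft; an empty list means it may be sent.

    confirmed_addresses: patient addresses that were confirmed with the patient and
    documented in the record, as the article's recipient step requires.
    """
    findings = []
    rcpts = recipients_by_header(msg)
    confirmed = {a.lower() for a in confirmed_addresses}

    # Step: never send PHI from a personal account.
    for _, sender in getaddresses(msg.get_all("From", [])):
        if _domain(sender) != PRACTICE_DOMAIN:
            findings.append(f"sender {sender} is not a practice account")

    # Step: Bcc when writing to several people. Every To/Cc address is shown to every
    # other recipient, so more than one outside address there discloses who is a patient.
    visible_external = [a for a in rcpts["To"] + rcpts["Cc"] if _domain(a) != PRACTICE_DOMAIN]
    if len(visible_external) > 1:
        findings.append(f"{len(visible_external)} outside recipients visible in To/Cc; move them to Bcc")

    # Step: confirm each outside recipient's address before PHI goes to it.
    for addr in rcpts["To"] + rcpts["Cc"] + rcpts["Bcc"]:
        if _domain(addr) != PRACTICE_DOMAIN and addr not in confirmed:
            findings.append(f"recipient {addr} not confirmed with patient and documented")

    # Step: check attachments, especially bulk files going to many recipients.
    total_rcpts = sum(len(v) for v in rcpts.values())
    for name, data in attachments:
        text = data.decode("utf-8", errors="ignore")
        hits = len(SSN_RE.findall(text))
        if hits:
            findings.append(f"attachment {name} contains {hits} SSN-like value(s) in clear text")
        rows = text.count("\n")
        if rows > 100 and total_rcpts > 1:
            findings.append(f"attachment {name} looks like a bulk roster ({rows} lines) sent to {total_rcpts} recipients")
    return findings


def envelope_and_headers(msg):
    """Split a draft into SMTP envelope recipients and the headers actually transmitted.

    Bcc addresses go only into the envelope; the Bcc header is stripped from the copy
    that is sent (smtplib.send_message does the same), so recipients cannot see it.
    """
    rcpts = recipients_by_header(msg)
    envelope = sorted(set(rcpts["To"] + rcpts["Cc"] + rcpts["Bcc"]))
    outgoing = message_from_bytes(msg.as_bytes(), policy=policy.default)
    del outgoing["Bcc"]
    del outgoing["Resent-Bcc"]
    return envelope, outgoing


def build_draft(sender, to, bcc, body):
    """Small helper so the example and its checks build drafts the same way."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if bcc:
        msg["Bcc"] = bcc
    msg["Subject"] = "Appointment reminder"
    msg.set_content(body)
    return msg


def demo():
    """Constructed sample (not real data): a reminder addressed to two patients in To."""
    msg = build_draft("frontdesk@example-clinic.example",
                      "alice.patient@gmail.com, bob.patient@yahoo.com", None,
                      "See attached schedule.")
    roster = b"name,ssn\nAlice Patient,123-45-6789\n"   # constructed attachment
    return check_draft(msg, [("schedule.csv", roster)],
                       confirmed_addresses=["alice.patient@gmail.com"])


if __name__ == "__main__":
    for finding in demo():
        print("BLOCKED:", finding)
```

Running the script reports three findings for the constructed draft: two outside patients visible in To, Bob's address never confirmed, and an SSN in the attachment. A draft that puts both patients in Bcc, uses confirmed addresses and carries no identifiers passes with no findings, and envelope_and_headers shows that the Bcc addresses still receive the mail while the transmitted headers no longer name them.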
Common sense approaches to the use and disclosure of PHI, together with office policies and procedures in which all staff are trained, will go a long way toward maintaining the privacy of patient PHI and minimizing HIPAA security breaches.
REFERENCES