Email: The Biggest Culprit of HIPAA Noncompliance

by Alex Hirsch (SU)

In our last blog, I made a passing mention of how email is a potential source of compromised ePHI (electronic protected health information). In fact, the professional email accounts of medical employees are the MOST common source of vulnerability.

In today’s article, we take a closer look at why that is, how one wrong click can have a devastating impact on your organization, and where strict HIPAA compliance plays a key role in keeping everyone involved safer.

HIPAA, Email, and the Case of Butler County, Ohio

No matter how many advances in technology we as a society have made, email still remains the go-to method of communication across health care facilities and departments – both internal and external. Because the use of email is so common, HIPAA compliance needs to start there, and that means staying within the most recently updated regulations. 

Only recently, an employee of Butler County, Ohio, was suspended after emailing a spreadsheet containing personal information of county employees. The document included hidden columns holding the personal information of 1,350 employees.

The HIPAA breach included employee names, insurance identification numbers, and information about their participation in the county Wellness Program. The spreadsheet did not include any passwords or social security numbers.

It was determined that there was no nefarious intent. Nevertheless, this leak affected many people in a way that finally warranted suspension of the employee, several months after the fact.
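The Butler County leak came from columns that were hidden rather than removed, so a pre-send check that surfaces hidden content is one practical mitigation. As an added example (not from the original post or any product the author offers), here is a standard-library-only Python check that opens an .xlsx, which is a zip archive of XML parts, and reports hidden sheets, column ranges and rows; the workbook it inspects is constructed inline and the sheet names are made up.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def col_letter(n):  # 1-based column index -> spreadsheet letters (1 -> A, 27 -> AA)
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(65 + rem) + s
    return s

def find_hidden(xlsx_bytes):
    """Return findings naming every hidden sheet, column range and row in an .xlsx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.iterfind("m:sheets/m:sheet", NS):
            state = sh.get("state", "visible")  # "hidden" or "veryHidden" when not shown
            if state != "visible":
                findings.append(f"sheet '{sh.get('name')}' is {state}")
        for part in sorted(n for n in z.namelist() if re.match(r"xl/worksheets/sheet\d+\.xml$", n)):
            ws = ET.fromstring(z.read(part))
            label = part.rsplit("/", 1)[1]
            for col in ws.iterfind("m:cols/m:col", NS):  # one <col> covers columns min..max
                if col.get("hidden") in ("1", "true"):
                    lo, hi = col_letter(int(col.get("min"))), col_letter(int(col.get("max")))
                    findings.append(f"{label}: columns {lo}-{hi} hidden")
            for row in ws.iterfind("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(f"{label}: row {row.get('r')} hidden")
    return findings

# Constructed sample workbook: only the zip parts this check reads (a real file has more).
_MAIN = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
WORKBOOK_XML = (f'<workbook {_MAIN}><sheets><sheet name="Roster" sheetId="1"/>'
                '<sheet name="Wellness" sheetId="2" state="hidden"/></sheets></workbook>')
SHEET1_XML = (f'<worksheet {_MAIN}><cols><col min="1" max="1"/><col min="3" max="4" hidden="1"/>'
              '</cols><sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
              '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>x</t></is></c></row>'
              '</sheetData></worksheet>')

def build_sample_xlsx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
    return buf.getvalue()
```

Run `find_hidden` over an attachment before it leaves the organisation; any non-empty result is a reason to stop and review what the hidden cells contain.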

HIPAA and Email Security

HIPAA email compliance starts with secure messaging. With secure messaging, facilities are able to send multiple types of media in an encrypted form that protects both the sender and the recipient. 

According to the updated HIPAA regulations, it is strongly recommended that all data be encrypted both in transit and at rest. Health care facilities are required to guard against any unauthorized access to patient health information (PHI) of any kind, over any channel. 

This mandate, of course, includes email, and protecting it matters all the more because email is so widely used. Without proper HIPAA-compliant email security, unencrypted transmission leaves PHI open to compromise. Once in place, HIPAA-compliant email security software lets staff safely communicate patient PHI with colleagues and patients, whether inside or outside the hospital or practice.

It’s important to remember that, according to the U.S. Department of Health & Human Services (HHS), the Security Rule does not say that providers must never use email to send ePHI. However, practices and medical providers are required to have (and implement at all times) strict policies to control and protect the security and integrity of this information, and to prevent unauthorized access. 

These requirements are delineated in the following sections of the regulation:

  • Access: 45 CFR § 164.312(a)
  • Integrity: 45 CFR § 164.312(c)(1)
  • Transmission: 45 CFR § 164.312(e)(1)

The transmission standard includes specifications for encrypting data. The practice must therefore analyze its usage of open networks, identify how to protect the transmission of all ePHI, determine the proper solution, and document the solution.

“The Security Rule allows for ePHI to be sent over an electronic open network as long as it is adequately protected.”

This portion of the regulation is particularly worth keeping in mind.

HIPAA stipulates that not only must the sending of messages be encrypted, but all components of a facility’s mail exchange must be encrypted as well. The security of routers, mail servers, sender inboxes, and even recipient inboxes can be handled by implementing HIPAA-compliant email security.

Consultants in Email Compliance for Your Medical Practice

Is your company protected to the fullest extent that the law requires? Don’t be held liable for a data breach. Request a consultation on what can be done to secure your internal and external communications. You can also call us at (800) 733-6379.

We will make sure you’re in compliance with HIPAA, obeying the law, and – most importantly – keeping your client and employee data safe.