Are Your Practice’s Emails Violating HIPAA?

With the potential for up to $250,000 in fines and up to ten years of imprisonment, violating HIPAA compliance regulations is no small matter. But even with these serious consequences looming, many healthcare facilities engage in questionable practices when it comes to sharing patient information, particularly by email. So here is the question we are raising: Is it against HIPAA Regulations to include patient name, patient ID or subscriber info in an unencrypted email to a vendor?

Most, if not all, medical facilities have vendors for insurance verification, medical records, patient payments, patient billing, etc. If the facility has a question for their vendor in regards to a particular patient transaction with that vendor, is it against HIPAA Regulations to include patient name, patient ID or subscriber info in an email to the vendor?

Obviously, emailing vendors with patient info is not best practice, but does it violate HIPAA regulations? When I posed this question to colleagues, surprisingly many felt the situation fell into a grey area. To discuss this we must first break the situation down into two questions: What constitutes Protected Health Information (PHI)? And is PHI actually being sent?

What constitutes PHI?

Under the HIPAA Privacy Rule, protected health information (PHI) refers to “individually identifiable health information.” Individually identifiable health information is that which can be linked to a particular person. Specifically, this information can relate to:

•    The individual’s past, present or future physical or mental health or condition,

•    The provision of health care to the individual, or,

•    The past, present, or future payment for the provision of health care to the individual.

Common identifiers of health information include names, social security numbers, addresses, and birth dates.

Is PHI being sent?

Sending an unencrypted/unsecured email saying something like “I have a question about Keyser Soze’s payment on 9/2/2013…” in itself is not a HIPAA violation. The email simply states this person made a payment on this date, thus it does not violate HIPAA regulations. However, if that unencrypted email continues on to mention a diagnosis or procedure, then there is a problem.
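A practical way to apply the distinction above is a pre-send check on the message body, the kind of rule an outbound data-loss-prevention (DLP) filter applies before a message leaves the practice. The following shell function is an added example, not code from the original post, and its patterns are illustrative assumptions rather than any HIPAA standard: it blocks a message that carries a clinical reference (diagnosis, procedure, medication) or a Social Security number, routes a message with a patient/subscriber identifier, date of birth or payment reference to human review, and passes everything else. The sample messages are constructed; the identifier formats (for example "subscriber ID" followed by digits) are assumptions a real practice would replace with its own.

```shell
#!/bin/sh
# Heuristic outbound-email check (added example, not from the original post).
# All patterns below are illustrative assumptions, not a regulatory definition.

# Social Security number shape: block on sight.
SSN_RE='[0-9]{3}-[0-9]{2}-[0-9]{4}'
# Clinical context: the post's "diagnosis or procedure" case. Word stems, so
# "diagnosis", "diagnosed", "surgery" and "surgeries" all match.
CLINICAL_RE='diagnos|procedure|surger|prescri|medication|treatment'
# Other direct identifiers (assumed formats): DOB, patient/subscriber/member ID, MRN.
IDENT_RE='(dob|date of birth)[^0-9]{0,5}[0-9]{1,2}/[0-9]{1,2}/[0-9]{2,4}|(patient|subscriber|member|policy) ?(id|#|number)[^0-9]{0,3}[0-9]{4,}|mrn[^0-9]{0,3}[0-9]{4,}'
# Payment-for-care references: identifiable per the PHI definition, so they go to review.
FINANCIAL_RE='(payment|claim|copay|eob)s?'

# classify_message BODY  ->  prints "block", "review" or "ok"
classify_message() {
  body="$1"
  if printf '%s' "$body" | grep -qiE "$SSN_RE|$CLINICAL_RE"; then
    echo block
  elif printf '%s' "$body" | grep -qiE "$IDENT_RE"; then
    echo review
  elif printf '%s' "$body" | grep -qiwE "$FINANCIAL_RE"; then
    echo review
  else
    echo ok
  fi
}

# Constructed sample messages, run when the script is executed directly.
for msg in \
  "I have a question about Keyser Soze's payment on 9/2/2013" \
  "Keyser Soze, subscriber ID 4471023, was seen for a knee procedure; please reprocess the claim" \
  "Patient ID 55012 has a question about her balance" \
  "Can you send the updated fee schedule for 2014?"
do
  printf '%-7s %s\n' "$(classify_message "$msg")" "$msg"
done
```

Note that the post's own "payment on 9/2/2013" example lands in "review" rather than "ok": a regex cannot recognise a patient's name, and the PHI definition above includes payment for the provision of health care, so a human decision is the safe default for that grey-area case.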

The 2013 Cost of Data Breach Study attributes 35% of breaches in 2012 to human error, such as employees mishandling confidential data. It is imperative that employees know and understand HIPAA regulations. Fines can range anywhere from $100 to $50,000 per violation, even when the individual did not know that he/she violated HIPAA.

The best safeguard is to send encrypted emails. Encrypted emails protect patient information so that only the intended recipient can read the message contents.

How do you encrypt an email? The process is different depending on which type of email client you are using. Here is a great article by PCWorld.com on encrypting emails.

For more information on how to encrypt emails, contact your email client's vendor or support desk for help walking through the process.
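Whatever the client, the underlying mechanism is the same: the sender encrypts to the recipient's public certificate and only the recipient's private key can open the message. The script below is an added example, not from the original post or the PCWorld article, showing that round trip with the OpenSSL command-line tool (S/MIME with AES-256). It assumes the `openssl` binary is installed, and it generates a throwaway self-signed certificate for the "vendor" so it runs offline; in practice the vendor supplies its S/MIME certificate and never shares the private key. The message text is constructed.

```shell
#!/bin/sh
# S/MIME encrypt/decrypt round trip with OpenSSL (added example, not from the original post).
# Assumes the openssl command-line tool is available. The vendor key pair is generated
# here only for demonstration; a real recipient keeps its own private key.

# smime_roundtrip MESSAGE  ->  prints the decrypted message, exit 1 on any failure
smime_roundtrip() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  work=$(mktemp -d) || return 1

  # 1. Recipient side: self-signed certificate plus private key (constructed, throwaway).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=vendor-billing.example" \
    -keyout "$work/vendor.key" -out "$work/vendor.crt" >/dev/null 2>&1 || return 1

  # 2. Sender side: encrypt the body to the recipient's certificate only.
  #    -binary keeps the bytes exactly as written (no CRLF canonicalisation).
  printf '%s\n' "$1" > "$work/body.txt"
  openssl smime -encrypt -binary -aes256 \
    -in "$work/body.txt" -out "$work/body.p7m" "$work/vendor.crt" || return 1

  # Sanity check: the ciphertext an email client would carry must not contain the plaintext.
  if grep -qF "$1" "$work/body.p7m"; then
    echo "plaintext leaked into the encrypted part" >&2
    return 1
  fi

  # 3. Recipient side: only the private key matching the certificate can decrypt.
  openssl smime -decrypt -binary -in "$work/body.p7m" \
    -recip "$work/vendor.crt" -inkey "$work/vendor.key" || return 1

  rm -rf "$work"
}

# Run directly: shows the decrypted text the vendor would see.
smime_roundtrip "Question about the claim for subscriber ID 4471023 (constructed sample)"
```

The intermediate `body.p7m` file is what travels over the wire; it is base64-encoded ciphertext, which is why the `grep` check in step 2 never finds the patient reference in it.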

Allowing practice staff to continually operate in the “grey area” of HIPAA compliance puts the entire organization at great risk of fines or even imprisonment.

Sources: www.hhs.gov, www4.symantec.com, www.ama-assn.org