HIPAA and eMail: A Compliance Nightmare?

Security Focuses on Protections and Safety Measures

By Matthew Fisher
Twitter: @matt_r_fisher

In the world of HIPAA, concerns of privacy and security are of paramount importance. Privacy focuses upon how protected health information (“PHI”) may be used or disclosed. Security focuses upon the protections and safety measures implemented to protect the privacy of PHI. One of the biggest risks posed to both the privacy and security of PHI is email. The use of email is commonplace and widespread in both business and everyday life. However, consideration must be given to when and how PHI may be transmitted via email.

Generally, email transmits information in an electronic and unprotected form. The sender types a message, enters a recipient’s address, and hits send. Once the message is sent, it is communicated over the internet in an unencrypted fashion. If the email were unintentionally sent to the incorrect recipient or intercepted by any other person, the unintended recipient or intervening party would likely be able to read the message. If that were to occur, it would probably be considered a breach of the HIPAA requirements.

In light of the risk posed by email, a threshold question should be asked: does the PHI even need to be sent by email? If the answer is no, then an entity may avoid the headaches of determining whether its email system complies with HIPAA, though it should still consider security measures for the alternative method used. For instance, a telephone call may be sufficient in certain circumstances and offers the opportunity to avoid sending PHI by email. Another question to ask is whether it is even necessary to include PHI in the email. Can the email be drafted in a way that does not include the hallmarks of what constitutes PHI? If PHI does need to be included in the email, can the amount be limited? Always remember that the minimum necessary requirement should guide the extent of disclosure of PHI.

In the event that email will be used, the HIPAA Security Rule sets forth certain technical safeguards to ensure the protection of PHI. From this perspective, the Security Rule contains the minimum requirements to ensure proper security. It is important to remember that the Security Rule calls for reasonable protections. Accordingly, compliance is not a one-size-fits-all approach. Instead, each organization needs to consider its own operations and vulnerabilities and then craft its security policies to fit its needs.

The Breach Notification Rule, another part of the HIPAA regulatory scheme, provides a major carrot for encryption because notification in the event of a breach is only specifically required for unsecured PHI. If electronic PHI is encrypted, then it is considered secured and any unpermitted use or disclosure will not necessarily result in the full scope of the breach notification rule coming into play.

Given the confluence of the Security Rule and Breach Notification Rule, as a first step any email containing PHI should likely be sent in an encrypted manner. This could mean, among other things, using a service that allows for the transmittal of secured emails or some other ability to encrypt the actual email being sent.

However, the simple message of “encrypt your emails” is not the end of the story. Encryption may not always be possible, or arguably even required. As indicated above, the Security Rule adopts a flexible approach, combining required and addressable components. Depending upon the size and sophistication of the entity, encryption may potentially not be a viable option. I would not put much stock in this argument going forward, though, given the prevalent discussion of this issue and the increasing number of options for “HIPAA compliant” messaging. An entity may also consider the level of risk involved in sending the PHI to a particular destination. If a good faith argument can be made that the level of risk is low, then maybe that is a factor in favor of not needing encryption. One good tip would be to always verify the address of the individual and/or entity to which the PHI is being sent. All of us have been guilty of sending a message to the wrong person at one time or another, but if that mistake can be limited to instances where PHI is not transmitted, then HIPAA will not need to be considered.

One important exception to security must be brought into focus. Under HIPAA, individuals are entitled to request how they want to receive their own information. For example, if an individual requests a copy of their PHI and the PHI is maintained in an electronic form, the copy is also to be provided in electronic form. Further, when the electronic version is sent, it is to be sent in the manner specifically requested by the individual. This means that an individual can ask for the PHI to be sent via email in any manner desired by the individual. For example, if I wanted to receive my PHI from my physician, I could request that the information be sent to my Gmail account. Generally, Gmail is not encrypted and as such would not be a secure form in which to receive the information. However, the physician I contact must follow my instructions. As such, in this instance, the PHI may be sent in an unsecured manner.

Even though an individual is entitled to request how their PHI is sent to them, it would still be advisable for the entity subject to HIPAA’s requirements to advise the recipient of the dangers and to fully document the individual’s specific request in its records to avoid potential issues down the road. Remember, the individual may not recall the specifics of their request, and it may be easy to point the finger later on. Contemporaneous documentation, therefore, can take on a lot of importance.

As this brief discussion demonstrates, nothing is ever simple or black and white when it comes to HIPAA. Do not assume that HIPAA will prevent certain actions. Consider the request or question, review the policies and procedures that are in place, and if necessary go back to the regulations or available guidance. A detailed understanding of the regulations is necessary for an entity to remain in compliance and keep everyone that it interacts with happy.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.