HIPAA

Unencrypted emails

  • 1.  Unencrypted emails

    Posted 06-30-2020 02:26 PM

    How do others handle emails containing PHI that may accidentally get sent out unencrypted?  I would consider this a breach, based on a risk assessment, even if there is no evidence it ended up in the wrong hands.  I would also consider 1 breach affecting 5 patients to be 5 breaches for reporting purposes?



    ------------------------------
    Leigh Wright
    Director of Privacy & Compliance
    Simplified Medical Management
    Tuscaloosa, AL
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Unencrypted emails

    Posted 07-01-2020 10:03 AM
    Hi Leigh,

    Encryption is not required by HIPAA and the definition of a breach of PHI, or an impermissible disclosure of PHI, does not automatically include unencrypted email. Although breaches are somewhat less likely to be caused when using encryption, breaches could occur when using encryption or when not using encryption (based on whether the email is accurately directed to, and received by, the authorized recipient). Determining a breach is more specific to determining whether an impermissible disclosure of PHI has more than a low probability of compromise to the privacy of the information.

    In your scenario, you have 1 breach incident which affected 5 patients for reporting purposes.

    ------------------------------
    Anthony Ambrose, MBA, CHC, CHPC
    Compliance Officer
    Service Access and Management, Inc.
    Lewisburg, PA
    ------------------------------



  • 3.  RE: Unencrypted emails

    Posted 07-01-2020 10:24 AM
    To remind some of our folks who are newer to the world of HIPAA...encryption is not required, as it is identified as an addressable implementation specification.

    But here is why it is important to understand that, though it may not be required...it is likely used by default.

    Given that it is not required, organizations can either implement encryption or document why encryption is not reasonable or appropriate...which I would already find very, very questionable for anyone to conclude.  Assuming that they did conclude encryption is not reasonable or appropriate...the next step is to implement a safeguard that basically accomplishes the same thing as an alternative equivalent measure.

    So essentially, at this time, there really isn't an alternative equivalent measure to encryption...so it takes you right back to using encryption.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    NEXT UP:
    Auditing and More: 7/3
    Next DCO Group Launch: 7/7

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    ------------------------------



  • 4.  RE: Unencrypted emails

    Posted 07-01-2020 11:56 AM

    Assuming the email was sent from your organization's system (i.e., your organization has visibility of it), I recommend checking with your IT folks to determine if the email was transmitted via TLS (Transport Layer Security), which would suggest it was encrypted in transit.  Most organizations these days can (and do) configure their email systems to at least attempt TLS as the default, even if the end user doesn't 'force' a secure transmission.  If both systems are, in fact, configured this way, your IT folks should see that the email was encrypted during transmission.  If you learn your organization's systems are not configured this way, see (with the involvement of your IT Security folks) if your IT folks can make the adjustment to prevent future headaches.

     

    Good luck!

    Chris
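One way to do the log check Chris describes, as an added example that is not from the thread, for a Postfix MTA: it correlates each delivery line with the TLS handshake logged by the same smtp process to the same relay, so a message with no matching handshake is treated as plaintext for the risk assessment. The hostnames, addresses and queue IDs in the sample log are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed Postfix "postfix/smtp" syslog lines (hypothetical hosts and addresses, not from the thread).
SAMPLE_LOG = """\
Jul  1 09:12:03 mail postfix/smtp[2211]: Trusted TLS connection established to mx.partner.example[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  1 09:12:03 mail postfix/smtp[2211]: 4B2C3D1A7F: to=<dr.smith@partner.example>, relay=mx.partner.example[203.0.113.10]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul  1 09:15:44 mail postfix/smtp[2219]: 7E9F0A2B3C: to=<billing@clinic.example>, relay=mail.clinic.example[198.51.100.7]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 OK)
Jul  1 09:20:10 mail postfix/smtp[2211]: 9C1D2E3F4A: to=<lab@other.example>, relay=mx.other.example[192.0.2.9]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK)
"""
# Postfix logs the TLS handshake once per connection (keyed by the smtp PID), then each delivery on it.
TLS_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?:Trusted|Untrusted|Anonymous|Verified) TLS connection "
                    r"established to (?P<host>[^\[\s]+)\[[^\]]*\]:\d+: (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
SENT_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
                     r"relay=(?P<host>[^\[\s]+)\[[^\]]*\]:\d+,.*status=(?P<status>\w+)")

@dataclass
class Delivery:
    queue_id: str
    recipient: str
    relay: str
    status: str
    tls_proto: Optional[str] = None   # None means no TLS evidence for this hop
    tls_cipher: Optional[str] = None

def audit_deliveries(log_text: str) -> Dict[str, Delivery]:
    """Map queue ID -> Delivery; TLS details attach only if the same smtp PID logged a handshake to the same relay."""
    last_tls: Dict[str, Tuple[str, str, str]] = {}  # pid -> (host, proto, cipher)
    found: Dict[str, Delivery] = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["host"], m["proto"], m["cipher"])
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        d = Delivery(m["qid"], m["rcpt"], m["host"], m["status"])
        tls = last_tls.get(m["pid"])
        if tls and tls[0] == m["host"]:  # a stale handshake to a different host is not evidence
            d.tls_proto, d.tls_cipher = tls[1], tls[2]
        found[d.queue_id] = d
    return found

def transit_verdict(d: Delivery) -> str:
    if d.status != "sent":
        return "not delivered (status=%s)" % d.status
    if d.tls_proto:
        return "encrypted in transit (%s, %s)" % (d.tls_proto, d.tls_cipher)
    return "no TLS evidence for this hop: assess as plaintext"
```

Other MTAs (Exchange message tracking, Sendmail) record TLS differently, so the regexes change per product; the transferable part is the rule that only a handshake tied to the same connection and relay counts as evidence.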






  • 5.  RE: Unencrypted emails

    Posted 07-01-2020 12:46 PM
    Hello Leigh,

    HIPAA requires a secure method of email transmission, and encryption is certainly a preferred standard.  But it is not an absolute requirement, as there are alternate ways to secure email, such as that sent through a HIPAA compliant email platform that is properly configured. Here is the reference on the HHS website: https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html

    If you're going to email private information, it is also a good idea to get advance, documented permission from the patient -- and that can be done through language in privacy notices.

    As for the issue of whether a single breach is multiplied by the number of patients who were impacted:  The answer is that a single breach is a single breach. However the number of people involved matters greatly.  For example, if information has been compromised for 500 or more individuals, the reporting requirements are different from incidents involving smaller numbers.

    To see how the Feds list individual breaches, you can visit the OCR's so-called Wall of Shame:
    https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

    For more information on reporting requirements based on size of the breach, see the HHS Breach Notification Rule page:
    https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html#:~:text=If%20a%20breach%20affects%20500,breaches%20on%20an%20annual%20basis.
    (The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.)






    ------------------------------
    Diane Evans
    Publisher
    MyHIPAA Guide
    Akron, OH
    devans@myhipaaguide.com
    ------------------------------



  • 6.  RE: Unencrypted emails

    Posted 07-01-2020 01:19 PM

    I don't think it's necessarily a breach.  It becomes a breach if the email containing PHI was sent to the wrong person or, after investigation, you conclude that the email was intercepted.  I do consider it a security incident though. 

     

    Chris Apgar, CISSP, C|CISO
    CEO & President
    (503) 384-2538 (o) | (503) 816-8555 (c) | (503) 384-2539 (f)
    capgar@apgarandassoc.com
    www.apgarandassoc.com
    Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response


  • 7.  RE: Unencrypted emails

    Posted 07-01-2020 04:58 PM
     
    You have received a secure message
     
    You are receiving this secure email because it is federally mandated that any personal health information that is electronically provided to patients must be secure.

    We at the Community Hospital understand your information is personal and are committed to protecting it.

    If you have concerns about the validity of this message, contact the IT Service Desk at 970-644-3500 with any questions or comments.

    Read your secure message by opening the attachment, securedoc_20200701T145817.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.cisco.com to receive a mobile login URL.

    First time users - will need to register after opening the attachment. For more information, click the following Help link.
    Help - https://res.cisco.com/websafe/help?topic=RegEnvelope
    About Cisco Registered Email Service - https://res.cisco.com/websafe/about

     





  • 8.  RE: Unencrypted emails

    Posted 07-01-2020 08:31 PM
    Scot H....you get the Clever Posting of the Day Award!

    Here there is a thread on encryption and emails...and you post...by sending an encrypted email...BRILLIANT!  This is the kind of stuff that makes me know I am not in some of your leagues when it comes to cleverness.  I love it!

    ------------------------------
    Frank "Snake Bite Leader" Ruelas
    ------------------------------


  • 9.  RE: Unencrypted emails

    Posted 07-02-2020 08:24 AM
    Just also remember that under the proper circumstances it is also federally mandated that e-mailed PHI be sent in an unencrypted format too.
    (I wonder how long it will be 'til the pitchforks and torches come out this time.) Happy Early Friday!
    -Alex-
    Alexander I Slosman, MHA, CHC, CHPC




