Privacy Officer's Roundtable

Unencrypted emails

  • 1.  Unencrypted emails

    Posted 06-30-2020 02:26 PM

    How do others handle emails containing PHI that may accidentally get sent out unencrypted? I would consider this a breach, based on a risk assessment, even if there is no evidence it ended up in the wrong hands. I would also consider 1 breach affecting 5 patients to be 5 breaches for reporting purposes?

    Leigh Wright
    Director of Privacy & Compliance
    Simplified Medical Management
    SCCE Membership

  • 2.  RE: Unencrypted emails

    Posted 06-30-2020 02:38 PM
    I generally see unencrypted e-mails that go to the correct recipient as a violation of policy and a breach under HIPAA (encryption or its equivalent being required). However, if the recipient was the correct recipient then, for me, that would not reach a level higher than a Low Probability of Compromise (LP of C), so therefore not reported. If the email containing PHI was sent to an unknown e-mail address and was unencrypted, then to me, that would likely be higher than a LP of C.

    I would not consider 1 breach of 5 individuals' data to be 5 breaches. I would consider it 1 breach affecting 5 individuals. This is because it is implied by OCR: if 1 breach with more than 500 individuals affected, you notify immediately. They do not say it is 500 separate breaches.

    David Rothery, CHC, AWI-CH
    Compliance & Privacy Officer
    Health & Human Services
    Marin County, CA

    These are my personal opinions and not those of the County of Marin

    SCCE Membership

  • 3.  RE: Unencrypted emails

    Posted 06-30-2020 03:27 PM

    I agree with David!


  • 4.  RE: Unencrypted emails

    Posted 06-30-2020 02:45 PM
    If you concluded a breach then it's a breach. If the one e-mail contained 5 discharge summaries, then for me I'd conclude one breach affecting 5 patients. I say this because when completing the OCR notification they ask: 1) is this a breach affecting fewer than 500 individuals or 500 or more; and 2) how many individuals are affected by this breach.

    David Garrison
    Compliance/Privacy Officer
