Privacy Officer's Roundtable

PHI sent through unencrypted e-mail?

  • 1.  PHI sent through unencrypted e-mail?

    Posted 03-04-2020 01:10 PM
    If an e-mail is sent out with general colonoscopy instructions to a patient unencrypted would you consider this a breach? The e-mail never addresses a patient by name, it simply has colonoscopy instructions attached. I realize an e-mail address can be considered PHI if linked with health information and this would imply the owner of that e-mail is a patient and preparing for a colonoscopy. I am of the opinion that the colonoscopy instructions should be sent encrypted, but a lot of patients complain about having to log into the secure portal just for instructions. I also know they can request the information be sent unencrypted if they are made aware of the risks but that is not really my question. Can instructions be sent by e-mail unencrypted or should I stick with my initial recommendation that they must be encrypted?

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson, TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 02:17 PM
    Hi Savannah,

    If the instructions themselves do not have any PHI on them (such as being prefilled with the patient's information or having a patient label on them), my opinion is you can send them unencrypted.  I would recommend staff do their due diligence and confirm the email address with the patient before they are sent to ensure they are sending them to the correct place.  As you said, the patient should be advised of the risk as well.

    -Sam

    ------------------------------
    Samantha Molleda
    Director of Compliance
    Westchester Medical Center Health Network
    West Milford, NJ
    ------------------------------



  • 3.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 02:36 PM
    I guess I am worried the instructions imply the receiver is a patient and is having a procedure. I have also had questions about e-mailing return to work or school notes unencrypted. If you do state the risks before you send, are you noting verbal agreement or having them sign something? Not sure if it is overkill to have them sign something stating the risks for a school note or procedure directions?

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson, TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 4.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 02:54 PM
    My wife and I share the same email address. So that by itself is not necessarily a slam dunk as to who it applies to. Actually, now that I think about it, we use our joint email address for my mother-in-law who also lives with us. It could be for all three. Some homes may use the parent's email address for their minor children.

    The email gets you in the ball park, but it's not a home run. But I could see how some may think it risky. To help matters though, the majority of email systems nowadays have point-to-point encryption built in without having to do overt encryption through some software system you have. You just can't count on it happening.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 5.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 02:59 PM
    Personally, I would lean toward encrypting the e-mails unless the patient specifically authorizes you not to.

    When we send records unencrypted, (or actually via any method) we do request a signature on a form documenting what the patient is requesting, when they requested it, where they want it sent, etc.  That said, many patients prefer not to complete the form and/or their request is coming in over the phone, in which case we have staff document the request using the same form and staff documents that the patient provided the information, but did not sign the form.

    ------------------------------
    Emily Roberts
    Compliance/Privacy Manager
    Morrow County Health District
    Hermiston, OR

    The opinions expressed are my own and are not intended to represent the positions, strategies or opinions of my employer.
    ------------------------------



  • 6.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 03:14 PM
    I understand your reasoning, however, remember that you can and should do a risk analysis in the event of a potential breach.  Just going by what you've said, I would say that simple patient instructions for a procedure are not detailed or sensitive information and the likelihood of harm is low.  I have included a blank risk analysis form you can use for the future.

    ------------------------------
    Samantha Molleda
    Director of Compliance
    Westchester Medical Center Health Network
    West Milford, NJ
    ------------------------------




  • 7.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 03:22 PM
    Edited by Carl Russell 03-04-2020 03:39 PM
    Thanks Samantha. It's always good to see what others are using in case there is something worth embracing.

    ------------------------------
    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho
    Boise, ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------



  • 8.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 03:30 PM
    I do agree the risk is low so I am not concerned with it being a reportable breach. I really just want to know if others send this type of information unencrypted and is that ok? We do have an encryption system but the employees are manually overriding this such as in this case.

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson, TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 9.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 04:01 PM
    We do not e-mail any PHI to a patient unless we have their consent and whether they consent to encrypted or unencrypted.

    In regards to your original question, and to C&C:  Encryption is an addressable security standard.  So, you either encrypt or have an equivalent process.  I'll assume you have a policy that says any PHI that is e-mailed has to be encrypted unless the patient consents to unencrypted.  So in this case you have a policy violation of a security standard and to me an impermissible disclosure.  Now, whether it's a breach or not depends on the LoProCo.  In this case, I'd say no breach.  E-mailing PHI unencrypted is not an automatic breach, at least to me, unless your policy says it is.

    Now, onto another question/issue:  is what you e-mailed PHI?

    ------------------------------
    David Garrison
    Compliance/Privacy Officer
    SEARHC
    Juneau, AK
    ------------------------------



  • 10.  RE: PHI sent through unencrypted e-mail?

    Posted 03-05-2020 12:39 PM
    Also, almost all emails are encrypted automatically through Transport Layer Security (TLS), which is a way to encrypt your email traffic from server to server. Most providers (Gmail, Hotmail, etc.) use TLS, so the risk really is low that it is actually unencrypted (at least in transmission).

    ------------------------------
    Aurae Beidler
    Compliance/ Privacy Officer
    Linn County Health Services
    ------------------------------

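Posts 4 and 10 above both rest on server-to-server TLS, and post 4 adds the caveat that "you just can't count on it happening." One way to check, after the fact, whether a particular message actually travelled over TLS is to read the trace fields the receiving servers added: per RFC 3848, a `Received:` header whose `with` keyword ends in `S` (`ESMTPS`, `ESMTPSA`, `UTF8SMTPS`, ...) records that STARTTLS was negotiated on that hop, and Postfix additionally writes a `(using TLSv1.3 with cipher ...)` comment. The script below is an added example written for this thread, not code from any of the posters or their organisations; the sample message, host names (`example-clinic.test`, `patient-isp.test`) and IDs are constructed for illustration. It parses each hop, strips RFC 5322 comments first so that "with cipher" inside a comment is not mistaken for the protocol keyword, and reports which hops were plaintext. Note what this does and does not tell you: it only covers hops that wrote a trace header, it requires the recipient's copy of the message (so it is an audit aid, not a control you can enforce before sending), and a TLS hop says nothing about how the message is stored once delivered.

```python
import email
import re

# Constructed sample message (not a real clinic e-mail). Received headers are
# newest-first: the patient's provider accepted the message from the clinic's
# outbound MX over plain ESMTP, i.e. the last hop negotiated no STARTTLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example-clinic.test (mx2.example-clinic.test [192.0.2.20])
\tby mail.patient-isp.test with ESMTP id 7FA3C
\tfor <patient@patient-isp.test>; Wed, 04 Mar 2020 13:10:05 -0500
Received: from relay.example-clinic.test (relay.example-clinic.test [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx2.example-clinic.test (Postfix) with ESMTPS id 12AB;
\tWed, 04 Mar 2020 13:10:04 -0500
Received: from [10.0.0.5] (helo=workstation) by relay.example-clinic.test
\twith ESMTPSA id 998; Wed, 04 Mar 2020 13:10:03 -0500
From: scheduling@example-clinic.test
To: patient@patient-isp.test
Subject: Colonoscopy prep instructions
MIME-Version: 1.0
Content-Type: text/plain

Instructions attached.
"""

# RFC 3848 / IANA "WITH protocol types": SMTP, ESMTP, LMTP and UTF8 variants,
# optionally suffixed S (STARTTLS used) and/or A (SMTP AUTH used).
SMTP_KEYWORDS = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)(?:S?A?)$")


def strip_comments(value):
    """Remove RFC 5322 comments (parenthesised, possibly nested) from a header
    value. Returns (remaining_text, list_of_comment_bodies)."""
    text, comments, buf, depth = [], [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
            if depth == 1:
                buf = []
                continue
        elif ch == ")" and depth:
            depth -= 1
            if depth == 0:
                comments.append("".join(buf))
                continue
        (buf if depth else text).append(ch)
    return "".join(text), comments


def classify_hop(received):
    """Classify one Received header value as 'encrypted', 'plaintext',
    'non-smtp' (webmail/local delivery) or 'unknown' (no 'with' clause)."""
    text, comments = strip_comments(re.sub(r"\s+", " ", received))
    m_with = re.search(r"\bwith (\S+)", text)
    m_from = re.search(r"\bfrom (\S+)", text)
    m_by = re.search(r"\bby (\S+)", text)
    keyword = m_with.group(1).upper().rstrip(";") if m_with else None
    if keyword is None:
        status = "unknown"
    elif not SMTP_KEYWORDS.match(keyword):
        status = "non-smtp"
    # Strip a trailing A (AUTH) before testing for the S (STARTTLS) marker so
    # ESMTPSA is recognised. The comment check is a heuristic for MTAs such as
    # Postfix that record "(using TLSv1.x ...)" instead of, or as well as, ESMTPS.
    elif keyword.rstrip("A").endswith("S") or any("TLS" in c.upper() for c in comments):
        status = "encrypted"
    else:
        status = "plaintext"
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "with": keyword,
        "status": status,
    }


def audit_path(raw_message):
    """Return the hops in delivery order (oldest first) with their TLS status."""
    msg = email.message_from_string(raw_message)
    hops = [classify_hop(value) for value in msg.get_all("Received", [])]
    return list(reversed(hops))


def unencrypted_hops(raw_message):
    """Hops that used SMTP without STARTTLS, i.e. where the message crossed
    the network in the clear."""
    return [h for h in audit_path(raw_message) if h["status"] == "plaintext"]


if __name__ == "__main__":
    for hop in audit_path(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}: with={hop['with']} {hop['status']}")
```

Run against the constructed message, the two internal hops come back `encrypted` and the final hop into `mail.patient-isp.test` comes back `plaintext`, which is exactly the "you can't count on it" case: the sending side did everything right and the message still crossed the public network unencrypted on the last leg. Real headers are messier than the sample (some MTAs omit the `with` clause entirely, which the script reports as `unknown` rather than guessing).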


  • 11.  RE: PHI sent through unencrypted e-mail?

    Posted 03-04-2020 05:39 PM
    Samantha,
    I like the process used in your attached risk assessment. I have a couple of notes, from a compare and contrast standpoint. Although your risk assessment does not mention risk of "harm," I would avoid using the term in any discussion on Low Probability of Compromise assessments, just because that harm standard was done away with some years ago. Also, I have my exception criteria at the start of the assessment, just because it would be the natural order of the assessment process.

    Thanks for posting and attaching your process.

    Best regards

    ------------------------------
    David Rothery, CHC, AWI-CH
    Compliance & Privacy Officer
    Marin County, CA


    These are my personal opinions and not those of the County of Marin
    ------------------------------



  • 12.  RE: PHI sent through unencrypted e-mail?

    Posted 04-16-2020 07:50 PM
    This is great discussion.  Wouldn't the email address be considered one of the patient identifiers under HIPAA since it is linked to services provided by the Covered Entity?

    ------------------------------
    Bridget Johnson
    Privacy Director
    Baptist Health
    Jacksonville, FL
    ------------------------------
