Patrick...I'll take a crack at this...please let me know your feedback
An employee sends an unencrypted email that contains PHI to an outside agency. The specifics are, that your company and the agency have a BAA in place, the receiver of the email has a need to know to coordinate healthcare for the patient. Per the Security Rule, PHI needs to be protected (encrypted) in transmission,...is this a breach?

I say yes given that it is an impermissible disclosure given that the transmission is not protected as is required by the regulations (or internal policy). Therefore, it is presumed to be a breach and one can either assess and take action depending on the conclusion or one can simply move forward with the required notifications (remember DoD + 60).

an impermissible disclosure...

Of the four impermissibles, I would categorize this as an example of an impermissible disclosure.

or nothing but lack of judgement and concentration by the employee for not encrypting the email.

No...if policy, training and education, and other efforts are aimed at people sending PHI accurately and in a secured manner, you also have a violation of internal policies and procedures...which also makes this an impermissible disclosure and takes you down the presumed breach road.

BONUS...breach assessment
Factor 1: Yes/High
Factor 2: Yes/High
Factor 3: Low
Factor 4: Low
Conclusion: This impermissible disclosure does not represent where there is more than a low probability of compromise of the security or privacy of the PHI....assessment conclusion...NO BREACH.

Someone might ask how can I conclude Factor 4 to be low...good question...let's see what some people may have to offer along those lines.

Thoughts?
I agree that Factor 4 is Low...because of the very low likelihood that anyone at the ISP (or any other section of the electronic transmission route), would intercept that particular e-mail.
However, if your ISP saves copies of all sent e-mails on the server, you'll want to go there and delete it so you don't have unencrypted ePHI sitting around the ISP. You'll also want to delete it from your sent mail folder on your local machine as well...even if your machine is encrypted, probably better not to have ePHI on it if it can be avoided (just a personal preference).
Scot Lovejoy RPh. CHC CHPC
Chief Pharmacy Officer
Here are the four factors...
Four factors must be considered, at minimum: