How to Exchange HIPAA Compliant Email

Posted by Mark Jennings - June 28, 2016 - healthcare, IT Security

In this age of free and convenient exchange of information it is easy to become complacent and simply hit the “send” button and move on with your day. However, it is important that you are extremely aware of the information included in your message and make sure that it is properly secured from prying eyes, because learning how to exchange HIPAA compliant email could protect you from violations and fines.

This is especially important when the message includes Patient Health Information (PHI). PHI includes any information that could potentially link the identity of an individual with the specific health information contained within the message. HIPAA requires that email containing PHI be encrypted in transit between parties. This ensures that any third party that might intercept the message is not able to decipher the message without the proper credentials. Violations of this rule can result in fines as high as $250,000 per violation.

However, email encryption is considered inconvenient and cumbersome by many medical practices and patients alike. And many healthcare workers (and others handling PHI) fall into the complacency trap. In December of 2014 Sony Pictures (yes, it’s not only medical practices that are governed by HIPAA) admitted that 30,000 HR emails containing PHI had been compromised as part of the overall system hack. This included juicy tidbits regarding some celebrities. In May of 2010 an email from US Health containing over 1000 patient names and addresses was sent inadvertently to an unauthorized party. No fines were levied but the costs could have been significant.

So what can be done to prevent such breaches? Here are a few examples of some strategies that can be employed:

Install an email gateway appliance or service. PHI and other personally identifiable information (PII) often fit into easily identified patterns. For example, Social Security numbers and phone numbers fit the patterns xxx-xx-xxxx and xxx-xxx-xxxx respectively. Likewise, medical practice account numbers and medical codes follow specific patterns. A medical dictionary can identify the mention of conditions and drugs within a message.

An email gateway can inspect outgoing messages and look for the combination of PII and medical information in the same message. In such cases the message can be automatically encrypted or simply blocked. In the event the email is encrypted, the receiver gets a message that an encrypted email has been sent to them and they must go to a web-based portal to retrieve the message. For medical practices exchanging PHI with other covered entities on a regular basis, gateway appliances can be installed at both sites so the messages can be encrypted and decrypted automatically without any interaction with the sender or receiver.
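The pattern-plus-dictionary check the two paragraphs above describe, written out as a small outbound-gateway classifier. This is an added example, not code from the post or from any gateway product; the ACCT-###### account format, the five-word medical dictionary, the sample messages and the "block on SSN" policy are all constructed assumptions.

```python
import re

# Identifier patterns the post describes: SSN xxx-xx-xxxx, phone xxx-xxx-xxxx.
# Word boundaries keep a phone number from being misread as part of an SSN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
# Hypothetical practice account-number format (assumption, not from the post).
ACCOUNT_RE = re.compile(r"\bACCT-\d{6}\b")

# Constructed stand-in for the "medical dictionary" of conditions and drugs.
MEDICAL_TERMS = {"diabetes", "hypertension", "metformin", "lisinopril", "biopsy"}


def find_identifiers(text):
    """Return every PII-shaped token found, grouped by type."""
    return {
        "ssn": SSN_RE.findall(text),
        "phone": PHONE_RE.findall(text),
        "account": ACCOUNT_RE.findall(text),
    }


def find_medical_terms(text):
    """Return dictionary hits as a sorted list (case-insensitive, whole words)."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & MEDICAL_TERMS)


def classify(text, block_on_ssn=True):
    """Gateway decision: 'send', 'encrypt' or 'block'.
    PHI is inferred only when an identifier AND a medical term appear in the
    same message; either one alone passes. Blocking on SSNs is an assumed policy."""
    ids = find_identifiers(text)
    terms = find_medical_terms(text)
    if not (any(ids.values()) and terms):
        return "send"
    if block_on_ssn and ids["ssn"]:
        return "block"
    return "encrypt"


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        "Jane, call me back at 802-555-0100 about Friday's meeting.",
        "Reminder: Jane Doe (802-555-0100) is due for a biopsy follow-up.",
        "ACCT-482193 was billed for metformin; SSN on file is 123-45-6789.",
    ]
    for msg in samples:
        print(classify(msg), "<-", msg)
```

A production gateway would also scan attachments and use a far larger term list, but the decision logic (identifier and medical context together, not either alone) is the part that keeps ordinary correspondence from being needlessly encrypted.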

Install an email client plug-in to allow encryption. The most common email client, Outlook, supports several email plug-ins from various vendors that allow the sender to select encryption when sending the message. Again, the recipient must have a corresponding plug-in to automatically decrypt the message; otherwise they will be directed to a web-based portal to retrieve the message. With this approach the sender must know that they are transmitting PHI and consciously decide to encrypt the message prior to sending.

Use an EHR portal to exchange all PHI. Many Electronic Health Record systems include a secure portal where patients and covered entities can retrieve PHI. In this case the recipient simply receives a message that the PHI is in the portal and can be retrieved using their secure credentials. The information never actually traverses the public network.

Use a HIPAA compliant email system. Several vendors such as Virtru and state health exchanges have developed email systems that are HIPAA compliant by default. Using this type of system the sender can have complete control over the message, including expiring the message and revocation. However, these systems may not include many of the productivity features available in more common off-the-shelf email systems. Other solutions can address mobile device issues, including lost or stolen devices. ZixCorp has created a mobile email client that allows users to send and receive emails on their mobile device without ever storing the messages on the device itself. Therefore if the device is lost or stolen, no PHI is left behind.

Employ a third party encryption solution. For years a public key/private key encryption technology known as Pretty Good Privacy or PGP has existed for just such a situation. With this solution, the sender maintains a private key that only they have access to. Prior to sending the message they encrypt it using this private key. Think of the private key as more of a lock. The sender also has a public key that can be shared with anyone the sender trusts. Using the public key the recipient can decrypt (“unlock”) the message. Anyone intercepting the message in transit cannot read the message unless they also have the sender's public key. While this is a tried and true methodology, it requires relatively savvy users and significant user interaction.

Employee education. Of course, none of this absolves individuals who are custodians of PHI from being fully educated on their responsibilities and the consequences of non-compliance. Human error can find its way around any system put in place. With the proliferation of personal email systems and social media, the uneducated employee can easily bypass systems put in place and inadvertently transmit PHI insecurely. Therefore the first and final defense is comprehensive and continual user education regarding HIPAA regulations and how employees can prevent a breach.

By now, we all realize that, with the number of threats that exist, there is no 100% solution. However, if ever faced with a breach, those institutions that have taken a proactive approach to HIPAA compliance will always fare better than those that have not. Make sure that you have evaluated the options to maintain compliance and document your actions and the reasons for your decisions. This will go a long way in the eyes of an auditor.

About the author

Mark Jennings

Mark Jennings is SymQuest’s Area Vice President of IT Sales. Jennings works with SymQuest’s sales and service teams to educate customers on current best practices around data protection, disaster recovery, security, and overall technology planning.