7 Ways You Could be Unknowingly Violating HIPAA

Non-compliance with HIPAA can easily lead to unintended breaches where data is exposed to unauthorized parties.  This can be very expensive!  The cost of a breach depends on your degree of negligence; it ranges from $100 to $50,000 per violation (or per data record).

You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in unintended breaches.  Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.

Check your organization!

If any of the following scenarios apply to you, it is worth bringing them up with the person responsible for compliance (your HIPAA Security Officer) so that they are included in your mandatory yearly Risk Analysis.  Is the risk of breach worth continuing with “business as usual”?

1. “Opt In” Email Encryption

Hopefully, by now most people know that Electronic Protected Health Information (ePHI) and email don’t mix unless you have a HIPAA-compliant email provider who has signed a Business Associate Agreement with your organization. However, in our experience, most HIPAA-compliant email security is Opt In.  With Opt In email, messages are sent insecurely unless the sender explicitly designates that a message needs encryption (e.g. by checking a box or entering a word such as “secure” in the message subject).

These Opt In systems are popular because (a) messages are HIPAA-compliant when encryption is chosen, and (b) when not sending ePHI, it is “email as usual.”   People are not required to change or think about it … they just use email as they always have.

This is the fatal flaw with Opt In systems.  If the sender simply “forgets” (or doesn’t think, or maybe can’t be bothered) to enable encryption, then the ePHI-laden message is sent insecurely in breach of HIPAA.  This happens all the time with Opt In systems.

When it is up to a person to choose for every message whether encryption is needed, it is guaranteed that sometimes the wrong choice will be made or the person will forget to choose — ePHI will go out insecurely in breach of HIPAA.  It’s human nature.

Even data loss prevention systems, which automatically encrypt when a message contains specific words, phrases, or patterns, are imperfect and cannot be relied on to catch all messages with ePHI.

The risk of using Opt In encryption is simply too great.  It is much better either to encrypt everything that is sent from an email address that sends or receives ePHI (e.g. have one email address for sensitive material and a separate one for regular correspondence) or to employ an Opt Out mechanism.  With Opt Out, all messages go securely unless the sender explicitly indicates that the message does not contain ePHI.

When it is up to the sender to explicitly choose if a message is allowed to be insecure, it is very much harder to send ePHI insecurely “by accident.”  The senders are automatically accountable for the security, or lack thereof, of messages sent.

Opt Out encryption prevents breaches through inaction and creates accountability on the part of the sender.

See also: Opt In Email Encryption is too Risky for HIPAA Compliance.
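To make the difference between the two policies concrete, here is an added example (illustrative code, not LuxSci's product or anything from the original post) of an outbound mail gateway's encrypt-or-not decision. The message layout, the `X-Secure` and `X-No-ePHI` header names, the `secure:` subject prefix, and the handful of DLP patterns are all assumptions made for the demo. It shows the failure mode the text describes: under Opt In, a message the sender forgot to flag and that the DLP patterns happen not to match goes out in the clear; under Opt Out the same message is encrypted by default, and even an explicit "no ePHI" release is overridden when the content still looks like ePHI.

```python
"""Outbound mail policy: Opt In vs Opt Out encryption decisions.

Added illustration, not LuxSci's code. Header names, the subject prefix
and the DLP patterns below are assumptions for the demo.
"""
import re
from dataclasses import dataclass, field

# Deliberately small DLP pattern set: a real engine has far more patterns
# and, as the post notes, still cannot be relied on to catch everything.
DLP_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                       # SSN-like number
    re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.I),                  # medical record number
    re.compile(r"\b(diagnos\w*|prescription|appointment)\b", re.I),
]


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    headers: dict = field(default_factory=dict)   # assumed header names, see below


def dlp_flags(msg):
    """Names of DLP patterns that match the subject or body (may be empty)."""
    text = f"{msg.subject}\n{msg.body}"
    return [p.pattern for p in DLP_PATTERNS if p.search(text)]


def decide(msg, mode, sensitive_senders=frozenset()):
    """Return 'encrypt' or 'plain' for one outbound message.

    mode 'opt-in' : plain unless the sender asked for encryption
                    (subject starts with 'secure:' or header X-Secure: yes),
                    with DLP as a best-effort safety net.
    mode 'opt-out': encrypted unless the sender explicitly released the
                    message with header X-No-ePHI: yes AND DLP finds nothing.
    Addresses in sensitive_senders (an address used for ePHI) are always encrypted.
    """
    if msg.sender in sensitive_senders:
        return "encrypt"
    flagged = dlp_flags(msg)
    if mode == "opt-in":
        asked = (msg.subject.lower().startswith("secure:")
                 or msg.headers.get("X-Secure") == "yes")
        return "encrypt" if (asked or flagged) else "plain"
    if mode == "opt-out":
        released = msg.headers.get("X-No-ePHI") == "yes"
        # Default is secure; a release only takes effect when DLP agrees.
        return "plain" if (released and not flagged) else "encrypt"
    raise ValueError(f"unknown mode {mode!r}")


def run_demo():
    """Constructed messages showing where each policy fails or holds."""
    forgot = Message("nurse@clinic.example", "Tuesday",
                     "Mr. Smith's follow-up visit is Tuesday at 10; bring the test results.")
    caught = Message("nurse@clinic.example", "Tuesday",
                     "Your appointment is Tuesday at 10.")
    released = Message("office@clinic.example", "Lunch",
                       "Lunch menu for Friday is attached.", {"X-No-ePHI": "yes"})
    return {
        "forgot/opt-in": decide(forgot, "opt-in"),      # 'plain'  -> ePHI leaks
        "forgot/opt-out": decide(forgot, "opt-out"),    # 'encrypt' -> safe by default
        "caught/opt-in": decide(caught, "opt-in"),      # 'encrypt' -> DLP happened to match
        "released/opt-out": decide(released, "opt-out"),  # 'plain' -> explicit, accountable release
        "sensitive": decide(forgot, "opt-in", {"nurse@clinic.example"}),  # 'encrypt' always
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:18} -> {result}")
```

The point of the `forgot` message is that nothing in it matches the DLP patterns, so only the default decides its fate: Opt In sends it in the clear, Opt Out does not.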

2. Sending Text Messages

Medical professionals (e.g. doctors, nurses, psychologists, therapists, dentists, etc.) frequently text each other and even text patients (e.g. for scheduling appointments).  Texting is easy and patients like to communicate via text.  However, many of these text messages (even scheduling ones) contain ePHI. Sending them using your regular phone texting system is in violation of HIPAA.  This has to stop.

It would seem that many people do not yet realize that texting falls under the same HIPAA security rules as email does and that sending regular texts cannot be compliant (for details, see: Can text messaging be HIPAA-compliant?).  Continuing to send ePHI over text constitutes willful neglect of HIPAA and can result in the largest of fines.

Instead, if you want to use a text-like real-time communication system, you need to use a HIPAA-compliant SecureChat application for your mobile devices.  This must provide, among other things, strong encryption, audit trails, archival, and a Business Associate Agreement.

3. Email and Text Appointment Notifications

If your office sends email or text messages that indicate a patient has a doctor’s appointment, this is almost always ePHI.  Appointment confirmations are ePHI because they indicate that a particular person (i.e. someone “identifiable” via the patient’s email address, name, or phone number) has an appointment with a specific health care provider (i.e. they give information about the “future provisioning of health care”).

This information must be sent securely … and too many times it is not.  See: HIPAA Compliance is needed for Emailed Appointment Reminders.

If your organization sends electronic appointment reminders, please find a way to deliver these notifications securely to your patients.  For example, delivery can be via a tie-in to a HIPAA-compliant email or text messaging system.

4. Insecure Web Intake Forms

Every day we find medical web sites that have web forms for “getting more information,” for general intake, and for other purposes.  These form pages are often not encrypted, and the form submissions themselves are not processed in a compliant manner: they are often emailed insecurely to an administrative assistant for processing.

If your web site is requesting and collecting ePHI (e.g. identifiable medical information about an individual), then your web site is required to handle that information with care commensurate with HIPAA standards.

Check out your web site and see what forms you have there, what they collect, and how the information is handled.  You may need to update your site to secure your form pages with TLS and to incorporate a secure form processing solution to properly deliver that sensitive data to you.  Without this, every form submission may be in breach.
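As a starting point for that check, here is an added example (not a LuxSci tool, and not from the original post) of a static audit over a page's HTML: it finds forms whose field names suggest they collect ePHI and reports whether the page itself is served over TLS, whether the form's submission target is HTTPS or something worse such as a `mailto:` action, and whether the form uses GET, which puts field values into URLs and logs. The sample HTML, the field-name hints and the host names are constructed for the demo.

```python
"""Static audit of web intake forms for insecure delivery of ePHI.

Added example, not LuxSci's own tool. The sample HTML, the field-name
hints and the host names are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field collects identifiable health information.
PHI_FIELD_HINTS = ("dob", "birth", "ssn", "diagnos", "symptom", "medic",
                   "insur", "condition", "patient")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name") or a.get("id") or ""
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that looks like it collects ePHI.

    Each finding lists the resolved submission target, the PHI-like
    fields, and the delivery problems found (an empty list means none).
    """
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for i, form in enumerate(parser.forms):
        phi_fields = [f for f in form["fields"]
                      if any(h in f.lower() for h in PHI_FIELD_HINTS)]
        if not phi_fields:
            continue  # newsletter-style forms are out of scope here
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        scheme = urlsplit(target).scheme
        issues = []
        if page_scheme != "https":
            issues.append("form page not served over TLS")
        if scheme == "mailto":
            issues.append("submission handed to the visitor's mail client in the clear")
        elif scheme != "https":
            issues.append(f"submission posted over {scheme or 'unknown'}, not https")
        if form["method"] == "get":
            issues.append("GET method puts field values in the URL, logs and Referer headers")
        findings.append({"form": i, "target": target,
                         "phi_fields": phi_fields, "issues": issues})
    return findings


# Constructed sample page: an intake form posting to a plain-HTTP handler,
# a contact form whose action is a mailto: address, and a newsletter form.
SAMPLE_HTML = """
<form action="http://forms.example.test/intake.cgi" method="post">
  <input name="patient_name"><input name="dob"><textarea name="symptoms"></textarea>
</form>
<form action="mailto:frontdesk@example.test" method="post">
  <input name="name"><input name="insurance_id">
</form>
<form action="/newsletter" method="post"><input name="email"></form>
"""

if __name__ == "__main__":
    for f in audit_forms("https://clinic.example.test/contact", SAMPLE_HTML):
        print(f"form {f['form']} -> {f['target']}")
        print("  PHI-like fields:", ", ".join(f["phi_fields"]))
        for issue in f["issues"]:
            print("  !", issue)
```

Run against a crawl of your own site, this gives a list of forms to fix; it does not tell you what happens to a submission after it reaches a compliant HTTPS endpoint, which still has to be checked on the server side.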

5. Sharing a Login

Sharing logins and email addresses is easy and cheap. Everyone just knows the shared login and password and logs into the same system.  HIPAA, however, requires unique logins for everyone in an organization. HIPAA also requires auditing to indicate when people do what (e.g. who logged in when?).  When you are sharing a login, you lose accountability and that can be a direct violation of your HIPAA requirements.

Are you sharing logins?  Add that to your HIPAA Risk Assessment to see if it’s worth it.  In many cases, there are ways to achieve the same results and still have unique logins for everyone.
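The accountability loss is visible in the audit trail itself. As an added example (not from the original post, and not any particular product's log format), here is a small detector that reads constructed login/logout audit records and flags accounts with overlapping sessions from different source addresses, which is what a shared login looks like in practice. The log format, user names and addresses are assumptions made for the demo.

```python
"""Spot shared logins in an application's audit log.

Added example, not code from the post. The log line format, user names
and addresses are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed audit record format: "<ISO time> login|logout user=<u> src=<ip> session=<id>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|logout) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) session=(?P<sid>\S+)$"
)

# Constructed sample: "frontdesk" is used from two workstations at once,
# "jsmith" simply moves from one device to another after logging out.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z login user=frontdesk src=10.0.0.12 session=s1
2024-03-04T09:02:41Z login user=frontdesk src=10.0.0.31 session=s2
2024-03-04T09:05:00Z login user=jsmith src=10.0.0.40 session=s3
2024-03-04T09:30:00Z logout user=frontdesk src=10.0.0.12 session=s1
2024-03-04T10:50:00Z logout user=jsmith src=10.0.0.40 session=s3
2024-03-04T11:00:00Z login user=jsmith src=10.0.0.41 session=s4
"""


def parse(log_text):
    """Yield one dict per well-formed audit line, with a UTC datetime."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield d


def sessions(events):
    """Return {user: [(start, end, src), ...]}; end is None if still open."""
    open_, out = {}, defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login":
            open_[e["sid"]] = e
        else:
            start = open_.pop(e["sid"], None)
            if start:
                out[e["user"]].append((start["ts"], e["ts"], start["src"]))
    for s in open_.values():
        out[s["user"]].append((s["ts"], None, s["src"]))
    return out


def shared_login_suspects(log_text):
    """Accounts with time-overlapping sessions from different source addresses.

    Returns {user: sorted list of source addresses involved}. An account on
    this list cannot be attributed to a single person for the overlap period.
    """
    suspects = {}
    for user, sess in sessions(parse(log_text)).items():
        sess.sort(key=lambda s: s[0])
        for i, (a_start, a_end, a_src) in enumerate(sess):
            for b_start, b_end, b_src in sess[i + 1:]:
                overlap = a_end is None or b_start < a_end
                if overlap and a_src != b_src:
                    suspects.setdefault(user, set()).update({a_src, b_src})
    return {u: sorted(v) for u, v in suspects.items()}


if __name__ == "__main__":
    for user, sources in shared_login_suspects(SAMPLE_LOG).items():
        print(f"{user}: concurrent sessions from {', '.join(sources)}")
```

The same account on two devices by one person (laptop and phone) also produces overlapping sessions, so treat a hit as a question for the Risk Assessment rather than proof; the point is that once the answer is "several people", nothing in the log can say who did what.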

6. No Risk Assessments or Training?

This is the situation in many smaller organizations:

  1. Employees are not trained on HIPAA, how to do their jobs in a compliant way, and how to deal with and report breaches.
  2. Yearly Risk Assessments are not performed, resulting in no action being taken to mitigate the risk of breach.

These requirements apply even if you are the only person in your business (e.g. a sole practitioner).  In this case you are the “HIPAA Compliance Officer”: you must be sure that you are trained on HIPAA, you must perform your Risk Analysis, and you must be sure that all ePHI under your purview is safe.

If you are neglecting these basics and something goes wrong, your HIPAA fines will be much larger due to apparent “willful neglect”.  If you are in this situation, start with a detailed Risk Assessment to see where you stand.  Then start mitigating your risks, training your employees, putting policies into place, and working continuously to minimize the possibility of data leakage.  HIPAA-compliance is an ongoing process as the security landscape and your business’ processes and vendors change over time.

7. I Took Care of HIPAA Last Year

Smaller companies, especially, tend to make a push to become “HIPAA compliant” and then “forget it,” assuming that they are “all set.”  They have limited resources and would rather devote as little time and thought to HIPAA as possible; that is completely understandable from a business point of view. However, HIPAA mandates yearly reviews of your policies and risk.  You need to update your own and your employees’ training and your organization’s policies yearly. There are even some things that you may need to be doing on a quarterly basis.  Keep a calendar and make sure that you are devoting the appropriate time and resources to both continued compliance and continued risk management.

See: HIPAA Compliance Checklist: What You Need To Do.

Do I have To?

While this may seem very intimidating, especially if you have limited resources, getting started and addressing your HIPAA requirements and the concerns presented here will pay off in the long run.  Low hanging fruit is easily and cheaply dealt with.  Simply knowing where you are at risk, in many cases, goes a long way towards enabling you to mitigate that risk through changes in behavior, vendor, or policy.  The fact that you are working on it, know where you stand, and are taking steps to improve (however fast or slowly, based on the resources at hand and the degree of risk) can also go a long way toward turning a breach that would otherwise be treated as “willful negligence” into a much less expensive fine if something goes wrong.

Finally, there are many companies whose focus is on helping you meet your HIPAA compliance requirements, from performing a Risk Analysis, to writing internal policy documents, to outsourcing your email, web, and text messaging services.  Getting help from third party expert companies reduces your liability, reduces your workload, reduces the burden of knowledge and expertise on you, and ensures that your needs are taken care of by specialists.

LuxSci specializes in HIPAA-compliant email, web site, web form, and secure messaging systems.
