Ask Erik: Is misaddressed email a HIPAA breach?
At LuxSci we help customers manage their HIPAA-compliant email on a daily basis. One common question that we often hear is:
If I send an email message to the wrong person… is that a breach of HIPAA?
The answer is “it depends”.
But to backtrack, it’s really easy to send email to the wrong person when you type in email addresses by hand. One typo in the email address can send that message off to the wrong person. That person gets your message, opens it up, and boom, they see whatever you wrote, be that very private information or directions to Saturday’s party. But is that a HIPAA breach if they get somebody else’s PHI inadvertently sent to them?
Generally, yes. The answer is “yes” if they can read that message. There’s the rub. You can send email messages to anybody with encrypted data in them that they can’t open, and that’s not a breach: as long as the data stays encrypted and undecipherable to the recipient, you’re fine. But many people send email messages that are easy to open once received.
For example, if you use TLS for transport encryption, that’s perfectly fine under HIPAA because it protects your messages as they travel from the source to the destination, but once the recipient gets the message it is unencrypted. If it’s the wrong recipient, they have the unencrypted sensitive information and that’s a breach. No, it doesn’t help if you have a legal disclaimer saying, “If you got this message and it’s not for you, please disregard it.” Those kinds of disclaimers are essentially meaningless.
If you’re worried about the situation (many people are, some people aren’t, depending upon how careful you are with your email sending), there are a number of things you can do. You can send only to email addresses that are in address books, picking and choosing recipients in a way that is less error prone. That helps. You can use technologies like S/MIME or PGP to make sure the bodies of messages are encrypted and only the true recipients can decrypt them. That helps a lot.
A common method of encryption is one where the recipient receives a notice and comes to a secure portal to pick the message up. That can be problematic if the way your portal works is that the recipient only needs to register on first use to get a message. If you inadvertently send a message to the wrong person, they’ll click on the link and register for their first-time usage. They’ll breeze right in. They have the message. They have the PHI, and you have a breach.
You can avoid this situation by using a system like LuxSci where you can control these messages and control the authentication by providing a question and answer or an authentication code along with the messages. This way, even if the wrong person gets the message and clicks on the links, they cannot access the data unless they have the answer to your question, the authentication code, or whatever it is you provided. You have insulated the message from inadvertent sending.
If you have any questions about these scenarios and how you use email, contact LuxSci Support; we’ll be happy to help you out. Thanks for using LuxSci.
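To make the difference between the two portal designs concrete, here is an added example (not LuxSci’s code, and not a description of how the LuxSci portal is built) that models a pickup portal in Python. It assumes an in-memory dictionary standing in for the portal’s database, self-service account registration exactly as in the “register on first use” design described above, and a message stored encrypted under a key derived from the pre-shared answer. The cipher is HMAC-SHA256 in counter mode with a separate HMAC tag, used here only because the standard library ships no AEAD; a real deployment would use a vetted authenticated cipher such as AES-GCM. The addresses, answer, and PHI text are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# In-memory stand-ins for the portal's database (constructed for this example).
MESSAGES = {}
ACCOUNTS = set()
KDF_ITERATIONS = 200_000


def register_account(email):
    """Self-service registration: whoever controls the mailbox can create the
    account, so this check alone cannot stop a misaddressed message."""
    ACCOUNTS.add(email.lower())
    return True


def _derive_key(answer, salt):
    # Slow, salted KDF over the pre-shared answer (or authentication code).
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def _subkeys(master):
    # Separate keys for encryption and integrity, derived from the master key.
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream; stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def deposit_message(recipient, plaintext, answer):
    """Sender side: the portal stores only ciphertext bound to the answer, so it
    cannot release PHI to anyone who lacks the answer, whatever mailbox they own."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(_derive_key(answer, salt))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    message_id = secrets.token_urlsafe(16)  # the opaque id that goes in the notice link
    MESSAGES[message_id] = {"to": recipient.lower(), "salt": salt,
                            "nonce": nonce, "ct": ct, "tag": tag}
    return message_id


def pick_up(message_id, account_email, answer):
    """Recipient side: returns the plaintext, or None when the account does not
    match the addressee or the supplied answer is wrong."""
    rec = MESSAGES.get(message_id)
    email = account_email.lower()
    if rec is None or email not in ACCOUNTS or rec["to"] != email:
        return None
    enc_key, mac_key = _subkeys(_derive_key(answer, rec["salt"]))
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None  # wrong answer (or tampered record): no plaintext leaves the portal
    return bytes(c ^ k for c, k in zip(rec["ct"], _keystream(enc_key, rec["nonce"], len(rec["ct"]))))


def demo():
    """Constructed scenario: the sender meant jane.doe@ but typed jane.dee@."""
    secret = "first pet's name: Biscuit"
    phi = b"Lab results: potassium 4.1 mmol/L"
    # Intended recipient at the correct address, who was told the answer out of band.
    register_account("jane.doe@example.com")
    ok_id = deposit_message("jane.doe@example.com", phi, secret)
    intended = pick_up(ok_id, "jane.doe@example.com", secret)
    # Misaddressed copy: the stranger owning the mistyped address registers on
    # first use and clicks the link, but does not know the answer.
    bad_id = deposit_message("jane.dee@example.com", phi, secret)
    register_account("jane.dee@example.com")
    stranger = pick_up(bad_id, "jane.dee@example.com", "Rex")
    return stranger, intended


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the portal holds nothing it can hand over on registration alone: the link plus an account only identifies the record, and the answer is what unlocks it. Because a question-and-answer secret is low entropy compared with a key, a production portal would also limit failed attempts per message and expire messages, so the wrong recipient cannot simply guess.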
Have a question? Ask Erik!