Patient Privacy Issues with Unencrypted Email

August 28th, 2017

We have scoured the internet for real-life examples of emails in medical scenarios to convince our readers of our points in past posts about the perils and pitfalls of using unencrypted emails for communications. Email is one of the oldest (some even refer to it as “legacy”) tools in our always-connected, digital world. However, its use between patients and their medical providers and between doctors and their business associates can be fraught with issues that may violate the Health Insurance Portability and Accountability Act (HIPAA) provisions.

The HIPAA privacy rules require covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA security rules do not mandate specific technologies or prohibit others. In fact, HIPAA:

“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

An imperfect understanding of patients’ privacy concerns, lack of proficiency in using computers or access to them, and misguided policies on usage play a part in HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.

HIPAA-compliant email

Medical providers often forget (or might even be unaware of) “reasonable safeguards” that can easily be implemented to prevent emails from leaking information that patients might consider as compromising their privacy. By analyzing real-life examples of how email is used (well, actually misused) in practice, we hope this post can convince you to adopt reasonable safeguards that make email a valuable and efficient part of your workflow while conforming to HIPAA.

How unencrypted emails “leak” PHI, and how to avoid it

How can unencrypted emails “leak” electronic Protected Health Information (ePHI)? Let us count the ways by categorizing and analyzing use cases taken from actual practice in the field.

One-way emails

These are messages sent from one party to another without expecting an email response from the recipient.

  1. A doctor’s office sends an unencrypted email to a patient reminding her of an upcoming appointment with a particular doctor on a specific date. (One variant to this includes adding an opt-out for receiving this type of email. Another includes piggy-backing information about any unpaid balances.)
  2. A medical practice’s answering service sends an unencrypted email to the practice with information about calls from patients, including their names, contact phone numbers, and reasons for the call.
  3. A doctor emails a “thank you” note to a person for referring a new patient, naming the latter.
  4. A dermatologist sends an image of a patient’s rash from his personal cell phone via email to his nurse for inclusion in the patient’s file.
  5. A doctor’s office sends a birthday greeting email to a patient, gently reminding him of the need for an annual checkup.
  6. The only other employee in a single doctor medical practice uses her personal email to send appointment reminders, bills, etc., to patients.

The potential privacy leakage in examples 1 and 5 may seem minimal to most outside observers. However, some patients are sensitive to the disclosure of any information related to them. A third party intercepting such a message in transit could infer that someone is seeing a particular doctor or has an appointment at a specific clinic, and that may be unacceptable to some.

Simple errors can be avoided by formally documenting that the patient has consented to receive emails at a specific email address. To be perfectly safe, the consent should also list the sorts of topics (e.g., appointments, bills, etc.) about which emailing is acceptable.

Of course, using encrypted email would automatically make such situations HIPAA-compliant.

Example 2 involves an email exchange between a covered entity and its business associates. One assumes that the entities have a business associate agreement. There is no reason why such messages should not have been encrypted. In the event of a complaint, the parties would have to defend their decision, which may not be easy unless they can prove they took all reasonable precautions to protect ePHI.

In Example 3, the doctor could have avoided even the hint of a privacy violation by writing the email without including the patient’s name.

In example 4, the doctor had better ensure that the image can be associated with the correct patient without incautiously revealing PHI in the message body. (One assumes the doctor got permission to photograph in the first place.) Using a personal phone and using email without transport-level security may leave the doctor open to the charge of not adequately protecting ePHI. Misplacing or losing inadequately protected personal devices is also a concern.

In example 6, the doctor is entirely dependent on the employee’s personal computer not being hacked, having up-to-date malware protection, etc. Even so, if the employee leaves, so does the ePHI. In case of any complaints, the OCR auditor may well consider this a situation where the doctor should have done a risk assessment and taken appropriate precautions to protect PHI. If the solo practice does not wish to deal with IT, no matter how minimal, it may be safer not to use any email whatsoever and rely on phones, faxes, and postal mail.

Email exchanges

These are a series of emails exchanged between two parties.

  7. A patient emails his doctor about some symptoms and asks for a quick opinion. The doctor responds with some suggestions. The emails are unencrypted.
  8. A mistyped username part of an email address on a commonplace, popular email service leads to an unencrypted email about a missed appointment being sent to the wrong person.
  9. A medical practice emails a new patient asking him to fill out forms before a first visit to expedite the process. The email is unencrypted.
  10. A medical practice and its billing company exchange emails about a patient with the patient’s name, SSN, and date of birth in the Subject line.

Example 7 reveals an interesting point: patients initiating an email exchange can reveal as much PHI as they wish. After all, it is their information, and HIPAA regulations only cover the handling of PHI by covered entities and their partners. The doctor can continue the exchange, but an initial warning about the privacy risks (e.g., interception, forwarding, etc.) of using unencrypted emails and a proposal to change to secure email would be appropriate. In any case, the doctor is responsible for protecting any ePHI once he begins taking part in the email exchange.

Always-on encrypted email can often prevent a misdirected email, as in example 8, from reaching the wrong party: the sender needs a valid certificate for the mistyped address and, lacking one, would be alerted to its absence before sending.

In example 9, it would have been wiser for the practice to get the patient’s consent to use insecure email (at the first visit) before initiating email contact.

Example 10 (like the earlier example 2) involves an email exchange between a covered entity and its business associate. Again, there is no reason why such messages should not have been sent encrypted. However, even with encrypted email, identifying information (not necessarily health-related) in the subject line, which remains unencrypted, could violate state privacy laws (separate from HIPAA) on the use of identifiers.
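As an added example (not code from the original post), here is a Python outbound check modelling the two points above: holding a message for any recipient with no encryption certificate on file, which is what stops a mistyped address (example 8), and flagging identifiers placed in the Subject header, which stays in cleartext even when the body is encrypted (example 10). The addresses, certificate directory and message below are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Constructed directory of recipients whose encryption certificates are on file.
# Values are placeholders; a real client would load X.509 certificates from a
# keystore or directory lookup. All addresses here are made up for the example.
KNOWN_CERTS = {
    "billing@example-billing.test": "<placeholder cert>",
    "jane.doe@example-mail.test": "<placeholder cert>",
}

# Identifiers that must never travel in the Subject header: S/MIME and PGP
# encrypt the body, not the headers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")


def check_outbound(msg: EmailMessage) -> list:
    """Return the reasons the message must be held (empty list means send)."""
    problems = []
    for addr in (a.strip().lower() for a in (msg["To"] or "").split(",")):
        if addr not in KNOWN_CERTS:
            # A mistyped username has no certificate, so the send is blocked
            # instead of going out unencrypted to a stranger.
            problems.append(f"no certificate on file for {addr}")
    subject = msg["Subject"] or ""
    if SSN_RE.search(subject):
        problems.append("Subject contains an SSN-like identifier")
    if DOB_RE.search(subject):
        problems.append("Subject contains a date-of-birth-like identifier")
    return problems


def move_identifiers_to_body(msg: EmailMessage) -> EmailMessage:
    """Swap the cleartext Subject for a neutral one and carry the original
    subject text inside the body, where encryption will cover it."""
    original = msg["Subject"] or ""
    msg.set_content(f"Re: {original}\n\n{msg.get_content()}")
    del msg["Subject"]
    msg["Subject"] = "Secure message from the practice"
    return msg


def build(to: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "office@example-clinic.test"  # constructed sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

Running `check_outbound` on a message addressed to a mistyped `billng@...` with `123-45-6789` in the Subject reports three problems; after `move_identifiers_to_body` only the unknown recipient remains, so the message is still held.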

Mass emails

These are broadcast (i.e., one-to-many) notifications.

  11. A researcher leading a clinical trial emails a notice to all participants about some changes without hiding the recipients’ names.
  12. A doctor emails all his patients with information about his wife’s new non-medical business.

Example 11 of a mass email may be okay if the sender can show that it obtained the consent of those addressed. However, some patients may still have concerns about privacy violations if their participation in the clinical trial was made known to others. This is not an idle concern, as the potential audience is unlimited because emails can readily be forwarded. The use of secure email would prevent parties not directly addressed from accessing the content.

Example 12 might fall foul of a different HIPAA provision that has to do with the marketing of services without patient consent. For those interested in further probing this area, we provide a handy guide for checking your marketing messages for HIPAA compliance.

Shared mailboxes

The sender or receiver’s email address is accessible to multiple parties.

  13. A couple shares a common email address. One partner notices an email from a mental health clinic about an appointment that he was not aware his partner was visiting.
  14. A small medical practice shares a single email address for all communications visible to everyone in the office – the receptionist, the nurse, the doctor.

A particularly tricky case is where the email address is a shared one, as in example 13, where, under certain circumstances, a person may wish to consult a doctor without even family members being aware of it. Of course, while encrypted emails can remove the possibility of third parties reading them in transit, they do not prevent exposure at a shared inbox. An opt-out included in the message doesn’t help in such cases, either. The damage, if any, is done. In this case, the opt-in-for-email process should have prompted the patient to choose an email address with a conscious eye to who else might have access to that mailbox.

Example 14 reveals a serious breach. One of the most straightforward rules for protecting PHI is that it can only be shared on a need-to-know basis. A common email address for a medical provider (size is no excuse) fails this criterion. Even if patients have opted-in to the use of emails, the OCR would consider this a breach because those who do not need to know patients’ PHI have access to it. Furthermore, HIPAA requires unique access controls and access auditing, which are generally not possible using a shared email address. There are many variants of these examples.

The consequences of a complaint or breach

The HHS does not monitor HIPAA-covered entities for HIPAA compliance. Covered entities (including their employees and business associates) are expected to have understood the HIPAA regulations, conducted a risk assessment of all their procedures, and put in place a documented set of policies and processes that show how they protect PHI and ePHI in the course of their work. They are also required to ensure that their employees are properly and periodically trained in aspects of HIPAA compliance.

HIPAA violations are expected to be self-reported by covered entities and their business associates in a timely manner after a potential breach is detected; they can also come to light if a patient or another affected party files a complaint with the US HHS’s Office for Civil Rights (OCR). A breach might not be reported because the covered entity is either completely unaware of any leakage of ePHI or, if made aware, comes to the conclusion after an internal assessment that there is a low probability that the information has been compromised.

Patients are not required to perform any assessment and can go by their sense of whether their privacy might have been compromised. No matter what the path, once reported, the OCR carries out an investigation, which can lead to a compliance audit depending on the severity of the complaint. Such audits can be comprehensive and probe any aspects of the medical practice and need not be confined to just the initial cause. Depending on the audit results, OCR may impose fines and penalties. If additional areas of non-compliance are discovered during the audit, the fines can accumulate.

The HITECH Act provides the specific fines for each type of HIPAA violation, which we show in the following (simplified) table.

| Nature of HIPAA violation | Range of fines per instance | Maximum fine per year |
| --- | --- | --- |
| Covered entity did not know or could not have known that the action was a HIPAA violation | $100-$50,000 | $1,500,000 |
| HIPAA violation had a reasonable cause which was not willful neglect | $1,000-$50,000 | $1,500,000 |
| HIPAA violation was due to willful neglect but corrected | $10,000-$50,000 | $1,500,000 |
| HIPAA violation was due to willful neglect and not corrected | $50,000 | $1,500,000 |

Note that OCR penalties for HIPAA non-compliance get increasingly stiff as the violation progresses from being unaware of the violation to willful neglect without taking mitigating steps. Therefore, it behooves every medical practice to take all possible steps to minimize risk. These include everything from proper employee education on the protection of PHI to yearly risk analyses leading to risk mitigation and, as always, thorough documentation of these steps. Many of the examples described earlier could easily have been addressed, after a risk analysis, with a HIPAA-compliant opt-out or always-on email encryption solution.

Mitigating steps

We hope we’ve shown how subtle ePHI exposure in emails can be, no matter how innocuous the use. A medical provider can never be sure whether a patient’s privacy has been compromised – that depends entirely on the patient. Even if a patient cannot quite prove that a breach occurred or that information in an email could harm him, a complaint can lead the OCR to start an investigation. If audited, the provider’s best precautions are either to show documented proof that the patient voluntarily accepted email, or to show that the provider used an opt-out email security solution in interactions with the patient. Or, ideally, both.

Both are easy to do, and there should be little excuse not to take such a belts-and-suspenders approach to HIPAA compliance for email. The minor inconveniences and expenses associated with taking such steps will be far outweighed by the disruption and potential financial loss caused by any OCR audit arising from a patient’s complaint of a possible HIPAA violation.