HIPAA Compliance and Emails: A View from the Trenches

August 28th, 2017

We have scoured the internet for real-life examples on the use of emails in medical scenarios, the better to be able to convince our readers of the points we have made in past posts about the perils and pitfalls of using unsecured emails for communications. Email is one of the oldest (some even refer to it as “legacy”) tools in our always-connected, digital world. However, its use between patients and their medical providers and amongst doctors and their business associates can be fraught with issues that may violate the provisions of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA privacy rules require covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA security rules do not mandate specific technologies or prohibit others. In fact, HIPAA

“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

An imperfect understanding of patients’ privacy concerns, lack of proficiency in using computers or access to them, misguided policies on usage – all these play a part in HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.

HIPAA-compliant email

In a previous post, we provided some data on HIPAA-related complaints filed with the US Health and Human Services’ (HHS) Office for Civil Rights (OCR). There were 350 breaches of unprotected health information involving 500 or more individuals reported in the last two years to the HHS and under investigation by OCR. 75 of these had their origin in email, with half that number involving unauthorized access or disclosure.

Medical providers often forget (or might even be unaware of) “reasonable safeguards” that can easily be implemented to prevent emails from leaking information that patients might consider as compromising their privacy. By analyzing some real-life examples of how email is used (well, actually misused) in practice, we hope this post can convince you of reasonable safeguards that can make email a useful and efficient part of your workflow while conforming to HIPAA.

How insecure emails “leak” PHI, and how to avoid it

In what ways can emails “leak” electronic Protected Health Information (ePHI)? Let us count the ways, by categorizing and analyzing use cases taken from actual practice in the field.

One-way emails

These are examples of messages sent from one party to another without any expectation of email responses on the subject.

  1. A doctor’s office sends an unencrypted email to a patient reminding her of a forthcoming appointment with a particular doctor on a certain date. (One variant to this includes adding an opt-out for receiving this type of email. Another includes piggy-backing information about any unpaid balances.)
  2. A medical practice’s answering service sends unencrypted email to the practice with information about calls from patients, including their name, contact phone number and reasons for the call.
  3. A doctor emails a “thank you” note to a person for referring a new patient, naming the latter.
  4. A dermatologist sends an image of a patient’s rash from his personal cell phone via email to his nurse, for inclusion in the patient’s file.
  5. A doctor’s office sends a birthday greeting email to a patient, gently reminding him of the need for an annual checkup.
  6. The only other employee in a single-doctor medical practice uses her personal email to send appointment reminders, bills, etc., to patients.

The potential privacy leakage in examples 1 and 5 may seem minimal to most outside observers. However, some patients are sensitive to the disclosure of any information related to them. The fact that a third party intercepting this message in transit might draw inferences based on information that someone is seeing a particular doctor or has an appointment at a specific clinic may be unacceptable to some.

Simple errors like these can be avoided by formally documenting that the patient has consented to receiving emails at a specific email address. To be perfectly safe, the consent should also list the sorts of topics (e.g., appointments, bills, etc.) about which emailing is acceptable.

Of course, the use of encrypted email would make such situations automatically HIPAA-compliant.

Example 2 involves an email exchange between a covered entity and its business associates. One assumes that the entities have a business associate agreement. There is no reason why such messages should not have been encrypted. In the event of a complaint, the parties would have to defend their decision, which may not be easy unless they can prove they took all reasonable precautions to protect ePHI.

In example 3, the doctor could have avoided even the hint of a privacy violation by writing the email without including the name of the patient.

In example 4, the doctor had better ensure that the image can be associated with the correct patient without incautiously revealing PHI in the message body. (One assumes the doctor got permission to photograph in the first place.) Using a personal phone and sending email without transport-level security may leave the doctor open to the charge of not adequately protecting ePHI. Misplacing or losing inadequately protected personal devices is also a concern.

In example 6, the doctor is completely dependent on the employee’s personal computer not being hacked, having up-to-date malware protection, etc. Even so, should the employee leave, so does the ePHI. In case of any complaints, the OCR auditor may well consider this a situation where the doctor should have done a risk assessment and taken appropriate precautions to protect PHI. If the solo practice does not wish to deal with IT, no matter how minimal, it may be safer to simply not use any email whatsoever and rely on phones, faxes and postal mail.

Email exchanges

These are a series of emails exchanged between two parties.

  7. A patient emails his doctor about some symptoms and asks for a quick opinion. The doctor responds with some suggestions. The emails are unencrypted.
  8. A mistyped username (the part before the @) in an address at a commonplace, popular email service leads to an unencrypted email about a missed appointment being sent to the wrong person.
  9. A medical practice emails a new patient asking him to fill out forms prior to a first visit, to expedite the process. The email is unencrypted.
  10. A medical practice and its billing company exchange emails about a patient using Name/SSN/DOB in the Subject line.

Example 7 reveals an interesting point: patients initiating an email exchange can reveal as much PHI as they wish – after all, it is their information and HIPAA regulations only cover the handling of PHI by covered entities and their partners. The doctor can continue the exchange, but an initial warning about the privacy risks (e.g., interception, forwarding etc.) of using unencrypted emails and a proposal to change to secure email would be appropriate. In any case, the doctor has the responsibility of protecting any ePHI once he begins taking part in the email exchange.

Always-on encrypted email can often prevent misdirected emails, as in example 8, from being sent to the wrong party. The sender needs a valid encryption certificate for every recipient address; a mistyped address would normally have no certificate on file, and the sender would be alerted to its absence before sending.

In example 9, it would have been wiser for the practice to get the patient’s consent to using email (at the first visit) before initiating email contact.

Example 10 (just like the earlier example 2) involves email exchanges between a covered entity and its business associates. Again, there is no reason why such messages should not have been sent encrypted. However, even with secure email, the use of identifying information (not necessarily health-related) in the Subject line, which remains unencrypted, could be a violation of other (i.e., not HIPAA), state-specific privacy laws on the use of identifiers.
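The two safeguards discussed for examples 8 and 10 can be combined into a single pre-send check: refuse to send when any recipient has no encryption certificate on file, and refuse when the Subject line (which stays in the clear even with S/MIME) carries identifiers. The following is an added illustration written for this post, not code from any product; the certificate directory, the sample addresses and the SSN/DOB patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample directory of recipients for whom an S/MIME encryption
# certificate is on file (assumed shape: address -> certificate fingerprint).
KNOWN_CERTS = {
    "billing@example-billing.test": "sha256:PLACEHOLDER-FINGERPRINT-1",
    "jane.patient@example.test": "sha256:PLACEHOLDER-FINGERPRINT-2",
}

# Identifier patterns that must never travel in an unencrypted header.
# Assumed formats: US SSN (nnn-nn-nnnn) and a US-style date of birth.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(
    r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_outbound(recipients, subject, certs=KNOWN_CERTS):
    """Fail-closed gate run before a message leaves the practice.

    Blocks when a recipient has no certificate (a mistyped address, as in
    example 8, normally has none) or when the Subject line carries an
    SSN- or DOB-like value (example 10); the body is not inspected here.
    """
    decision = Decision(allowed=True)
    for addr in recipients:
        if addr.strip().lower() not in certs:
            decision.allowed = False
            decision.reasons.append(f"no encryption certificate on file for {addr}")
    if SSN_RE.search(subject):
        decision.allowed = False
        decision.reasons.append("Subject line contains an SSN-like identifier")
    if DOB_RE.search(subject):
        decision.allowed = False
        decision.reasons.append("Subject line contains a date-of-birth-like value")
    return decision
```

A blocked message should be logged with its reasons and routed back to the sender for correction rather than silently dropped, so the practice has the documented evidence an auditor looks for.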

Mass emails

These are broadcast (i.e., one-to-many) notifications.

  11. A researcher leading a clinical trial emails a notice to all participants about some changes without hiding the names of the recipients.
  12. A doctor emails all his patients with information about his wife’s new non-medical business.

Example 11 of a mass email may be OK if the sender can show that it obtained the consent of those addressed, but there may still be concerns about privacy violation from some patients if their participation in the clinical trial were made known to others. This is not an idle concern, as the potential audience is unlimited because emails can readily be forwarded. The use of secure email would prevent parties not directly addressed from accessing the content.

Example 12 might fall foul of a different HIPAA provision – one that has to do with the marketing of services without patient consent. For those interested in probing this area further, we provide a handy guide on checking your marketing messages for HIPAA compliance.

Shared mailboxes

The sender or receiver email address is accessible to multiple parties.

  13. A couple shares a common email address. One partner notices an email from a mental health clinic about an appointment that he was not aware his partner was visiting.
  14. A small medical practice shares a single email address for all communications, visible to everyone in the office: the receptionist, the nurse, the doctor.

A particularly tricky case is where the email address is a shared one, such as example 13, where, under certain circumstances, a person may wish to consult a doctor without even family members being aware of it. Of course, while encrypted emails can remove the possibility of third parties reading such emails, they do not prevent the problem of exposure at shared addresses. An opt-out included in the message doesn’t help in such cases, either. The damage, if any, is done. In this case, the email address selected during the opt-in-for-email process should have required the patient to make a conscious choice based on who else might have access to that mailbox.

Example 14 reveals a serious breach. One of the simplest rules for protecting PHI is that it must be shared on a need-to-know basis. A common email address for a medical provider (size is no excuse) fails this criterion. Even if patients have opted in to the use of email, the OCR would consider this a breach because those who do not need to know patients’ PHI have access to it. Furthermore, HIPAA requires unique access controls and access auditing, which are generally not possible using a shared email address.

There are many variants of these examples, needless to say. It should also be noted that we are not able to cite any specific complaints to the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) arising from these types of situations because the details of most complaints are not readily visible.

The consequences of a complaint or breach

HIPAA covered entities are not monitored by the HHS for HIPAA compliance. Covered entities (including their employees and business associates) are expected to have understood the HIPAA regulations, conducted a risk assessment of all their procedures and put in place a documented set of policies and processes that show how they protect PHI and ePHI in the course of their work. They are also required to ensure that their employees are properly and periodically trained in aspects of HIPAA compliance.

HIPAA violations are expected to be self-reported by covered entities and their business associates in a timely manner after a potential breach is detected, or can come to light if a patient or another affected party files a complaint with the US HHS’s Office for Civil Rights (OCR). A breach might not be reported because the covered entity is either completely unaware of any leakage of ePHI or, if made aware, presumably comes to the conclusion after an internal assessment that there is a low probability that the information has been compromised.

Patients are not required to perform any assessment, and can go by their personal sense of whether their privacy might have been compromised. No matter what the path, once reported, the OCR carries out an investigation, which can, depending on the severity of the complaint, lead to a compliance audit. Such audits can be comprehensive, and probe any and all aspects of the medical practice; they need not be confined to just the initial cause. Depending on the results of the audit, the OCR may impose fines and penalties. If additional areas of non-compliance are discovered during the audit, the fines can accumulate.

The HITECH Act provides the specific fines for each type of HIPAA violation, which we show in the following (simplified) table.

Nature of HIPAA violation                                                          | Range of fines per instance | Maximum fine per year
-----------------------------------------------------------------------------------|-----------------------------|----------------------
Covered entity did not know or could not have known that the action was a violation | $100 - $50,000              | $1,500,000
Violation had a reasonable cause which was not willful neglect                      | $1,000 - $50,000            | $1,500,000
Violation was due to willful neglect but corrected                                  | $10,000 - $50,000           | $1,500,000
Violation was due to willful neglect and not corrected                              | $50,000                     | $1,500,000

Note that OCR penalties for HIPAA non-compliance get increasingly stiff as the violation progresses up the scale from being unaware of the violation to willful neglect without taking mitigating steps. It behooves every medical practice, therefore, to take all steps possible to minimize risk. These include everything from proper employee education on protection of PHI, to yearly risk analyses leading to risk-mitigation steps, and, as always, thorough documentation of those steps. A HIPAA-compliant opt-out or always-on encrypted email solution is an example of how many of the situations described earlier could easily have been addressed after a risk analysis.

Mitigating steps

We hope we’ve shown how subtle ePHI exposure in emails can be, no matter how innocuous the use. A medical provider can never be sure whether a patient’s privacy has been compromised; that depends entirely on the patient. Even if a patient cannot quite prove that a breach occurred or that information in an email could harm him, a complaint can lead the OCR to start an investigation. If audited, the provider’s best defenses are to show documented proof that the patient voluntarily accepted the use of email, OR that the provider used an opt-out email security solution in interactions with the patient. Or, ideally, both.

Both are easy to do, and there should be little excuse to not take such a belts-and-suspenders approach to HIPAA compliance for email. The minor inconveniences and expenses associated with taking such steps will be far outweighed by the disruption and potential financial loss caused by any OCR audit arising from a patient’s complaint of a possible HIPAA violation.