
How to breach your HIPAA-compliant email in 5 minutes while getting coffee

Who knew that a quick cup of coffee could lead to the report of a HIPAA breach to the Secretary of Health and Human Services … and a bad day, overall.

Here is what happened:

  1. A nurse was writing an email to another nurse, giving medical information about a patient.
  2. The message was all composed and ready to go, but the nurse didn’t hit send yet. She wanted to get a cup of coffee and think a little more about the content.
  3. She got coffee and chatted with her coworkers.
  4. When she sat back down at her laptop, she saw the email up there and just pressed “Send” without thinking.
  5. The message was sent … but it was sent insecurely because the nurse forgot to add the special trigger text to the message subject that would signal that encryption was needed.
  6. Because this message with ePHI went out insecurely (i.e. without encryption) to another medical professional, the delivery of that message breached the HIPAA requirements for the proper transport of ePHI.
  7. Because of this, the message could have been eavesdropped upon or viewed by unauthorized people.
  8. The HIPAA Compliance Officer saw this and decided that it should be reported.

This is a significant problem with most HIPAA-compliant email systems these days. For simplicity, they put the burden of determining which messages need encryption on the sender. If the sender does not actively trigger message encryption, the message goes out insecurely.

It is so easy to make this mistake! Everyone is busy, distracted, and multitasking. Any lapse in attention, like in the example above, can cause a message to be sent in violation of HIPAA requirements. Even simply misunderstanding exactly what counts as ePHI can result in a similar breach.

Switching from Opt-In to Opt-Out Email Encryption

With this in mind, the solution is really quite simple. You have to change how email encryption is selected. Instead of allowing senders to choose which messages need encryption … you force all messages to be encrypted unless the sender explicitly indicates that encryption is not needed. With this simple change:

  1. As messages are sent encrypted by default, mistakes generally result in messages going encrypted instead of being sent insecurely.  There is no breach.
  2. When a message does go insecurely, the sender must have willfully indicated that the message does not contain ePHI. There is a much smaller chance of error here, and with these decisions being logged and tracked, users are directly “on the hook” for what is sent insecurely. They cannot blame a mistake nearly as legitimately as they can with “opt-in” encryption.
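To make the difference between the two policies concrete, here is an added example (written for this page, not LuxSci's product code) of a gateway decision function that implements both modes. The subject-line trigger tokens, the mailbox addresses and the sample message are assumptions chosen for illustration; the point is that the coffee-break mistake (a bare subject with no trigger) fails open under opt-in and fails closed under opt-out, and that every cleartext delivery is logged against the sender who allowed it.

```python
"""Outbound email encryption policy: opt-in vs. opt-out.

Added example, not LuxSci's code.  The trigger tokens, the header values
and the sample message below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage

# Assumed subject-line triggers.  In opt-in mode the sender must add
# ENCRYPT_TAG to request encryption; in opt-out mode the sender must add
# PLAIN_TAG to assert that the message carries no ePHI.
ENCRYPT_TAG = "[SECURE]"
PLAIN_TAG = "[NOPHI]"


@dataclass
class Decision:
    encrypt: bool
    reason: str


@dataclass
class OutboundPolicy:
    """Decides per message whether the gateway must encrypt, and keeps an
    audit trail of every cleartext delivery and who is responsible for it."""
    mode: str                       # "opt-in" or "opt-out"
    audit: list = field(default_factory=list)

    def decide(self, msg: EmailMessage) -> Decision:
        subject = (msg["Subject"] or "").casefold()
        if self.mode == "opt-in":
            if ENCRYPT_TAG.casefold() in subject:
                d = Decision(True, "sender requested encryption")
            else:
                # The forgotten trigger: the message leaves in cleartext.
                d = Decision(False, "no trigger present; default is cleartext")
        elif self.mode == "opt-out":
            if PLAIN_TAG.casefold() in subject:
                d = Decision(False, "sender asserted the message has no ePHI")
            else:
                # The same forgotten trigger now fails closed.
                d = Decision(True, "no opt-out present; default is encrypt")
        else:
            raise ValueError(f"unknown mode {self.mode!r}")

        # Record every cleartext delivery with the sender's identity, so an
        # opt-out is an attributable decision rather than a silent default.
        if not d.encrypt:
            self.audit.append({
                "mode": self.mode,
                "from": msg["From"],
                "to": msg["To"],
                "subject": msg["Subject"],
                "reason": d.reason,
            })
        return d


def build_message(subject: str) -> EmailMessage:
    """Constructed sample: the nurse's note, with the subject as typed."""
    msg = EmailMessage()
    msg["From"] = "nurse.a@clinic.example"      # assumed address
    msg["To"] = "nurse.b@clinic.example"        # assumed address
    msg["Subject"] = subject
    msg.set_content("Patient J. Doe, MRN 00123: lab results attached.")
    return msg


def forgotten_trigger() -> dict:
    """The coffee-break scenario: an ePHI message with a bare subject, run
    through both policies.  Returns {mode: encrypted?}."""
    msg = build_message("Re: patient follow-up")
    return {mode: OutboundPolicy(mode).decide(msg).encrypt
            for mode in ("opt-in", "opt-out")}


def explicit_opt_out() -> tuple:
    """Opt-out mode with the sender asserting no ePHI: the message goes in
    cleartext, but the decision is logged against the sender."""
    policy = OutboundPolicy("opt-out")
    d = policy.decide(build_message("[NOPHI] Lunch order for Friday"))
    return d.encrypt, policy.audit


if __name__ == "__main__":
    print("forgotten trigger:", forgotten_trigger())
    print("explicit opt-out:", explicit_opt_out())
```

The only code difference between the two modes is which branch is the default, yet the outcome of the identical human error flips from a reportable breach to a harmless encrypted delivery. The audit entry is what makes the opt-out policy enforceable: a cleartext send is always traceable to a sender who typed the opt-out tag.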

So — when choosing your HIPAA-compliant email vendor, choose one that does opt-out encryption and stay away from the risks involved with opt-in encryption.

Want it “both ways” — see: The next generation of Opt-in email encryption.

