August 22nd, 2017

Opt-out email security: A step towards better HIPAA Privacy Rule compliance

Breaches of electronic Personal Health Information (ePHI) from email communications amongst HIPAA covered entities, their business associates, and health care consumers reveal a common pattern. Patient records are often emailed unencrypted (see here, here and here), or sent to unintended recipients (examples here and here). Poor email practices might also cause bulk emails (e.g., health newsletters, office closing notices etc.) to be sent without masking the names/emails of the recipients (see here). All of these can be breaches of HIPAA.

Email breaches continuously leak ePHI from healthcare

While not as prominently exposed by the media as hacking incidents, where large numbers of records can be compromised in a single attack, HIPAA violations owing to poor email practices proceed at a steady rate. However, the consequences can be just as problematic for the healthcare provider, despite the smaller number of exposed individuals. The insidious drip-drip-drip leakage of ePHI via improper email usage is often harder to handle, and the sort of ePHI exposed can be subtle.

For instance, a bulk email about the new office hours of a cancer clinic sent without masking the names/emails of the recipients can reveal to every receiver the identity of others who are patients there. An appointment reminder sent with the email address mistyped can land in the wrong hands. Or, consider an encrypted email sent with the patient’s name and some other revealing information (e.g., “Jane Doe’s brain MRI”) in the unencrypted Subject line. Even a birthday greeting emailed from a thoughtful provider to a patient can, if intercepted, lead to protected personal health information being inferred.

Even if the potential harm caused by a specific breach is small, the consequences for the covered entity or its business associate are quite onerous if even a single complaint is filed with the US Health and Human Services’ (HHS) Office of Civil Rights (OCR). There were 350 breaches of unprotected health information involving 500 or more individuals reported in the last two years to the HHS. 75 of these had their origin in email, with half of those involving unauthorized access or disclosure. Many, many more smaller breaches occurred, and many of those went unreported.

Breach to audit: The HIPAA Privacy Rule must be obeyed

Complaints can lead to extensive audits of a provider’s HIPAA-compliance program and, depending on the severity of the issues discovered, to substantial penalties and fines[1]. It all depends on how the auditor interprets your attempts to “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information”, as required by the HIPAA Privacy Rule. Ensuring, monitoring and recording HIPAA HITECH/Omnibus compliance, promptly reporting breaches to the OCR[2] and notifying patients of breaches of information affecting them takes time, effort and money. However, the alternative of doing nothing, or doing something haphazard or piecemeal, can disrupt work and seriously affect the bottom line of a small medical practice found non-compliant. (We provided guidance on HIPAA-HITECH compliance for small medical practices in a recent post.)

To trust or not to trust

How much trust should be placed in healthcare workers to always do the right thing?

Consider also the following data:

  • Verizon’s latest data breach report reveals additional information on breaches in the healthcare industry. Of the varied industries surveyed, it found healthcare to be the one most susceptible to “insider misuse”, with employees the principal perpetrators of data breaches. The primary motivation appears to be financial gain (through identity theft), followed by plain curiosity. The major factor allowing such breaches is “privilege misuse”, where data access is not properly secured.
  • Confirming this finding, the 2017 half-year data collected and analyzed by Protenus shows that 41%[3] of the health data breaches were by insiders – either owing to error or wrongdoing – far surpassing those from external hackers.

The Verizon and Protenus findings should be a serious wake-up call for the healthcare industry and all healthcare providers with respect to HIPAA-HITECH and Omnibus regulations. Healthcare workers involved in technology make more mistakes and bad decisions resulting in data breaches than workers in other fields. Technology and HIPAA regulations are not their highest priorities; saving lives probably is. Earlier, we pointed out that even a single breach disclosure often means having to convince the OCR investigator that “all reasonable and appropriate” steps were taken to safeguard ePHI. Insider-related breaches are insidious, and their often small scale makes them hard to detect. In view of the above data, providers will likely be pressed to show the steps they have taken to trust-but-verify their employees’ actions, or to make it hard for incorrect actions to be taken.

Opt in vs Opt out email security

In other words, without creating onerous and unnatural barriers to the information access and flow that are at the heart of the HITECH program, are healthcare employers taking “reasonable and appropriate” steps to ensure that only those employees and individuals with a need-to-know have access to relevant portions of a patient’s ePHI? Are the IT tools that they provide their employees set up to err on the side of caution (e.g., laptops with full disk encryption, role-based access control to patient data, etc.) so that the damage from theft or inappropriate behavior can be effectively lessened? In this situation, the choice of opt-in versus opt-out security for secure email sent by a provider has particular relevance.

Most cases of email-related ePHI breaches are not the work of rogue employees. More often than not, these are inadvertent errors – caused by carelessness under pressure, distraction, or simply forgetting to “turn on” secure email for specific messages. As we pointed out in our earlier post, allowing your employees to decide whether to turn on encryption for each instance of email communication (i.e., opt-in on a case-by-case basis) lays quite a burden on them and leaves employers liable for their mistakes.

Deciding what ePHI is and what it isn’t is not always clear-cut; trying to distinguish between these in the course of a busy office day is just another hurdle that can lower employee productivity. Even with appropriate knowledge, mistakes can and do happen. The probability for an inadvertent breach of ePHI rises with the number of employees and the volume of emails. Recall that a single ePHI breach is reportable and a single complaint can lead to disruptive audits and potentially penalties and fines.

Always-on email security is low-hanging fruit by which such simple causes of ePHI data breaches can be easily patched. All outgoing messages are encrypted. Your employees do not have to take any extra steps to check whether their emails contain possible ePHI. Thus, at least this door leading to HIPAA non-compliance is closed.

Opt-out email security is a variant of always-on email security. The sender, on a case-by-case basis, can decide to remove security. However, this is a decision that is taken consciously by the sender. In such cases, presumably such a sender is either HIPAA-conversant and can “prove” the absence of any ePHI in an unencrypted message if complaints arise, or is a deliberate violator who can be appropriately dealt with.
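The opt-in versus opt-out difference described above comes down to what happens when the sender does nothing. The following is an added illustration, not LuxSci SecureLine code; the `gate` function, the "Secure message" subject placeholder and the bulk-recipient threshold are assumptions made for the example. It also folds in two earlier points from this post: the Subject line is not covered by message encryption, and bulk mail exposes recipients unless they are hidden.

```python
"""Outbound e-mail policy gate: opt-in vs opt-out encryption (illustrative,
not LuxSci code; rule names and thresholds are assumptions)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class Policy(Enum):
    OPT_IN = "opt-in"    # encrypt only when the sender explicitly asks
    OPT_OUT = "opt-out"  # encrypt unless the sender explicitly declines

@dataclass
class Outbound:
    sender: str
    to: List[str]
    cc: List[str]
    subject: str
    encrypt_flag: Optional[bool] = None  # None = sender took no action

@dataclass
class Decision:
    encrypt: bool
    subject_out: str
    audit: str                     # one line for the compliance log
    warnings: List[str] = field(default_factory=list)

def gate(msg: Outbound, policy: Policy, bulk_threshold: int = 5) -> Decision:
    # Under opt-out the sender must act to send in the clear; under opt-in
    # the sender must act to get any encryption at all.
    if policy is Policy.OPT_OUT:
        encrypt = msg.encrypt_flag is not False
    else:
        encrypt = msg.encrypt_flag is True
    if encrypt:
        # The Subject header travels outside the encrypted envelope, so a
        # revealing subject ("Jane Doe's brain MRI") is replaced on the wire.
        subject_out = "Secure message"
        audit = f"{msg.sender}: encrypted ({policy.value})"
    else:
        subject_out = msg.subject
        deliberate = msg.encrypt_flag is False   # attributable choice
        audit = (f"{msg.sender}: sent in clear ({policy.value}, "
                 f"{'explicit opt-out' if deliberate else 'default'})")
    warnings = []
    visible = len(msg.to) + len(msg.cc)   # addresses every recipient sees
    if visible >= bulk_threshold:
        warnings.append(f"{visible} recipients visible in To/Cc; use Bcc")
    return Decision(encrypt, subject_out, audit, warnings)
```

Under opt-out, a message that leaves unencrypted always carries an audit line naming the sender and the explicit choice, which is what makes the "deliberate violator" case attributable.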

Opt Out Email Encryption is Much Less Risky

We at LuxSci have often pointed out the dangers of an opt-in email security policy with respect to HIPAA compliance. LuxSci offers several HIPAA-compliant alternatives in its SecureLine email encryption solution:

  • One version always encrypts by default, but also supports enabling opt-out of encryption on individual messages.
  • For those who insist on some form of opt-in, LuxSci offers an enhancement to the traditional opt-in security. Our solution can be configured to always provide at least message transfer security protecting messages in transit, while allowing users to opt-in to a higher level of protection of individual messages while at rest and adding better recipient authentication and auditing — thus avoiding the automatic HIPAA ePHI breach that a classical opt-in encryption solution facilitates.

With so much potential for disruption and loss owing to HIPAA HITECH/Omnibus non-conformance, LuxSci believes that an opt-out email security option is a healthcare provider’s safest choice. Given the many things that need to be monitored and maintained in a provider’s IT infrastructure, such simple changes can reduce human error and willful misuse from at least one source of security breaches. It leaves you time, attention and money to focus on hardening your systems and procedures against more serious threats.



[1] The HIPAA Omnibus Rule sets the maximum penalty for a single violation at $50,000 and enforcement is planned to be strict and pervasive.

[2] The Omnibus Rule also requires reporting every single breach, except for very special circumstances.

[3] The corresponding full year number for 2016 was 43%. So, if anything, this trend is steady or growing.
