Breaches of electronic Personal Health Information (ePHI) from email communications amongst HIPAA covered entities, their business associates, and health care consumers reveals a common pattern. Patient records are often emailed unencrypted (see here, here and here), or sent to unintended recipients (examples here and here). Poor email practices might also cause bulk emails (e.g., health newsletters, office closing notices etc.) to be sent without masking the names/emails of the recipients (see here). All of these can be breaches of HIPAA.
Email breaches continuously leak ePHI from healthcare
While not as prominently exposed by the media as hacking incidents, where large numbers of records can be compromised in a single attack, HIPAA violations owing to poor email practices proceed at steady rate. However, the consequences can be as just as problematic for the healthcare provider, despite the smaller number of exposed individuals. The insidious drip-drip-drip leakage of ePHI via improper email usage is often harder to handle and the sort of ePHI exposed can be subtle.
Read the rest of this post »