The U.S. Department of Health and Human Services (HHS) reports that since 2009 over 100 major healthcare organizations suffered a data breach where personal health information (PHI) was stolen because emails were not adequately secured or encrypted. When PHI is stored as electronic files it is called ePHI. These data breaches of ePHI are violations under the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996. HIPAA violations are very serious. They may result in fines in the millions of dollars.
Compliance with HIPAA regulations is not just a concern for large healthcare organizations. Even the smallest of dental offices and medical clinics need to be concerned with how they handle ePHI and the steps they need to take to protect themselves and their patients’ sensitive health data.
Penalties for HIPAA Violations
The fines for HIPAA violations vary depending on the severity of the breach and the negligence of the party required to protect the PHI. The range of fines is $100 to $50,000 per incident for each PHI record. The maximum penalty is $1.5 million for each year that the violation occurs.
What is the Highest Fine for the Worst HIPAA Violation?
Anthem holds the dubious distinction of paying the largest fine of $16 million for data breaches that allowed cyber-hackers to steal the ePHI of 79 million people. On top of the fine, Anthem also agreed to pay a $115 million settlement for the damages caused to individuals by the breach.
Shelling out $131 million for these problems was not a happy day at Anthem. No organization wants to be on this list of the highest HIPAA fines for electronic data breaches. It pays to protect ePHI, especially when the ePHI is accessed through online form requests or transmitted via email.
Requirements to Protect ePHI Sent Via Email
Organizations, including dental and general medical offices, are permitted to send ePHI via email only if it is secured and encrypted. Encryption transforms ordinary readable text into ciphertext. This ciphertext cannot be read except by software that has the correct encryption protocol to decrypt the email when it is received.
Encryption only happens when the proper software technology is in place for the entire transmission path of the email, or of the information collected by a web form such as a contact form or patient registration form. The basic transmission path of an email is: the user composes the email on their computer; it goes to the user's email server; it is transmitted across the Internet to the recipient's email server; and finally it is delivered to the recipient's computer.
Under HIPAA rules, emails containing ePHI must be encrypted wherever they are stored as well as during every portion of the transmission over the Internet. Free email offered by services such as Gmail, Outlook, Yahoo Mail, and others transmits email without using encryption. It is a HIPAA violation to use such email services to send ePHI.
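Added example, not from the article: a small Python sender that refuses to hand ePHI to its mail server unless the first leg of the path described above (computer to the sender's own email server) is encrypted. Python's smtplib otherwise keeps talking in cleartext when the server does not advertise STARTTLS, so the check fails closed. The server name and addresses are hypothetical placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage


def tls_context() -> ssl.SSLContext:
    # Verify the server's certificate chain and hostname; refuse anything below TLS 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upgrade_to_tls(smtp) -> bool:
    """Negotiate STARTTLS on an open SMTP session or refuse to continue.

    smtplib itself keeps talking in cleartext when the server advertises no
    STARTTLS, so the caller must inspect the EHLO response and fail closed.
    """
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise RuntimeError("server offers no STARTTLS; refusing to send ePHI in cleartext")
    smtp.starttls(context=tls_context())
    smtp.ehlo()  # re-identify over the now-encrypted channel
    return True


def send_phi_email(host: str, sender: str, recipient: str, subject: str, body: str,
                   port: int = 587) -> None:
    """Send one message, but only after the hop to our own mail server is encrypted.

    This secures only the first leg of the path; the remaining hops depend on the
    receiving servers, which is why the article favours a secure portal instead.
    """
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        upgrade_to_tls(smtp)  # raises before any ePHI leaves the machine
        smtp.send_message(msg)


if __name__ == "__main__":
    # Hypothetical server and addresses (placeholders, not real systems).
    send_phi_email("mail.example-clinic.invalid", "desk@example-clinic.invalid",
                   "patient@example.invalid", "Your appointment", "See the secure portal.")
```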
Warning About Third-Party Emailing Services
Email service providers may offer encrypted email and sign an agreement to encrypt it. However, the responsibility for any violations, and for paying the HIPAA fines, remains with the healthcare provider that is the source of the ePHI.
The liability to protect ePHI under HIPAA rules cannot be contracted away to a third party. Additionally, no disclaimer can remove the responsibility to send emails containing ePHI in a secure way. The healthcare organization that is the source of the ePHI is responsible if the third party fails to protect it. Third-party vendor problems have been the source of many HIPAA violations. Third-party vendors with access to ePHI data must remain HIPAA compliant. It is wise to conduct a regular network security audit to make sure that they are compliant.
Encryption for Websites
The encryption used by most websites is Secure Sockets Layer (SSL), or its successor, Transport Layer Security (TLS). Websites use it for secure transactions; it encrypts the information that is sent back and forth during an interaction with a web user.
SSL is a protocol that ensures that the data passed between a web server and a web browser is kept private. To use this protocol, website owners need to purchase an SSL certificate annually. When a website uses SSL, a small lock icon appears in the web browser when the site is accessed. Most browsers will warn a web user who is attempting to connect to a website that is not secure. This happens either because the website is not using the SSL protocol or because its SSL certificate has expired.
All websites maintained by a healthcare organization of any size should use SSL as standard security. This encryption protects the information collected by any web form, such as a contact form filled out online and transmitted to the web server. Failing to use SSL, or to keep the SSL certificate current, is a HIPAA violation if someone uses the insecure web form to send unencrypted ePHI.
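Added example, not from the article: a Python audit that performs the same verified TLS handshake a browser does against a site's forms endpoint, reports certificates that fail (expired, wrong name, untrusted issuer) and warns before an otherwise valid certificate runs out. It uses only the standard library; the hostnames are supplied on the command line.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def cert_expiry(not_after: str) -> datetime:
    """Parse a certificate's notAfter field, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_remaining(not_after: str, now=None) -> int:
    """Whole days until the certificate expires (negative once it has).

    `now` may be a datetime, a notAfter-style string (handy for fixed reference
    dates), or None for the current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = cert_expiry(now)
    return (cert_expiry(not_after) - now).days


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Complete a verified TLS handshake and return the leaf certificate's notAfter."""
    ctx = ssl.create_default_context()  # checks chain, hostname and validity dates
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit(host: str, warn_days: int = 30) -> str:
    """Classify a live site the way a browser would, plus an early renewal warning."""
    try:
        left = days_remaining(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:
        return f"INVALID: {exc.verify_message}"  # expired, wrong name, untrusted issuer
    except OSError as exc:  # DNS failure, refused connection, handshake failure
        return f"FAILED: {exc}"
    return "EXPIRING SOON" if left < warn_days else "OK"


if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, audit(host))
```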
Patient’s Right to Violate HIPAA Rules for Emails
If a healthcare organization follows all the HIPAA regulations regarding securing and encrypting emails, then a patient has the right to opt-out of the secure-emails system. A patient may request that emails be sent unencrypted to an unsecured account if they choose to do so.
The healthcare provider must do the following before sending any unencrypted emails containing ePHI to an unsecured account:
- Offer the patient the use of the secure-emails system.
- Inform the patient that the use of unencrypted emails is not secure.
- If the patient still agrees to waive their right to protection for the ePHI, the emails can be sent unencrypted. In this case, the healthcare organization is not responsible at all for anything that happens to the information.
Data Storage Requirements
ePHI must always be encrypted when stored anywhere. If an unencrypted copy of the file is kept on any computer or laptop and it is stolen, this creates yet another major HIPAA violation.
Best Practices for HIPAA-Compliant Email Systems
In addition to always making sure that emails are encrypted, whether stored or in transmission, it is important to use robust password security for email accounts. This helps prevent unauthorized individuals from accessing the ePHI.
Make sure the password of each authorized user is at least eight characters long, is not a word found in any dictionary, uses both lowercase and uppercase letters, and contains at least one symbol. Set up the system to require passwords to be changed every 90 days.
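The password policy stated above, implemented as an added Python example (not code from the article). The word list is a constructed stand-in, and the dictionary check strips digits and symbols first, an assumption on my part so that decorated words such as "Patient1!" are still rejected.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a word list; a deployment would load a real dictionary file.
DICTIONARY = {"password", "welcome", "dentist", "clinic", "patient", "letmein"}
MAX_PASSWORD_AGE = timedelta(days=90)  # the article's 90-day rotation requirement


def password_problems(password: str) -> list:
    """Return the policy rules a candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Assumption: drop digits/symbols before the lookup so 'Patient1!' still counts
    # as the dictionary word 'patient'.
    if re.sub(r"[^a-z]", "", password.lower()) in DICTIONARY:
        problems.append("is a dictionary word")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def rotation_due(last_changed: str, today: str) -> bool:
    """True when a password (dates as YYYY-MM-DD) is older than the 90-day limit."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > MAX_PASSWORD_AGE
```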
Here are some common email situations that may cause a problem:
- Eliminate Unsecured Remote Access: Inter-office emails and ePHI that normally stay readable only within a secure system are put at risk when the system is used via remote access.
- Open Communications Between Healthcare Providers: Any email sent by one doctor to another must be encrypted. It is not safe to assume the receiving party has proper encryption in place. It is better to have the recipient sign in to a secure-emails system to retrieve it.
- Prohibit the Use of Personal Emails: One of the most common violations happens when a healthcare provider sends ePHI to his or her personal account or the reverse, exposing the information by removing the encryption. Do not allow any use of personal emails for ePHI under any circumstances.
- Mass Emails: Do not use mass emailing for any ePHI; instead, use a HIPAA-compliant service to send out a large number of personalized emails.
- Reply Emails: The recipient of an email is not responsible for how the sender sent it. If an email received as a reply contains ePHI, inform the sender of the risks of using unencrypted email for ePHI.
- Emails from Patients: If unencrypted emails come from a patient, such as through one of the free services, inform the patient of the risk of using unencrypted emails. Offer them the use of the secure-emails system. Also, have an alternative way to provide ePHI to patients rather than using emails.
Emails are convenient; however, when they contain ePHI sent by a healthcare provider they must be encrypted. Many healthcare organizations use web portal systems, which provide more security than regular email. All of the ePHI data is stored on a protected and encrypted server, and the email sent is only a notification that a message is waiting for the patient on the secure system. This is safer than relying on email to transmit ePHI.