By Melanie Pita
For The Record
Vol. 28 No. 7 P. 24
Carelessly sending PHI via e-mail can carry serious consequences.
The handling and sharing of medical records is a critical and sensitive issue, one that affects millions of providers, patients, and payers every day. E-mailing patient records has become commonplace, but what's often overlooked is that failing to encrypt protected health information (PHI) is directly at odds with HIPAA requirements, subjecting the covered entity to substantial risk.
Although unlikely, there is an opportunity for PHI sent in the body of, or attached to, an unencrypted e-mail to be intercepted and used by parties other than the intended recipient. Exchanging records by e-mail can mean exposing patients' personal information and entire medical histories to a nefarious world of hackers seeking to exploit such data. Consequently, the possibility of such data breaches occurring can keep many a compliance officer awake at night.
Keais Records Retrieval, a third-party vendor, gathers patient records from health care providers with the patient's permission. The company works with insurance carriers/adjusters and law firms to gather medical, business, and other record types to help evaluate insurance claims and lawsuits.
Keais works with more than 95,000 medical record custodians nationwide each month to request patient records. Thousands of patient medical records, billing histories, diagnostic images, and other related information are mailed, faxed, or e-mailed to its office each day. E-mail is a popular option because it is widely available, easy to use, and has a "send it and forget it" appeal. Part of my responsibility as Keais' general counsel and chief compliance officer is to ensure that our employees undergo mandatory annual HIPAA training and are frequently reminded to never e-mail patient records or other correspondence containing PHI outside our encrypted environment. Keais' hard stance on security has rubbed off on employees, who often point out that the record custodians from whom we obtain PHI may be taking a risk by e-mailing such information.
In the past decade, the reliance on e-mail has grown significantly from both a business and personal perspective. It's more convenient than ever, with nearly 70% of American adults owning a smartphone, according to the Pew Research Center. E-mail has become such a normal part of our daily routine that we tend to forget it's not always secure. This is a particularly important concern when health care and HIPAA are introduced into the mix.
Protecting Patient Information
As the health care industry ploughs ahead with impressive plans for data exchange, cyber security remains a main topic of conversation. When it comes to patient privacy, there is no such thing as being too careful. Although disclosure of PHI is at times necessary, the information is often shared via unsecured methods that risk the patient's personal privacy. This is a notable problem when PHI is sent via e-mail between staff and associated vendors.
Medical records staff and physicians must think long and hard before hitting "send" any time they prepare an e-mail containing a patient's medical information. The problem lies in the data encryption, or lack thereof. Medical records transmitted via e-mail are generally unencrypted. This is the case not only in transit but also when the patient records sit on the e-mail provider's servers. Thus, sensitive medical information, Social Security numbers, and other data attractive to hackers lie vulnerable at all times.
Medical information is extremely valuable to hackers, who, according to The Ponemon Institute, increased their cyber attacks on US health care organizations by 20% between 2009 and 2013. This increase stems from weak institutional security coupled with the profitability of health records.
Unlike with credit cards, where fraudulent use can be detected quickly, it can take months or years before patients and providers discover the theft of medical information. On the black market, health information is 10 to 20 times more valuable than a credit card number—and that figure continues to rise. In fact, according to research from consultancy and tax firm EY, the black market value of a medical record went up from $50 in 2014 to $700 in 2015.
Insurance policy numbers, diagnosis codes, and billing details enjoy a long shelf life in the eyes of cyber thieves. Should such information fall into the wrong hands, there's no predicting the extent and impact of the consequences.
Under HIPAA, health care providers are responsible for ensuring the privacy and security of their patient records. According to Health and Human Services (HHS), HIPAA's security rule does not forbid the use of e-mail for sending electronic PHI (e-PHI). However, it does require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. E-mail must be encrypted to be compliant with HIPAA guidelines.
The Office for Civil Rights interprets the security rule to apply to e-mail communications.
According to HHS, "The Security Rule does not expressly prohibit the use of e-mail for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
"The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected."
Right now, it appears the industry is waging a losing battle against cyber criminals. IT security firm Redspin reported that HIPAA data breaches climbed 138% between 2009 and 2012, resulting in a grand total of 29.3 million patient records being compromised. What's more, these numbers reflect only the breaches actually reported by HIPAA-covered entities.
Unencrypted e-mails residing on servers or hacked in transit can lead to medical record breaches that place hospitals and other provider organizations at risk for HIPAA fines of up to $50,000 for an initial offense. That's a small price to pay, however, compared with the bad publicity and loss of patient confidence and community goodwill such incidents tend to bring.
Install an Action Plan
It's highly recommended and well worth the time and effort to hold yearly HIPAA training sessions with staff. Key items about e-mail policies and procedures to discuss and reinforce throughout the year include the following:
• Prohibit the use of patient names in internal or external e-mails. Use an alternate method of patient identification, plus don't include identifying information such as patient birth dates or personal medical information in any e-mails. If, for some reason, the patient name is necessary, place it in the body of the e-mail (not the subject line) and make sure the e-mail is encrypted.
• Reduce the opportunity for PHI to get into the wrong hands by prohibiting the use of distribution lists when sharing PHI with multiple recipients. PHI is to be distributed only to those with a legitimate "need to know." Under this criterion, distribution lists for informational purposes do not qualify.
• If replying to an e-mail that contains PHI in the subject line or PHI other than the medical record number, account number, or date of service in the body, require that the PHI be deleted before a reply is sent.
• If necessary, place signage throughout the facility or send periodic e-mail reminders to staff. By putting the information out front, compliance is more likely. A reminder e-mail may include the following: "Please keep in mind that communications via e-mail are not secure. Although it is unlikely, there is a possibility that information you include in an e-mail can be intercepted and read by other parties besides the person to whom it is addressed."
• Suggest staff protect patient privacy as if it were their own. Advise staff that when composing or replying to e-mail, it's important to ask, "Is there a risk for the unintended disclosure of PHI?"
Tools to Help Protect PHI
When it comes to securing e-mail, health care organizations have several options at their disposal, including the following:
• Consider signing up for a secure, HIPAA-compliant e-mail application. If you must use e-mail to communicate PHI to third parties, a secure e-mail application will protect communications by using secure channels to send those e-mails.
• Use a HIPAA-compliant patient portal. The next time a third party requests patient records, ask whether the information can be sent via a HIPAA-compliant portal. There are several advantages to this method, including that it's as quick and easy to use as traditional e-mail; the recipient has immediate access to medical records; there are no postage fees, copies to make, or CDs to burn (reducing time and costs); and it's well suited to handle large-volume requests.
• Manually encrypt transmitted files. If both a patient portal and a secure, HIPAA-compliant e-mail application aren't an option, encryption and avoiding mention of PHI in the e-mail text are musts. While this option is both time consuming and vulnerable to human error, it's much better than doing nothing at all to protect patient files.
Even with encrypted e-mail as an option, the best solution is a HIPAA-certified portal, which offers the encryption necessary to ensure patient privacy while providing a streamlined and efficient means to exchange PHI. Plus, it's affordable.
An Industry Staple
It doesn't appear the use of e-mail in the health care industry will be abating anytime soon. It's a fantastic communication mode, but like any tool, it must be respected for its power and potential to disclose private, sensitive information. Granted, e-mail use in health care requires more effort and safeguards than in other professions, but encryption, secure applications, and patient portals make it possible to conveniently share patient data with the appropriate parties while minimizing risk.
— Melanie Pita is general counsel and chief compliance officer for Keais Records Service, where she also leads product development and strategy. Prior to joining Keais, she spent more than a decade working as a medical malpractice defense attorney.