Almost every week, one of our support techs enters an item into our HIPAA breach log recording the receipt of Protected Health Information (PHI) in an unencrypted email. Usually, it is one patient’s name and identifying information in a screen snapshot. The tech informs the customer of the dangers of sending PHI in an unencrypted manner, tells them to inform their Privacy/Security Officer of the breach, and records the information in our log. They delete the email immediately in order not to expose the PHI.
We are constantly amazed that the customer seems unaware that sending PHI to us by email is a potential breach. All of us have something like the following sentence as part of our email signatures.
REMEMBER: Typical email is not secure. Never include sensitive financial, personal, health, or account credential (e.g. password) information in unencrypted email communications!
We are rarely questioned about this.
The recent theft of PHI from Anthem, Inc. brings home just how huge this problem of inadequately protected patient information actually is. Personal data on roughly 80 million insureds was compromised. The attack is believed to be linked to China.
While none of our customers need to worry about being hacked on this scale, many appear not to be worried about improper data release on any scale. Earlier this month, FierceHealthIT indicated that it is incumbent upon provider organizations of all types and sizes to more seriously educate their employees and enforce their policies. Having the policies and procedures without educating employees and enforcing them would likely be considered ‘willful neglect’ by the Office for Civil Rights (OCR), the enforcer of the HIPAA mandates. According to a January 2013 article in the American Bar Association’s Health eSource, “the HIPAA Enforcement Rule defines ‘willful neglect’ as conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 45 C.F.R. § 160.401.”
It is the ‘reckless indifference’ part that worries me. Our customers are very concerned about their patients. They are serious about confidentiality of their data. But they often demonstrate such lack of concern about the security of that data that I fear it would be considered ‘reckless indifference’ by OCR. It makes me feel no better that a similar casual attitude seems to exist in most of the physician offices I visit.
If the things said in this article and those I have quoted make you vaguely uncomfortable, it is likely time to revisit your own policies and how they are enforced. If what I have written here is totally new information to you, you must educate yourself and your staff and get to work protecting your patients’ PHI. If you and your co-workers are excellent at following your policies, please share with us how you came to be so!
Just enter your comments below.