
HIPAAlive & Kicking

Here we highlight significant HIPAA issues "kicked around" by our HIPAAlive subscribers. HIPAAlive is a very busy two-way discussion listserve with more than 5,000 professionals exchanging ideas and answering each other's questions on HIPAA.



PHI via Email & the Security Rule

A recent question posted to our HIPAAlive list generated a spirited discussion regarding the transmission of protected health information (PHI) via email in the course of healthcare operations. The question that kicked off the debate came from an IT Manager in Missouri: "I'm hoping to find some suggestions on how PHI via email is currently being handled by other covered entities. Our organization is considering using only patient account numbers (not a SS number) in email correspondence. No other patient identifying information would be used. Would this satisfy the [Security] rule?"


No Simple Answer

Unfortunately, this type of question cannot be answered with a simple "yes" or "no." The real answer is that an organization must first understand the components that make up PHI (or patient identifying information); it must then assess the risk or likelihood that email containing PHI could be intercepted; and finally it must use the results of that assessment to address the requirements of the HIPAA Security regulations. HIPAAlive list members indicated that, based on a variety of factors, they chose one of the following three options: a) allow the inclusion of PHI in business email transmissions, while employing security measures of varying degrees; b) allow general email, but not for transmission of PHI; or c) ban the use of email altogether.


PHI & HIPAA

Both the HIPAA Privacy and Security Regulations (as well as some state legislation) address the confidentiality and protection of medical records and other personal health information. Under the Security standards, covered entities must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information (ePHI).

PHI includes any piece of information that could be used alone, or in combination with other data, to determine the identity of a patient. This type of information includes obvious data such as name, address, social security or telephone number, as well as less obvious data such as an account number, an e-mail address, or even zip code.


Risk Assessment

Specific requirements for a full organizational risk assessment are outlined in the Security Regulations. On a smaller scale, the organization must examine the risks and benefits of email, before making any decision regarding the inclusion of PHI. The most common risk is that the contents of a confidential email message might be intercepted by an outside party or accessed by an unauthorized recipient. This includes email exchanged by or between covered entities, as well as email to or from a patient. One member summarized as follows: "This all depends on your risk assessment and the level of risk you wish to accept as an entity. While the likelihood of email being intercepted in transit is minimal, it does exist. The email could also be read by a spouse or family member with access to the patient's email account." A Hospital Health Information Compliance Coordinator & Privacy Officer added: "Of even more concern are retransmission to another entity altogether (ad infinitum) and printing out hard copies. The clincher for me...is that once received, the email is now locked into another PC or server forever, and maybe more than one. Bottom line is that once transmitted, the sender has absolutely no control."

The Chief Privacy Officer for a large health system advised, "...(T)he level of utilization of email with ePHI, and/or the volume of ePHI in each email, would be part of the consideration when determining if the risk is significant. For example, emailing a large file with many patients to an ambulance billing service carries more risk than emailing one patient's cholesterol results on a one-time basis because he is out of town."

Based on the results of the risk assessment, the organization can determine the appropriate level of security, and the findings can be documented to ensure compliance with the HIPAA Security Regulations. "Some entities are using secure email appliances, others are choosing to do nothing and accept the risk and document the steps taken to make that decision. The [Security] Rule gives you the discretion."


Required vs. Addressable

Specifically, the Security Rule contains both "required" and "addressable" standards - and encryption of information transmitted via email is an "addressable" requirement. Lorraine Doo of the Department of Health and Human Services clarified: "It may be helpful to re-read the preamble on the subject of the standards and the required and addressable implementation specifications (page 8336 of the final rule)."

In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:

  1. implement one or more of the addressable implementation specifications;
  2. implement one or more alternative security measures;
  3. implement a combination of both; or
  4. not implement either an addressable implementation specification or an alternative security measure. (In this scenario, the covered entity must document the decision not to implement the addressable specification, and the rationale behind that decision. In other words, if you take no action, you must justify your decision.)

The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as the entity's risk analysis, risk mitigation strategy, the security measures already in place, and the cost of implementation.

Many respondents cautioned against applying the reasonable and appropriate criteria too loosely. The decision to take no action should not be made lightly. For example, one HIPAA consultant noted: "Surely the Security Rule was not written such that you could, for example, identify being hacked as a risk, price out a firewall, decide not to buy one, and document that in your opinion it was not reasonable or appropriate. I think the intent was that if you do find yourself in a situation where the expense, logistics or other implementation aspects prove to be too much, you make some other change to address the requirement. In the case of using email for PHI, such a change could be deciding not to use email for PHI." A HIPAA Compliance Program Manager added: "...it becomes 'reasonable' to implement a solution since many and other alternative solutions exist (e.g., SSL, encryption via gateway, encrypted zip files, etc.)."

One suggested starting point: "The question CEs [covered entities] should ask themselves is what are other CEs doing that are my size and that are in my line of business? These types of questions, in conjunction with the risk analysis results, will help a CE determine what is reasonable and appropriate."


Benefit vs. Risk

One additional consideration, outside of the anticipated risk, is the expected benefit that may result from the use of email. Respondents acknowledged a definite trade-off between patient care and privacy. A Privacy Officer explained: "On the subject of sending PHI via email, the one principle I rarely hear expressed is the balance between benefit to patient care and risk. As a privacy officer, I frequently need to balance the need for information in order to provide timely and high quality care with the risk to the patient's privacy. When one physician emails PHI to another, there is a risk of interception but it is low. The benefit, however, resulting from the exchange of information that may be critical to the patient's care can be significant."

Even with policies in place to restrict the use and disclosure of PHI, some organizations find that patient care invariably comes first. The Director of Information Technology Security for a large health system warned: "A policy is simply a guideline to many people and although you might share it, explain it and teach it, the first time a patient's care and health comes between your policy and the patient, your policy will lose."


Options

Of those organizations intending to utilize email for PHI, the majority have implemented or will implement security measures to protect the data. The most popular option was secure email, or encryption. A Senior Security Analyst pointed out that secure email vendors offer a variety of products and services scalable to an organization's size and budget.

A Compliance Coordinator characterized their system as follows: "We purchased a secure email system... It's separate from our Microsoft Outlook email system, but has a utility where you can add a 'send secure' button onto your Outlook toolbar which automatically sends the email through the secure system. Email recipients then authenticate to the [secure] server to pick up their email."

The only potential problems mentioned were that the recipient had to have internet access, and some recipients were unhappy with the added responsibility. For example, one respondent said: "We've implemented a secure email system (which our customers aren't entirely happy about) and we monitor a sample of all outbound emails from the non-secure system to be sure staff is not using that system to send PHI."
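The monitoring described by that last respondent, checking outbound mail on the non-secure system for PHI, is the kind of control a risk assessment can justify when the decision is "email is allowed, but PHI must go through the secure channel." The following is an added illustration written for this column, not code from any list member or vendor: a small screener that scans constructed sample messages for the identifier types named above (social security number, telephone number, account or medical record number, email address, zip code) and reports which messages should have gone through the secure system. The patterns, the organization domain `example-health.org`, and the three sample messages are all assumptions made for the illustration; free-text patient names are deliberately not matched, because a regular expression cannot do that reliably.

```python
import re
from email import message_from_string
from email.message import Message

# Identifier patterns for the PHI elements the column names. These are
# illustrative assumptions, not a vendor rule set; real deployments tune
# them against their own record formats.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    # "Acct #: 00482913", "MRN 00482913", "account number 00482913"
    "account_number": re.compile(
        r"\b(?:account|acct|mrn)\s*(?:no\.?|#|number)?\s*:?\s*(\d{6,})\b",
        re.IGNORECASE,
    ),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Identifiers that by themselves mean the message belongs on the secure
# system; the others are reported for the sampling reviewer to judge.
HIGH_RISK = {"ssn", "account_number"}

# Hypothetical organization domain: addresses under it belong to staff,
# not patients, so they are not counted as patient identifiers.
INTERNAL_DOMAIN = "example-health.org"


def extract_text(msg: Message) -> str:
    """Return the text/plain content of a parsed message (all parts)."""
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if not p.is_multipart()
    ]
    texts = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def screen_message(raw: str) -> dict:
    """Scan subject and body for identifier patterns; headers are not
    scanned because the recipient's own address is not patient data."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + extract_text(msg)
    findings = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = []
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            if name == "email_address" and value.lower().endswith("@" + INTERNAL_DOMAIN):
                continue  # staff address, not a patient identifier
            hits.append(value)
        if hits:
            findings[name] = hits
    return {
        "to": msg.get("To", ""),
        "subject": msg.get("Subject", ""),
        "findings": findings,
        # True when the message should have gone through the secure system
        "route_secure": any(name in HIGH_RISK for name in findings),
    }


def screen_outbound(raw_messages) -> list:
    """Screen a batch of raw RFC 822 messages sampled from the outbound queue."""
    return [screen_message(raw) for raw in raw_messages]


# Constructed sample messages (not real mail, not real patients).
SAMPLE_OUTBOUND = [
    # A bulk billing export to an outside vendor: the high-risk case the
    # Chief Privacy Officer described.
    "From: billing@example-health.org\nTo: claims@ambulance-billing.example\n"
    "Subject: March transport claims\n\n"
    "Patient: J. Doe, Acct #: 00482913, SSN 123-45-6789, DOB 1961-04-02, 63110\n"
    "Patient: R. Roe, Acct #: 00517720, 63104\n",
    # One patient's result sent physician to physician: low risk, but the
    # callback number still gets reported for the reviewer.
    "From: dr.lee@example-health.org\nTo: dr.patel@partner-clinic.example\n"
    "Subject: Cholesterol result for our mutual patient\n\n"
    "LDL 130, HDL 48. Please call me at (314) 555-0143 to discuss.\n",
    # Routine staff notice with no PHI; the internal address is ignored.
    "From: hr@example-health.org\nTo: staff@example-health.org\n"
    "Subject: Parking lot closure Friday\n\n"
    "The north lot is closed for resurfacing. Contact facilities@example-health.org with questions.\n",
]

if __name__ == "__main__":
    for result in screen_outbound(SAMPLE_OUTBOUND):
        flag = "ROUTE TO SECURE SYSTEM" if result["route_secure"] else "ok"
        print(f"{result['subject']!r}: {flag} {result['findings']}")
```

Pattern matching of this kind only catches what it is written to catch, which is exactly why the respondent monitors a sample of outbound mail by hand rather than relying on the tool alone: the second sample message carries health information about an identifiable patient even though no high-risk pattern fires. The documented decision about what the screener does and does not catch is part of the risk-assessment record the Security Rule asks for.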


Conclusion

Regardless of the specific decisions made by an organization regarding email, first priority should be given to the protection of all PHI, whether hard or soft copy. The Chief Privacy Officer for a large health system stressed: "The best reason to implement security measures is not HIPAA, but rather to protect your patients and your business by managing your risks."




HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2004. All rights reserved.
