HIPAA Onsite Custom Compliance Audit
Newsletter, Oct 3, 2014: HIPAA Violations and Unencrypted E-Mail; Beware!
We at SPI are continually asked to help clients in the health care industry address compliance challenges when it comes to PHI and ePHI (protected health information, whether on paper or in electronic form).
We have found in our thirteen years of conducting compliance audits, however, that the simplest safeguards, when overlooked, can cause nightmare consequences when it comes to passing a HIPAA compliance audit. One big hole? Employees in your office sending unencrypted emails containing patient information. Another: sending unencrypted email TO patients. The second is a dilemma that covered entities put to the Department of Health and Human Services directly; the question and the Department's answer are excerpted below.
Covered entities and business associates have sought clarification from the Department of Health and Human Services that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk and the individual still prefers unencrypted email. The following comment and response by the Department of Health and Human Services are excerpted from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Rule published January 25, 2013:
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations
This final rule is needed to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability of 1996 Act (HIPAA) for individuals' health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department's Human Subjects Protections regulations.
Comment: Several individuals specifically commented on the option to provide electronic protected health information via unencrypted email. Covered entities requested clarification that they are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. Some felt that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities. [Editor's Note: Also applies to Business Associates under the Final Rule.]
Response: We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual. [Editor's Note: Also applies to Business Associates under the Final Rule.]
Well, as you can see, you simply cannot be too careful in this area. Note what the response does and does not cover: it permits unencrypted email to the individual, after the individual has been warned of the risk and at the individual's own request. It says nothing that excuses unencrypted PHI moving between your own employees or to other organizations, which is the first hole described above. With any governmental regulatory body the best rule is “forewarned is forearmed.” Be sure your employees are aware of this information!
For more information on HIPAA Compliance Auditing or our new subscription-based service, HIPAAFocus, email us at email@example.com or visit us at www.saturnpartners.com.
The Saturn Partners… Securing Your World Since 2001.