The trusted source for
healthcare information and
Is your facility using unprotected e-mails?
Penalties for noncompliance could be steep
A survey by Dallas-based ZixCorp, a global provider of e-messaging management and protection services, indicates that many leading health care organizations are transmitting e-mail messages containing federally protected health information over public networks without using appropriate safeguards.
The study analyzed a sample of 4.4 million e-mail messages sent and received by more than 7,500 health care organizations (health insurance plans, hospitals, and physician practices), representing the inbound and outbound traffic for approximately seven days for each of the audited organizations, to determine what percentage of such messages contained protected health information. It found that, on average, more than 53% of the top 100 U.S. health care chains and health systems, and 35% of the top 60 health care payers, had transmitted via plain text e-mail information that the organizations are required to protect under HIPAA.
Overall, 4.4% of outbound e-mail that was analyzed contained protected health information, with the totals ranging from 1.9% to 11%. The study covered unencrypted e-mail traffic from organizations that had implemented a number of different kinds of solutions, including a variety of technology solutions, a reliance on directives to employees or internal policy-only solutions, and a combination of these measures.
ZixCorp vice president of products and strategy Dan Nutkis tells HIPAA Regulatory Alert that in many health care organizations, patient privacy is being compromised through the use of nonsecure electronic communication. "In some cases," he says, "the health care organization is unaware of the potential impact and/or ramifications it has on the company. In other cases, the organization does know the risk and does not think there is a practical solution that can remedy the situation."
Implications drawn from the findings in the report are that:
• Many organizations still may not recognize that there is a legal requirement to provide appropriate protection for protected health information in e-mails.
• Organizations have implemented a number of different kinds of solutions, including a variety of technology solutions, a reliance on directives to employees or internal policy-only solutions, and a combination of these measures, not all of which may be working as expected.
• While many organizations may have installed various kinds of technology solutions, they may not have established the appropriate accompanying policies requiring that the technologies be used or may not adequately be enforcing their policies, resulting in some avoidable transmission of protected health information.
• Records of unprotected e-mail are created wherever the e-mail is sent, as those e-mails normally reside indefinitely on the recipient’s e-mail server or in their archives. These records can be used as evidence of noncompliance by government regulators or by lawyers in civil suits.
ZixCorp says that if its findings are extrapolated, it would mean that an organization that transmits 100,000 e-mails annually and does not either eliminate the use of e-mails containing protected health information or appropriately safeguard that information is likely to transmit an average of 4,400 e-mails a year that contain unsecured information. That would expose the organization to civil penalties under HIPAA of $440,000 a year. While it is possible that such penalties would be subject to a calendar-year statutory cap of $25,000, ZixCorp says it is not yet clear how the provisions will be enforced, and the cap may not apply.
Also, sending any e-mail that contains protected health information without encryption to or for use by someone not properly authorized under the HIPAA privacy regulations, or for some purpose not authorized by the regulations, could be grounds for criminal charges. Each affected e-mail could support a separate charge, and each charge could support a penalty ranging from $50,000 and one year in prison to $250,000 and 10 years in prison if the transmission was for a commercial activity. "Potential criminal penalties could therefore be astronomical," Nutkis says.
Encrytion is key
One of the key issues, according to the ZixCorp report, is the electronic trail that is created when unprotected e-mails are transmitted. Nutkis tells HRA that in addition to the copy saved on a sender’s e-mail server, every time a message is sent, a copy also is saved on the recipient’s e-mail server and on any relay servers between the sender and receiver.
"These additional copies are out of the sender’s control," he says, "and remain as proof of the sender’s choice not to protect the content of the message. These e-mails could be used by those that control the servers they reside on for any number of purposes, including possible lawsuits or reporting to regulatory agencies."
Since it is highly unlikely that many organizations could succeed in completely eliminating use of e-mail that transmits protected health information, or would want to do so, it appears, according to ZixCorp, that encryption technology is becoming the reasonably prudent standard of care for the transmission of e-mail containing protected information.
The report says that encryption is mandatory under HIPAA unless a health care organization has analyzed its use of e-mail and determined that its practices do not put protected information at risk. The company says such a defense will be difficult or even impossible for any organization that uses e-mail to send protected information regularly.
Nutkis says encryption is the only way to ensure complete confidentiality and privacy of an e-mail message. Some encryption techniques are more effective than others, he adds.
ZixCorp says that while it may be possible to send a few e-mails every now and then in response to specific circumstances without creating much risk, any routine or reasonably high volume of e-mail will create serious risks. The greater the volume of e-mail, the higher the risk and the more evidence that will be available against the organization if there is an enforcement action.
"There is substantial risk some messages will be sent to or received by the wrong individual; read by unauthorized individuals such as the recipient’s employer or co-workers, family, roommate, or friends; or intercepted in transmission by a hacker," the report says. "An organization that knows of this kind of risk is required, under HIPAA and as a matter of ordinary prudence, to take reasonable steps to address it."
In addition to using encryption technology, the report says, organizations need policies that include clear statements that encryption is required for any Internet transmission containing protected health information, and that violations of the policy would be grounds for appropriate sanctions. Training should be provided, as should occasional encryption awareness reminders, which might be included in e-mails and other cost-effective communications.
ZixCorp says that establishment and enforcement of policies and procedures for the use of encryption can help organizations ensure it will be used and shift responsibility and liability to users who choose to disregard such policies if their failure to encrypt causes a violation of HIPAA or individual privacy rights.
"Managers need to determine the types of information that are currently being sent via e-mail that, according to regulations and prudent practices, should be protected," Nutkis advises. "They should then establish a corporate policy to encrypt this information any time it is contained in an e-mail message. One solution is ZixCorp’s ZixCorpVPM, which provides an automated method for both detecting and encrypting protected health information any time it is included in the header, body, or attachment of an e-mail message. Our HIPAA lexicons are designed to detect all types of sensitive information including those required by mandated regulations, standard of care guidelines, and prudent practices. Additional criteria health care organizations should consider include level of security, authentication, ease of implementation, ease of use, and cost/impact to end users.
"From a management perspective, it’s all about risk management, so the question to ask yourself is, Have I done a risk assessment and made a rational decision about how to manage that risk?’"
[More information is available at www.ZixCorp.com, or telephone Dan Nutkis at (888) 771-4049.]