ARTICLE
11 March 2026

Back To Basics: Adequate Protections For Protected Health Information In Email Systems

BakerHostetler

Contributor

Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com

Unnecessary and legacy protected health information (PHI) in email systems continues to plague Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates facing otherwise minor business email compromise events. Due to enhanced security technologies and effective incident response policies, fast-acting and diligent IT staff can often contain email incidents within hours or even minutes of an initial attack, limiting the number of accounts involved in an incident and sometimes preventing mailbox synchronization.

However, even when small numbers of emails are compromised, organizations often identify voluminous email attachments containing vast amounts of PHI. Sometimes, a mere handful of compromised emails can contain PHI for tens or hundreds of thousands of individuals. For organizations without an email archiving system, affected PHI may be attached to legacy emails no longer relevant to any operational or healthcare need that could have been archived years prior. These situations quickly transform a small incident into a major notification event, leading to larger class action suits and heightened regulatory scrutiny.

Although HIPAA does not prohibit using email to exchange PHI, the Department of Health and Human Services Office for Civil Rights has long required policies and procedures that guard against unauthorized access to PHI in email and adequate security protections for PHI stored in email systems. Yet healthcare organizations continue to underestimate the volume of PHI in their email systems and overestimate the security of those systems.

While complete elimination of PHI from email may be the most effective method of protecting PHI and limiting exposure, many healthcare organizations rely heavily on email for administrative and operational functions. For example, certain workflows related to scheduling, billing and discharge planning are well suited for email communication and may rely on large spreadsheets with numerous patient entries.

To significantly reduce exposure and enhance compliance, HIPAA-covered entities and business associates can implement straightforward and cost-effective security measures for email protection. These measures include archiving old emails and using secure email or encryption for any PHI shared by email, especially internal emails – which are frequently not subject to an organization's encryption or security requirements but typically contain the greatest volume of PHI. In addition, email filters can be implemented to detect PHI and alert users before an unsecured email is sent. These safeguards should apply to all patient information exchanged by email, regardless of volume or sensitivity, given the broad definition of PHI under HIPAA.
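As an added illustration, not code from the article or from any DLP product, the Python sketch below shows two of the controls just described: an outbound filter that flags PHI indicators in message bodies and attachments (scoring attachments by rows, since one spreadsheet row is usually one individual) and that deliberately treats internal recipients the same as external ones, and a retention check that lists legacy messages still carrying PHI attachments past an assumed archiving window. The regexes, the thresholds, the `example-health.test` domain and every sample message are constructed assumptions; a real deployment would use a DLP engine's HIPAA classifiers and parse actual spreadsheet and PDF attachments.

```python
"""Toy outbound-mail PHI filter plus a legacy-mail archiving check.

Illustration added to this article; it is not code from BakerHostetler,
Mondaq, or any DLP product. Patterns, thresholds, the domain name and the
sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed indicator patterns. A production DLP engine ships far broader
# HIPAA sensitive-information types; three regexes show the mechanics.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
BULK_ROW_THRESHOLD = 50                  # assumed: PHI rows that make a send "bulk"
ARCHIVE_AFTER = timedelta(days=2 * 365)  # assumed retention window for live mailboxes
INTERNAL_DOMAIN = "example-health.test"  # assumed organisation domain


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict        # filename -> extracted text (real code would parse xlsx/pdf)
    sent: datetime
    encrypted: bool = False  # True when routed through the secure-mail / encryption gateway


def scan_text(text):
    """Count PHI indicator hits per pattern in a piece of text."""
    hits = {}
    for name, rx in PHI_PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_message(msg):
    """Scan body and attachments; attachments are scored as rows containing PHI."""
    findings = {"body": scan_text(msg.body), "attachments": {}}
    for name, content in msg.attachments.items():
        rows = sum(1 for line in content.splitlines() if scan_text(line))
        if rows:
            findings["attachments"][name] = rows
    return findings


def is_internal(msg):
    return all(r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def decide(msg):
    """Return (action, reason) for an outbound message: allow, warn or block.
    Internal recipients get no exemption: internal mail carries the most PHI."""
    f = scan_message(msg)
    rows = sum(f["attachments"].values())
    if not f["body"] and rows == 0:
        return "allow", "no PHI indicators found"
    if msg.encrypted:
        return "allow", "PHI present but message goes through the encryption gateway"
    if rows >= BULK_ROW_THRESHOLD:
        return "block", f"unencrypted bulk PHI: {rows} attachment rows with PHI"
    scope = "internal" if is_internal(msg) else "external"
    return "warn", f"unencrypted {scope} email contains PHI; send via secure mail"


def archive_candidates(messages, now):
    """Legacy messages still holding PHI attachments past the retention window."""
    return [m for m in messages
            if now - m.sent > ARCHIVE_AFTER and scan_message(m)["attachments"]]


# Constructed sample mailbox; all identifiers are synthetic.
NOW = datetime(2026, 3, 11, tzinfo=timezone.utc)
DISCHARGE_ROWS = "\n".join(f"Patient {i}, MRN: {1234560 + i}, Room {100 + i}" for i in range(3))
BILLING_ROWS = "\n".join(f"Claim {i},{100 + i:03d}-45-{6000 + i:04d},Paid" for i in range(60))
SAMPLES = {
    "internal_discharge": Message("care@example-health.test", ["case-mgmt@example-health.test"],
                                  "Today's discharges", "See attached.",
                                  {"discharges.csv": DISCHARGE_ROWS}, NOW - timedelta(days=1)),
    "bulk_billing": Message("billing@example-health.test", ["vendor@clearinghouse.test"],
                            "March claims", "Claims file attached.",
                            {"claims.csv": BILLING_ROWS}, NOW - timedelta(days=1)),
    "bulk_billing_encrypted": Message("billing@example-health.test", ["vendor@clearinghouse.test"],
                                      "March claims", "Claims file attached.",
                                      {"claims.csv": BILLING_ROWS}, NOW - timedelta(days=1),
                                      encrypted=True),
    "benign": Message("it@example-health.test", ["all@example-health.test"],
                      "Maintenance window", "Mail will be down 02:00-03:00 Sunday.",
                      {}, NOW - timedelta(days=1)),
    "legacy_discharge": Message("care@example-health.test", ["case-mgmt@example-health.test"],
                                "Q1 2023 discharge list", "Archive copy.",
                                {"q1-2023.csv": DISCHARGE_ROWS}, NOW - timedelta(days=1100)),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:24} -> {decide(msg)}")
    print("archive:", [m.subject for m in archive_candidates(SAMPLES.values(), NOW)])
```

The three-row internal discharge list is warned on rather than allowed, the 60-row billing file is blocked unless it goes through the encryption gateway, and the 2023 discharge list that was never archived is the one item the retention check surfaces; that last case is exactly the legacy attachment that turns a one-mailbox compromise into a large notification event.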

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

