Does forwarding work emails to personal accounts violate HIPAA?
Kirsten Peremore
June 17, 2025

One notable cause of protected health information (PHI) breaches is employees taking PHI home or forwarding it to personal accounts or devices, which accounted for 6.5% of reported incidents. The results section of ‘Evaluation of Causes of Protected Health Information Breaches’, the JAMA Network study that produced that statistic, also noted, “Overall, 603 PHI breaches (53.0%) were internal, attributable to the health care entities’ own mistakes or neglect.”
The HIPAA Privacy and Security Rules require that PHI be protected at all times, including during transmission and storage. A personal email account sits outside the covered entity’s control: the organization has no business associate agreement (BAA) with the provider, cannot enforce its own access controls, multi-factor authentication, or retention settings, cannot audit who read a message, and cannot revoke access when the employee leaves. Whatever encryption the consumer service applies in transit does not change this, because the protections HIPAA expects are organizational and contractual as much as technical. The missing safeguards increase the risk of unauthorized access, interception, or disclosure of PHI, and breaches often occur when employees use unapproved methods to transmit or store PHI, including forwarding emails to personal accounts.
These actions bypass the organizational protections designed to safeguard sensitive health information, so they are inherently risky and will almost always be treated as violations unless the personal account has been explicitly secured and authorized by the covered entity, which is rare in practice.
When is forwarding emails a HIPAA violation?
Forwarding emails becomes a HIPAA violation when the action results in the unauthorized disclosure of PHI or when the transmission does not comply with the security and privacy requirements mandated by HIPAA. Employee mistakes, like sending PHI to the wrong recipient, using unencrypted email, or forwarding information to personal accounts, are common causes of breaches. The same study reports, “Among the 232 breaches (20.4%) that occurred during PHI communication, 152 (65.5%) were mailing mistakes and 80 (34.5%) were emailing mistakes.”
HIPAA requires that PHI only be shared with authorized individuals and that the minimum necessary information be disclosed. If an employee forwards an email containing PHI to an unauthorized recipient, including their own personal, unsecured email account, this constitutes a violation. If the email is sent without encryption or other required safeguards, the risk of interception and unauthorized access increases, further violating HIPAA’s Security Rule.
Even accidental disclosures like forwarding emails to the wrong address are presumed to be reportable breaches under HIPAA’s Breach Notification Rule, unless the covered entity documents a risk assessment showing a low probability that the PHI was compromised. Any forwarding of emails that circumvents organizational controls, lacks proper encryption, or results in PHI being accessible to unauthorized persons is a HIPAA violation.
An example of violations due to forwarding emails to personal accounts
A well-documented case of a HIPAA violation stemming from staff forwarding emails to a personal account is the Multnomah County Health Department breach in Oregon. In this incident, an employee in the Health Department set up an automatic email forwarding rule on their work account, so that all incoming correspondence was copied to their personal Google email account for approximately three months.
The action was a direct violation of HIPAA: the personal email account was outside the control and security infrastructure of the county health department, and therefore lacked the safeguards required to protect sensitive patient information.
The breach was discovered during a routine audit conducted on November 22, 2016. Upon investigation, it was found that the ePHI of 1,700 patients had been exposed. The types of information included in the forwarded emails were first and last names, ages, medical record numbers, medical diagnoses, dates of service, medication names, and prescription numbers.
While the investigation did not uncover evidence that any of the forwarded emails had been accessed or read by unauthorized individuals, the risk of inappropriate access could not be completely ruled out. Importantly, the emails did not contain Social Security numbers, home addresses, or phone numbers, which somewhat limited the potential for identity theft but did not eliminate the seriousness of the breach.
After the breach was identified, Multnomah County took immediate steps to mitigate the risk and prevent future incidents. The employee’s personal email account was deleted, ensuring that none of the forwarded emails could be accessed.
The reason staff prefer their personal accounts
Staff often forward work emails to their personal accounts for reasons rooted in convenience. Sometimes, technical restrictions on work devices, such as limited access to certain files or applications, motivate staff to bypass official channels by using personal accounts in order to stay productive or avoid missing important communications. A study published in the international journal Knowledge Management & E-Learning (KM&EL), conducted in Turkey, noted, “Employees can feel more comfortable when they access to enterprise network from anywhere, any time without any extra device or connection…Employees may not stay all day in the office and if they leave the office early, they may continue to work at any place which they feel themselves comfortable.” Once sensitive information leaves the organization’s IT infrastructure, it becomes difficult, if not impossible, to monitor or control.
The role of organizational policies
The responsibility of healthcare organizations extends beyond simply establishing policies; it involves building a framework of technical, administrative, and educational controls that prevent risky behaviors. Organizations should adopt clear policies that explicitly forbid forwarding PHI to personal or unsecured email accounts without organizational authorization or explicit patient consent, since forwarding without consent is both an ethical and a legal breach.
Beyond policy, organizations must deploy technical safeguards. The Multnomah County incident involved an auto-forwarding rule that ran unnoticed for three months, and the same pattern is a standard step in business email compromise, so the controls should cover both the rule and the destination: disable external automatic forwarding at the tenant level where the mail platform allows it, alert on newly created inbox or forwarding rules, and periodically audit existing rules for destinations outside the organization’s domains. HIPAA compliant email systems like Paubox add monitoring that detects and blocks unauthorized forwarding attempts. These controls help address the human factor.
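The audit step above, as an added example that is not part of the original article or of any vendor’s tooling. It assumes an administrator has already exported each mailbox’s inbox rules and account-level forwarding setting (for example from Exchange Online’s Get-InboxRule and Get-Mailbox cmdlets, or from Google Workspace admin reports) into the simple record layout below; that layout, the organization domains, the webmail domain list, and the sample rules are all constructed for the example.

```python
"""Audit exported mailbox forwarding rules for destinations the organization
does not control.

Added example for this article, not original page code. The ForwardingRule
record is an assumed, simplified export format, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Domains the organization controls. Mail forwarded anywhere else leaves
# the safeguards (BAA, access control, audit logging) HIPAA relies on.
# Constructed for the example.
ORG_DOMAINS = {"multco.example", "health.multco.example"}

# Consumer webmail domains: flagged high because no BAA can cover a personal
# account there. Hand-maintained, deliberately short list.
PERSONAL_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com",
                    "hotmail.com", "icloud.com", "aol.com"}


@dataclass(frozen=True)
class ForwardingRule:
    mailbox: str                  # owner of the rule or setting
    name: str                     # rule name, or "mailbox-setting" for account-level forwarding
    destinations: Tuple[str, ...] # addresses mail is forwarded or redirected to
    enabled: bool
    keeps_copy: bool              # False = redirect only; the work mailbox retains nothing


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule: str
    destination: str
    severity: str
    reason: str


_ADDR = re.compile(r"^[^@\s]+@([^@\s]+)$")


def domain_of(address: str) -> Optional[str]:
    """Lower-cased domain of an SMTP address, or None if it is malformed."""
    m = _ADDR.match(address.strip())
    return m.group(1).lower() if m else None


def is_org_domain(domain: str, org_domains: Iterable[str] = ORG_DOMAINS) -> bool:
    """True for an organization domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def audit_forwarding(rules: Iterable[ForwardingRule],
                     org_domains: Iterable[str] = ORG_DOMAINS,
                     personal: Iterable[str] = PERSONAL_WEBMAIL) -> List[Finding]:
    """Return one Finding per enabled forward to a domain the org does not control."""
    findings: List[Finding] = []
    for rule in rules:
        if not rule.enabled:          # disabled rules are still worth cleaning up, but not breaches
            continue
        for dest in rule.destinations:
            dom = domain_of(dest)
            if dom is None:
                findings.append(Finding(rule.mailbox, rule.name, dest, "high",
                                        "unparseable destination, inspect manually"))
                continue
            if is_org_domain(dom, org_domains):
                continue
            if dom in personal:
                severity, reason = "high", "consumer webmail, no BAA possible"
            else:
                severity, reason = "medium", "external domain, verify BAA and authorization"
            if not rule.keeps_copy:
                reason += "; redirect leaves no copy in the work mailbox for audit"
            findings.append(Finding(rule.mailbox, rule.name, dest, severity, reason))
    return findings


# Constructed sample export. The first record mirrors the incident pattern
# described in the article: a blanket rule sending everything to Gmail.
SAMPLE_RULES = [
    ForwardingRule("j.doe@multco.example", "Forward all", ("jdoe.personal@gmail.com",), True, False),
    ForwardingRule("a.lee@multco.example", "Billing copy", ("billing@clinic.multco.example",), True, True),
    ForwardingRule("r.kim@multco.example", "Old rule", ("rkim@yahoo.com",), False, True),
    ForwardingRule("m.chan@multco.example", "mailbox-setting", ("m.chan@partnerlab.example",), True, True),
]

if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.mailbox} rule '{f.rule}' -> {f.destination}: {f.reason}")
```

On the sample data the script flags two rules: the Gmail redirect as high severity and the partner-lab forward as medium, while the disabled Yahoo rule and the forward to a subdomain the organization owns pass. The audit catches rules that already exist; the stronger control is to stop new ones at the tenant, which both major platforms support (Exchange Online’s outbound spam filter policy has an automatic forwarding setting, and Google Workspace’s Gmail end-user settings can disable automatic forwarding), with the audit left in place to catch policy exceptions and account-level forwarding.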
FAQs
What is a BYOD policy in healthcare?
A BYOD policy in healthcare outlines the rules and guidelines for employees using their personal devices, such as smartphones, tablets, or laptops, for work purposes, including accessing patient data and sending work emails.
What defines HIPAA compliant email in healthcare?
HIPAA compliant email refers to email communications that protect the confidentiality, integrity, and availability of PHI in accordance with HIPAA regulations. This includes using encryption during transmission, restricting access through authentication, maintaining audit trails, and ensuring that emails are not altered or destroyed improperly.
When is it permissible to send PHI via email under HIPAA?
PHI can be sent via email when using a HIPAA compliant email service that encrypts messages and limits disclosures to the minimum necessary.
Are common email platforms like Gmail and Outlook HIPAA compliant?
Consumer Gmail and Outlook.com accounts are not HIPAA compliant, because the providers do not sign a BAA for them. Compliance requires the enterprise versions (Google Workspace, Microsoft 365) configured with encryption, access controls, and audit logging, plus a signed BAA with the provider.
How should healthcare organizations handle patient consent for email communication?
Organizations should obtain explicit patient consent before sending PHI via email and inform patients of risks associated with unencrypted email. Consent processes should be documented, and patients should be offered secure alternatives when possible.