Unsecured transmission of Protected Health Information (PHI) is one of the most common types of HIPAA breaches, but it is also easy to safeguard against with the right solutions.
In simple terms, a breach occurs when PHI is accessed, used, or disclosed in a way that violates HIPAA regulations; transmitting PHI over an unsecured channel is one common example.
PHI is subject to strict privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). A breach can lead to severe penalties like fines and being listed publicly on the Office for Civil Rights' "Wall of Shame."
Related: What is the OCR and what does it do?
What is a breach of Protected Health Information?
Before getting into unsecured transmission and what that means, let's look at the PHI that is usually involved. There's no definitive and exhaustive list of PHI because it varies depending on the patient identifiers used during the course of their care. However, according to reports from the Department of Health and Human Services (HHS), the identifiers most often involved in reported HIPAA breaches are:
- Social Security Number
- Medical Record Number
- Address (including zip code)
- Health plan beneficiary number
- Email address
- Telephone number (including cell phone and fax numbers)
- Health insurance policy number or other insurance identification number
- Payment card information (credit or debit card numbers)
How do breaches of PHI usually happen?
HHS reports show that breaches commonly occur because of the following:
- Theft or loss of electronic devices
- Hacking and other cybersecurity incidents
- Insider threats
- Improper disposal of PHI
- Unsecured transmission of ePHI
It's this last type of breach, the unsecured transmission of ePHI, that we'll delve into more. ePHI transmitted over unsecured channels, such as email or messaging apps, may be intercepted by unauthorized individuals, leading to breaches.
In our digital world, it's one of the likeliest ways your practice or healthcare organization will run afoul of HIPAA regulations.
Unsecured transmission of PHI
Unsecured transmission of PHI occurs when PHI is sent over unencrypted email, fax, or messaging channels without safeguards to protect the information. The distinction matters under the HHS Breach Notification Rule: PHI that has been encrypted in line with HHS guidance is not treated as "unsecured," so the loss or interception of a properly encrypted message does not by itself become a reportable breach, whereas PHI sent in the clear has no such protection. Unsecured transmission can happen in a variety of ways, including:
- Sending unencrypted emails containing PHI: Emails that contain PHI should be encrypted so that only the intended recipient can read them. An unencrypted email can be read by anyone who can observe it in transit or on the mail servers that relay it, including hackers and other malicious actors.
- Sharing PHI through unsecured messaging apps: PHI should not be sent through messaging apps, or plain SMS, that lack encryption and other appropriate safeguards.
- Faxing PHI to the wrong recipient: If a fax intended for a healthcare provider is accidentally sent to a business or individual without a legitimate need for the information, it can be considered a HIPAA violation.
How to avoid unsecured transmission of PHI
To avoid unsecured transmission of PHI, covered entities such as your healthcare practice, and their business associates, should:
- Use secure email systems: HIPAA compliant email enforces encryption in transit (TLS that is required rather than merely opportunistic) and, where needed, end-to-end or secure-portal delivery, together with access controls and audit logging, to protect the confidentiality, integrity, and availability of ePHI.
- Use secure messaging apps: If messaging apps are used to communicate PHI, they must meet HIPAA's requirements, including encryption and user authentication, and should allow access to be revoked when a device is lost or stolen.
- Implement secure faxing processes: Covered entities and business associates should implement secure faxing processes, such as confirming the destination number before sending, ensuring that faxes are only sent to authorized recipients, and using fax cover sheets that clearly identify the intended recipient and any confidentiality requirements.
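As an added example (not code from the original article), here is a small outbound gate in Python that scans a message for the identifier types listed earlier on this page and refuses to send it when any are found and the channel is not encrypted. The regex patterns, function names, and the sample message are illustrative assumptions; the message is constructed and contains no real patient data. Card-number candidates are checked with the Luhn algorithm so that invoice numbers that merely look like card numbers are not flagged, and matched identifiers are masked before they are reported so the gate's own logs do not become another PHI disclosure.

```python
"""Outbound PHI gate (illustrative, added example): scan a message for common
HIPAA identifiers and block it on an unencrypted channel if any are present."""
import re
from dataclasses import dataclass

# Patterns for identifier types that HHS breach reports list most often.
# These are illustrative regexes, not an exhaustive PHI definition.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE)
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str  # never carry the raw identifier into logs or alerts


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask(value: str) -> str:
    """Keep only enough of the value to triage (last 4 digits, or email domain)."""
    if "@" in value:
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_phi(text: str) -> list[Finding]:
    findings = []
    for kind, pattern in (("ssn", SSN_RE), ("mrn", MRN_RE),
                          ("phone", PHONE_RE), ("email", EMAIL_RE)):
        for m in pattern.finditer(text):
            findings.append(Finding(kind, _mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):  # drop order/invoice numbers that only look like cards
            findings.append(Finding("card", _mask(digits)))
    return findings


def transmission_allowed(text: str, channel_encrypted: bool) -> tuple[bool, list[Finding]]:
    """Allow the send unless PHI was found and the channel is not encrypted."""
    findings = find_phi(text)
    if findings and not channel_encrypted:
        return False, findings
    return True, findings


# Constructed, fictitious message used to exercise the gate.
SAMPLE_MESSAGE = (
    "Hi Dr. Lee, forwarding the referral for the patient you saw today.\n"
    "MRN: 00482913, SSN 123-45-6789, callback (555) 123-4567.\n"
    "Copay was charged to card 4111 1111 1111 1111.\n"
    "Please reply to jdoe@example.com. Invoice no. 1234 5678 9012 3456 is unrelated.\n"
)

if __name__ == "__main__":
    for encrypted in (False, True):
        ok, hits = transmission_allowed(SAMPLE_MESSAGE, channel_encrypted=encrypted)
        print(f"encrypted={encrypted}: {'SEND' if ok else 'BLOCK'}",
              [f"{f.kind}:{f.masked}" for f in hits])
```

Run against the sample, the gate reports one SSN, one MRN, one phone number, one email address, and one Luhn-valid card number, ignores the invoice number that fails the Luhn check, blocks the send on an unencrypted channel, and allows it on an encrypted one. In production this check would sit in the mail gateway or messaging platform's outbound pipeline, with the patterns tuned to your own identifier formats.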
Related: Can I send a HIPAA compliant fax?