Paubox blog: HIPAA compliant email made easy

What violates HIPAA in email?

Written by Kirsten Peremore | March 19, 2024

Email is a common communication tool in healthcare, as evidenced by the 361.6 billion emails sent daily. According to Paubox’s January 2024 breach report, email breaches affected 137,008 people, marking it as the third most common type of breach. These breaches occurred through unauthorized access to or disclosure of protected health information (PHI) via email.

See also: What are the penalties for HIPAA violations?


What violates HIPAA in email

  1. Sending PHI without encryption (Security Rule, §164.312(e)(1) - Transmission security): This section requires covered entities to implement technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic communications network. Sending PHI via email without encryption means the data could be intercepted and accessed by unauthorized individuals, constituting a violation.
  2. Unauthorized disclosure of PHI (Privacy Rule, §164.502(a) - Uses and disclosures of PHI): This involves sharing PHI with individuals or entities not authorized to receive it, which can easily happen through email, either intentionally or accidentally, such as sending to the wrong recipient.
  3. Lack of access controls (Security Rule, §164.312(a)(1) - Access Control): This section mandates that covered entities implement technical policies and procedures that allow only authorized persons to access electronic PHI (ePHI). Failure to restrict access to emails containing PHI, such as not using secure email accounts or not enforcing strong authentication practices, can lead to unauthorized access.
  4. Failing to obtain patient consent before using email for communication (Privacy Rule, §164.508 - Uses and disclosures for which an authorization is required): If a healthcare provider wishes to communicate PHI via email, they must first obtain explicit consent from the patient to do so, acknowledging the potential risks. Skipping this step is a violation.
  5. Not providing adequate training on email policies (Security Rule, §164.308(a)(5) - Security awareness and training): This section requires covered entities to provide regular training to all workforce members regarding their security policies and procedures. Failure to train staff on safe email practices, including the secure handling of PHI, can lead to violations due to negligence or ignorance.
  6. Ignoring or failing to report breaches (Breach Notification Rule, §164.404 - Notification to individuals): If there is a breach of unsecured PHI, such as through an email hack or accidental disclosure, covered entities are required to notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. Not meeting this notification requirement is a violation.

See also: HIPAA Compliant Email: The Definitive Guide


The common causes of email violations

Phishing attacks

Cybercriminals send an estimated 3.4 million emails, each crafted to appear as though it comes from a trusted sender. Phishing attacks involve malicious actors deceiving individuals into providing sensitive information, such as login credentials, or clicking on links that install malware. Healthcare employees cannot always distinguish legitimate emails from malicious ones, especially when attackers use sophisticated tactics that mimic real correspondence.


Lack of encryption

Encryption is a method of converting information into a code to prevent unauthorized access. Interestingly, an ESG report, Operationalizing Encryption and Key Management, found that among organizations that experienced confirmed or suspected data loss incidents, 71% acknowledged the enormity of this issue. The report found that a lack of encryption was cited as the top reason for data loss by 33% of these respondents. An email sent without encryption can be easily intercepted and read by anyone who gains access to it during transmission. Some healthcare organizations may not use email services that automatically encrypt PHI because of cost concerns, lack of awareness, or technical constraints.


Misdirected emails

Misdirected emails, where an email containing PHI is sent to the wrong recipient, often result from human error, such as a typo in the email address, or from system issues. Simple mistakes or the lack of proper recipient verification processes can easily lead to such errors, and the high pace of work in healthcare settings makes them more likely to occur.

Adding to the concern, Verizon’s 2023 Data Breach Investigations Report found that 74% of data breaches over the last year involved human error. This category includes incidents where employees either directly exposed data or inadvertently provided cybercriminals access through mistakes.
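Two of the violation causes above, sending PHI unencrypted (transmission security) and misdirecting it to a mistyped address, can be caught by a pre-send policy check. The following is an added example written for this page, not Paubox's product or code: it flags obvious PHI indicators in a message body, requires encryption when they are present, and compares each recipient's domain against a list of verified partner domains so that a transposed-letter typo is reported before the message leaves. The domains and PHI patterns are constructed, hypothetical values; a production DLP rule set is far richer.

```python
import re
from difflib import SequenceMatcher

# Constructed sample policy (hypothetical domains, not from the article):
# the partner domains the organisation has verified for receiving PHI.
TRUSTED_DOMAINS = {"clinic-partner.example", "hospital.example"}

# Illustrative PHI indicators; a real DLP rule set is far richer than this.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


def find_phi(text):
    """Names of the PHI indicators that appear in the text, sorted."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def near_miss(domain, threshold=0.85):
    """Trusted domain that this one closely resembles (a likely typo), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None


def check_outbound(recipients, body, encrypted):
    """Policy findings for an outbound message; an empty list means it may be sent."""
    findings = []
    phi = find_phi(body)
    if phi and not encrypted:
        findings.append(f"PHI present ({', '.join(phi)}) but message is not encrypted")
    for addr in recipients:
        domain = domain_of(addr)
        if domain in TRUSTED_DOMAINS:
            continue
        suspect = near_miss(domain)
        if suspect:
            findings.append(f"{addr}: domain looks like a typo of {suspect}")
        elif phi:
            findings.append(f"{addr}: PHI addressed to unverified domain {domain}")
    return findings
```

Ordinary mail with no PHI indicators passes untouched, so the check adds friction only where the article's violation categories actually apply.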

See also: Top 10 HIPAA compliant email services


FAQs

Can I email PHI to another healthcare provider without violating HIPAA?

Yes, you can email PHI to another healthcare provider for treatment purposes without violating HIPAA, but it is essential to ensure that reasonable safeguards are in place, such as encryption and verifying the recipient's email address.


Is using a regular email service provider a violation of HIPAA?

Using a regular email service provider can be a violation of HIPAA if it does not offer the necessary security measures, such as encryption and access controls, to protect PHI. Covered entities should use email service providers that explicitly offer HIPAA compliant services like Paubox and are willing to sign a BAA.


What should I do if I accidentally send PHI to the wrong email address?

If you accidentally send PHI to the wrong email address, you should report the incident to your organization's privacy officer immediately. The incident will need to be assessed for potential risk to the patient's privacy, and if necessary, reported to the Department of Health and Human Services (HHS) as a breach, and the affected individual(s) must be notified according to HIPAA's Breach Notification Rule (§164.404).