Secure email fails when healthcare staff decide the approved route slows down completing the task at hand. The Insight Global contact tracing incident is a case in point of how fast this can happen. The Department of Justice press release noted the company agreed to pay $2.7 million after allegedly failing to protect COVID-19 contact tracing health information.
Staff sent some information in unencrypted emails, used shared passwords, and stored or transmitted data via password-unprotected Google files, some of which could be accessed via internet links. The AP also reported at least 72,000 people were affected after employees used unauthorized Google accounts to store names, phone numbers, email addresses, sexual orientations, and other sensitive details.
What secure email is made for
Secure email should encrypt messages, reduce wrong-recipient exposure, support identity verification, preserve audit trails, and keep protected health information (PHI) inside systems the organization can manage.
Healthcare communication includes scheduling, referrals, claims, intake forms, lab results, vendor coordination, patient follow-up, and internal handoffs. If the security measures require more logins, confusing triggers, separate portals or manual workarounds, staff may start to think of security as something separate from the job rather than part of it. NCBI Bookshelf research titled Patient Safety and Quality: An Evidence-Based Handbook for Nurses notes, in a broader health IT context, that when real processes are poorly understood, technology “may not be used and may even be a burden.”
Secure email should take the real path of communication, not the fantasy path. The system should help staff send sensitive information securely from the tools they already use, with encryption and security controls working in the background wherever possible. It should also help compliance teams piece together what happened when a concern arises. The best secure email program is the one that feels natural to the user and is known to security teams.
Why staff bypass the approved workflow
Secure messaging can also improve communication and information flow, since asynchronous messaging lets teams respond at their convenience without everyone needing to be available at once. Despite this potential, an International Journal of Medical Informatics study reported a survey in which 63% of 43 clinicians across five clinics disagreed with the statement “secure messaging reduces my workload,” while 33% agreed that secure messaging increased work stress.
The findings indicate that healthcare staff often judge tools by whether they help them complete work safely and quickly. Even if a system is technically secure, it can fail in practice if it increases inbox load, generates duplicate documentation, causes delays in responses, or forces staff to figure out which messages need special attention.
Staff can copy information into email, save attachments elsewhere, forward messages to themselves, reuse shared accounts, or pick whichever channel the recipient answers fastest. An Applied Clinical Informatics study on EHR-mediated communication found that 34% of such communication resulted in a workaround, showing how common these patterns become when official tools do not fit daily work.
Why healthcare is especially vulnerable
PHI flows through clinicians, front desk teams, billing departments, labs, pharmacies, payers, vendors, family contacts and outside care partners. Every handoff creates pressure to quickly and accurately transfer information. Healthcare Data Breaches: Insights and Implications found the healthcare sector accounted for 61.55% of breach incidents in a 2005 to 2019 multi-sector analysis, and from 2015 to 2019, healthcare accounted for 76.59% of incidents among the sectors studied.
The same study found 249.09 million people were victims of healthcare data breach episodes from 2005 to 2019, with 157.40 million records exposed from 2015 to 2019 alone. Hacking was responsible for 161.05 million exposed health records during 2005 to 2019, accounting for 64.65% of the exposed health records in this study.
What secure email should look like in practice
Staff should not have to stop in the middle of a busy workday to figure out whether a message needs encryption, whether a recipient can open a portal, or whether a file needs a separate transfer tool. A good healthcare email workflow is one that automates encryption, supports secure delivery with no friction for the recipient, verifies the sender’s identity, guards against spoofing and phishing, maintains searchable records, and allows administrators to oversee the system without requiring staff to take extra manual steps.
Health IT should augment real handoffs rather than replace poorly understood processes with tools that staff do not use. The same applies to secure email. Healthcare organizations should map the actual flow of PHI and then select controls appropriate to those flows. Paubox fits naturally into this discussion because HIPAA compliant email security works best when it lives inside the email workflow staff already use. Encryption should not feel like a separate errand. Inbound protection should reduce malicious messages before staff interact with them.
FAQs
Why do healthcare staff avoid secure email workflows?
Healthcare staff usually avoid secure email workflows when the approved process slows down routine work. The secure route is often harder than the job itself: additional logins, confusing encryption triggers, portal friction, attachment limits, and delayed responses.
Does HIPAA require encryption?
Under the HIPAA Security Rule, encryption is an addressable implementation specification, so organizations must decide whether it is reasonable and appropriate for their environment and document that decision.
What is a HIPAA compliant email?
A HIPAA compliant email process secures electronic PHI through the safeguards provided within the Security Rule.