Data security is a major challenge in healthcare. With data breaches on the rise, it seems that criminals are increasingly viewing digital healthcare data as low-hanging fruit. According to the 2022 HIMSS Cybersecurity Survey, only 83% of healthcare IT professionals are receiving HIPAA-compliance training. Percentages among other healthcare staff like administrators and clinicians is much lower, despite those positions being crucially involved in handling sensitive information.
In today’s high-risk environment, physicians need to know how to transmit protected health information (PHI) to other parties safely and securely. This involves transitioning from email as a primary method of communication to a more secure HIPAA-compliant communication technology.
What Types of Patient Information Are Covered Under HIPAA?
The term PHI can describe a wide range of patient data collected by HIPAA-covered entities. Broadly speaking, PHI is considered any piece of information that can identify a patient disclosed when delivering or receiving a healthcare service.
A safe rule of thumb is to assume that any part of a patient’s medical record or payment history can constitute PHI, since both contain highly sensitive financial and medical information that can easily identify them.
Why Email is Not Considered a HIPAA-Compliant Method of Communication
Although email isn’t specifically banned under HIPAA, there are stringent rules around sharing PHI that make HIPAA-compliant communication all but impossible to attain.
Key reasons why sharing PHI through email is not considered good HIPAA-compliant practice include:
1. Inadequate Security Features
HIPAA dictates that any digital message containing PHI must be encrypted. As one of the earliest forms of online communication, it’s highly unlikely that email will be encrypted or have other modern security features in place. In fact, email is by default unencrypted and very difficult to encrypt. This puts most email communications containing ePHI clearly in breach of HIPAA.
Encryption alone is not sufficient to make email communications HIPAA-compliant. HIPAA rules also require an audit trail, monitoring of communications, and ID authentication to ensure that only authorized persons view the information. These requirements are costly in terms of IT resources and may still be insufficient due to the other factors on this list.
2. Lack of Control Over Patient Email Providers
Even if healthcare organizations feel confident in the security features of their own email provider, they have no control over the provider their patients use. If the patient uses an email provider lacking the property security measures (as is often the case), there is a risk that ePHI may be intercepted or hacked when exchanging emails with their healthcare provider.
3. Not Well-Targeted
Anyone can send an email to a known address or worse, to a mistyped address that happens to belong to someone. Relying on email as a primary means of communication often means that valuable or sensitive information ends up in the wrong place.
Examples scenarios of this vulnerability include:
- A patient contacts a secretary or other member of the healthcare organization’s administrative team with PHI.
- A patient leaves their phone unattended, and a friend or family member sees the email or notification on the device.
- A patient communicates using a work email that is accessible to their employer or colleagues.
4. Vulnerable To Phishing Attacks
A phishing attack is a type of cyber attack that uses an email disguised as coming from a trusted source (e.g., a healthcare provider) to trick the recipient into giving out personal information. The risk of a phishing attack significantly increases when an organization shares sensitive information via email. In one recent example, a healthcare employee’s email was compromised through a phishing attack that exposed roughly 12,000 patient files.
Can I Use Email With a Disclaimer or Waiver?
Email contains many security risks and should never be used when sharing PHI, even if the information is only being shared internally. Some healthcare organizations wrongly believe that the problem is solved if the patient signs a disclaimer or gives consent to have their health information shared through email. Sharing PHI through email will be in breach of HIPAA regardless of a disclaimer or consent form. PHI should only be transmitted through safe mediums such as HIPAA-compliant messaging apps.
HIPAA Compliance Staff Training for PHI Management
Good compliance starts with knowledgeable and conscientious staff. While employees and administrators aren’t likely to share PHI intentionally, HIPAA recognizes that there is a risk of doing so accidentally. HIPAA compliance training ensures that every medical and administrative staff member who handles PHI knows how to protect it.
To ensure up-to-date HIPAA compliance, consider giving staff ongoing HIPAA compliance training every 4-6 months. Training should include real-world examples of situations in which both administrative staff and physicians may need to share ePHI, alerting them to the HIPAA rules in each case (e.g., when referring a patient for additional care).
What Should Be Covered in HIPAA Compliance Staff Training?
Training for HIPAA compliance should be conducted at all levels so that staff are aware of best practices and can answer the following questions at any time, especially in the middle of a busy workday.
Where is PHI stored?
PHI should only be stored on secure devices belonging to the healthcare organization, not private devices such as personal cell phones. It should only be transmitted using HIPAA-compliant communication mediums.
What if you stumble upon PHI that you shouldn’t have access to?
All medical and office staff should also know the correct procedures to follow if they see PHI not meant for their eyes. This will usually involve reporting the breach to a senior staff member such as a compliance officer, who will help fix the issue and implement appropriate access controls to prevent future breaches.
How do I keep login information secure?
In addition to security measures such as two-step or multi-factor authentication when logging into a communication app, staff should know how to keep their login credentials secure. For example, healthcare organizations can use password managers that generate random, strong passwords for each account; these can also be used to keep passwords securely encrypted in a digital vault.
Does the healthcare organization have a business associate agreement (BAA) with the person you’re communicating with?
When communicating with business partners, staff should be aware that a BAA is required for information-sharing under HIPAA and which companies have one in place with your organization. Training sessions and reference materials can ensure that staff members have an easy way to verify the compliance of all partners.
Partner With a HIPAA-Compliant Patient Portal Provider
When using a digital medium to share PHI with patients and other providers, the only way to know for certain it will be secure is by using a HIPAA-compliant messaging app or portal.
At Medical Web Experts, our team of senior developers and security/HIPAA compliance experts are dedicated to creating custom safe solutions for healthcare organizations and patients. Contact us today to learn more.
