Subject: Medication for New Employee
Sorry for the email instead of waiting for your call, but as the insurance agent for your medical group I thought I would ask you a quick question by email as a follow-up to my voicemail. We show that your new employee, Bob Smith, is currently taking Crestor. Since there is no generic for Crestor, can you ask him if he can switch to a generic alternative, perhaps Zocor or Lipitor? This will help to keep your practice’s premiums a bit lower over the long term.
Thanks in advance,
YES, THAT’S A PROBLEM
If Anne’s email is not blocked before it leaves the organization, or if it goes through without being encrypted, that is definitely a problem, because it violates HIPAA’s Privacy Rule. Anne shared Protected Health Information (PHI) unnecessarily – in this case, the employee’s name together with a medication he is taking – in an email that was not protected from disclosure.
We have recently conducted a healthcare-focused survey for Netmail and found that Anne’s type of HIPAA violation is just waiting to happen in the real world. For example, our research found that:
- 33% of the organizations we surveyed do not have a data loss prevention (DLP) solution that will monitor outbound email for potential HIPAA/HITECH violations.
- 20% have not established any anti-spam, anti-virus, DLP, encryption or other standards with organizations with which they have HIPAA Business Associate Agreements.
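The first finding above is about outbound DLP: a gateway check that inspects a message before it leaves the organization and decides whether to allow it, force encryption, or hold it. As an added illustration (this is not Netmail's product, nor code from the survey), the Python below applies such a policy to an email constructed from Anne's message. The medication list, the directory of known individuals, the sender's domain (`insurer.example`) and the set of domains with a signed Business Associate Agreement are all assumed placeholder values; a real engine would draw on a formulary and an HR or EHR directory instead of these hard-coded sets.

```python
import re
from dataclasses import dataclass, field

# Constructed watch-list of medication names (illustrative only, not a formulary).
MEDICATION_TERMS = {"crestor", "zocor", "lipitor",
                    "rosuvastatin", "simvastatin", "atorvastatin"}

# Constructed directory of individuals the policy knows about (employees/patients).
KNOWN_INDIVIDUALS = {"bob smith"}

# Words that indicate a clinical context when they co-occur with an individual's name.
CLINICAL_CONTEXT = re.compile(
    r"\b(taking|prescribed|prescription|medication|diagnos\w*|treat\w*)\b",
    re.IGNORECASE)

ORG_DOMAIN = "insurer.example"               # assumed sender organization
BAA_DOMAINS = {"billing-partner.example"}    # assumed partners with a signed BAA


@dataclass
class DlpVerdict:
    action: str                      # "allow", "encrypt" or "block"
    reasons: list = field(default_factory=list)


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def detect_phi(text: str):
    """Return (individuals, clinical_terms) found in free text.

    PHI here means an identifier (a known name) appearing together with
    clinical content (a medication name or a treatment-related word).
    """
    lowered = text.lower()
    individuals = sorted(name for name in KNOWN_INDIVIDUALS if name in lowered)
    meds = sorted(term for term in MEDICATION_TERMS
                  if re.search(rf"\b{re.escape(term)}\b", lowered))
    context = sorted({m.lower() for m in CLINICAL_CONTEXT.findall(text)})
    return individuals, meds + context


def evaluate_outbound(message: dict) -> DlpVerdict:
    """Decide what the mail gateway should do with an outbound message."""
    text = f"{message['subject']}\n{message['body']}"
    individuals, clinical = detect_phi(text)
    if not (individuals and clinical):
        return DlpVerdict("allow", ["no identifier co-occurring with clinical content"])

    reasons = [f"individual(s): {', '.join(individuals)}",
               f"clinical terms: {', '.join(clinical)}"]
    domains = {recipient_domain(r) for r in message["to"]}
    uncovered = sorted(d for d in domains
                       if d != ORG_DOMAIN and d not in BAA_DOMAINS)
    if uncovered:
        # PHI bound for a party with no BAA: hold the message for review.
        reasons.append(f"recipient domain(s) without a BAA: {', '.join(uncovered)}")
        return DlpVerdict("block", reasons)
    # PHI to an internal or BAA-covered recipient: deliver, but only encrypted.
    reasons.append("all recipients internal or covered by a BAA; enforcing encryption")
    return DlpVerdict("encrypt", reasons)


# Constructed sample: Anne's email from the post, addressed to an assumed
# practice domain that has no BAA with the insurer.
ANNE_EMAIL = {
    "from": "anne@insurer.example",
    "to": ["office@hallmedical.example"],
    "subject": "Medication for New Employee",
    "body": ("We show that your new employee, Bob Smith, is currently taking "
             "Crestor. Since there is no generic for Crestor, can you ask him "
             "if he can switch to a generic alternative, perhaps Zocor or Lipitor?"),
}

# Constructed sample with the PHI minimized: the same question, no individual named.
MINIMIZED_EMAIL = dict(ANNE_EMAIL,
                       body="Is a generic alternative to Crestor available yet?")

if __name__ == "__main__":
    for label, msg in (("original", ANNE_EMAIL), ("minimized", MINIMIZED_EMAIL)):
        verdict = evaluate_outbound(msg)
        print(f"{label}: {verdict.action} ({'; '.join(verdict.reasons)})")
```

The policy deliberately keys on the co-occurrence of an identifier and clinical content rather than on medication names alone, so the minimized version of the question (no employee named) passes while the original is held. Routing the same message to a BAA-covered domain yields `encrypt` instead of `block`, which matches the post's point that transmission to a Business Associate should still be encrypted.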
Our research also found that various file-sharing and social media tools are used in healthcare organizations, including Dropbox, Box, Google Drive, Microsoft OneDrive, SharePoint, Novell Vibe and a variety of other tools. While these tools are quite useful and almost always work as advertised, their use in a healthcare-related environment – hospitals, clinics, medical practices, doctors’ offices, insurance companies, benefits administrators and others that share PHI – might not be a good idea without the appropriate technologies in place to protect against accidental or intentional disclosure of confidential or sensitive information.
CONFIDENCE IS NOT HIGH
As a result, many of the organizations we surveyed are not especially confident that they are managing these issues well. For example:
- Only 59% of those surveyed believe that their organization is doing a “good” or “great” job at managing compliance.
- The same proportion believes they are doing a good or great job at preventing data leaks.
- 58% think they’re doing a good or great job at managing secure file sharing.
WHAT SHOULD YOU DO?
Interestingly, neither HIPAA nor HITECH requires that PHI be encrypted during transmission or at rest, although some states, including Oregon and Minnesota, do require encryption. As a matter of best practice, however, all Covered Entities and Business Associates should encrypt PHI so that unauthorized parties cannot read it if they intercept it.
The US Department of Health and Human Services has published useful guidance on the encryption of PHI. For example, in the HHS Request for Information entitled Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009, PHI is deemed “unusable, unreadable, or indecipherable to unauthorized individuals” if at least one of the following conditions is met:
- Encrypted PHI will satisfy the requirements of the HIPAA Security Rule if it meets the definition of encryption as specified in 45 CFR 164.304: “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”.
- The media on which PHI is stored has been purged of any sensitive content in accordance with NIST Special Publication 800-88, Guidelines for Media Sanitization.
The bottom line for any healthcare-related organization is this:
- Implement appropriate safeguards – including user training and encryption technologies – that prevent PHI from being intercepted by unauthorized parties.
- Limit employee use of tools that cannot guarantee the security of confidential or sensitive information.
- Analyze your processes, technologies and other safeguards to ensure that PHI and similar types of information are protected, and revisit these issues periodically to ensure continued compliance.