Breach data published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) show that email breaches are on the rise.
The OCR maintains a database of breaches of unsecured protected health information affecting at least 500 individuals. MPA crunched some numbers, looking at OCR breach reports still under investigation for each six-month period over the past 24 months. The number of email breaches reported to the OCR more than quintupled between the second half of 2017 and the first half of 2019.
Let’s look at some real world examples to see how email use can breach HIPAA.
Hospital accidentally gives PHI for Suboxone patients to newspaper
A communications employee at a Maine hospital accidentally emailed information about 300 patients with opioid use disorder to the local newspaper.
The information included the patient names, their providers, and the fact that they take Suboxone, a medication used to treat opioid addiction.
The employee forwarded an email with the patient spreadsheet attached to the newspaper’s investigations editor by mistake. Fortunately, the newspaper employee destroyed the file. But this accident is a reminder of the risks of emailing PHI: one wrong recipient on a forwarded message disclosed a full patient list.
Email Attachment Breaches Data of 993 Veterans
A VA medical center announced a HIPAA breach involving 993 veterans.
The breach occurred after a veteran’s family member asked the VA for a list of nursing home facilities that work with the VA medical center. In response, the VA accidentally emailed the family member a list that included veterans’ names, abbreviated SSNs, diagnoses, nursing homes where they were admitted, and service-connection disability rating percentages.
What you can do
To mitigate the risks of a HIPAA email breach, take a look at the excellent precautions the VA put in place after its breach:
- The VA is no longer keeping historic, rolling files.
- The VA has also encrypted and restricted this data, so only a limited number of individuals can access it.
- The VA is no longer sending email attachments.
The corrective actions taken by the VA are excellent examples of practices that recognize the inherent risk of human error involved with email.
If you do decide to email PHI, consider getting patient consent first. In addition, MPA does not recommend using email to communicate patient information unless it is encrypted. Keep in mind what encryption does and does not do: it protects a message from being read in transit or by an unauthorized third party, but it would not have prevented either breach above, where the sender addressed the message to the wrong person. Those mistakes call for controls on what gets attached and who it is sent to, which is exactly what the VA’s corrective actions target. When it comes to sending sensitive PHI, email should be avoided altogether. Finally, if you have not done so already (or recently), MPA recommends using your HIPAA Security Risk Analysis to evaluate the email practices in your organization.