Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

HIPAA Lawsuit – PHI by Un-encrypted Email

Written by:

In kind of ironic timing, the news was recently reported of a patient talking to lawyers about a possible lawsuit against a doctor who sent her protected health information (PHI) to his home email in an un-encrypted format. The irony is that for the past week, my post on Email not being HIPAA secure has been having a really good discussion happening in the comments about these very issues (you should go read through the comments, they’re very interesting).

One interesting part of the above news story is that it didn’t even include the most common personal information used for identity theft. Certainly a person’s name and medical information should be kept private as well and could have consequences related to its release on the internet. However, it definitely doesn’t bring out the privacy critics like a breach of financial related info would bring.

While I personally hate lawsuits, a part of me kind of hopes that this or some other lawsuit happens related to email and PHI. Not because I like lawsuits or I want someone to be held responsible. Mostly because we could use some legal precedent to better enable those who want to use technology like email. Until the precedence is set (or a more specific law), I think that many people are just too afraid to use email for any sort of health care related communication.

In the comments I mentioned above, someone even commented about them wanting a doctor who would let them waive their right to privacy in the name of convenience. Basically, they would rather use email to communicate even PHI at the risk of someone seeing their health information so that they can use communication tools like email in their healthcare. I bet there are a lot more people who would opt in for this also. The problem is that the law is such that I don’t know many doctors who are willing to take the risk even if the patient gives them permission.

The best alternative right now is the patient portal where a patient receives an email saying something has been added or updated on the portal and invites them to login to the private secured portal to see the PHI or other health information. Not perfect and not that broadly adopted.

Lots of other issues related to email with doctors, but at least resolving the privacy and security ones would allow us to focus on those other issues.

December 29, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.

Email is Not HIPAA Secure

Written by:

An interesting discussion happened in the comments about HIPAA secure fax services in regards to the security of email. Being a tech person who formerly managed a few different corporate email systems, sometimes I forget that many people don’t understand some of the details about the security (or lack of security) that’s provided by email.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There is a way to encrypt email sent between 2 email systems, but so far a standard and mechanism for encryption between all the vast number of email providers has not been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.

In fact, most times when an EMR, PHR or other patient portal wants to send a secure email/message to someone they send an email which contains a link to an encrypted website that has a unique login. The reason they do this is because there’s no recognized and adopted standard for encryption of email. However, presenting Protected Health Information (PHI) through an encrypted webpage where someone has a unique login is HIPAA compliant and doesn’t require the receiving email system to understand the encryption. It’s a pain, but it’s the reality of privacy of health information right now.

One of the major reasons that many people think that email is secured is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption is just for users logging in to check, read and send their email. It does not encrypt the email as it it sent from Gmail to the destination email system. Aleks, from Sfax described it similar to a postcard. It’s open where anyone listening can see what’s in the email with no traces left behind.

The only security email partially offers in this manner is the volume of emails that are sent. There’s such a huge volume of useless emails that there’s some security by obscurity benefits. Although, that security doesn’t meet well with the HIPAA requirements. Plus, remember that one thing that computers are great at doing is crunching large amounts of data.

One minor exception that I might make is that if you’re sending email in an internal email system, then it’s possible to set up email encryption. This is possible because you control the email system for the sender and the receiver and so there are ways to do this. However, I know very few people that have actually set this arrangement up. Probably because if they are on your internal email system they usually have access to your EMR and all the PHI can remain in the EMR instead of your email system.

Now many have said that you shouldn’t use the free email providers like Gmail. After reading this it should be clear. You shouldn’t use ANY email provider for sending PHI. So, whether you use Gmail or some other free email provider it shouldn’t matter since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since DrSmith@yourpractice.com is so much more professional than DrSmith985373@gmail.com. Although, that’s kind of a topic for a different discussion.

December 23, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus. Healthcare Scene can be found on Google+ as well.