Email is Not HIPAA Secure

An interesting discussion happened in the comments about HIPAA secure fax services in regards to the security of email. Being a tech person who formerly managed a few different corporate email systems, sometimes I forget that many people don’t understand some of the details about the security (or lack of security) that’s provided by email.

The short story is: Email is NOT HIPAA Secure (at least in 99% of cases)

There is a way to encrypt email sent between 2 email systems, but so far a standard and mechanism for encryption between all the vast number of email providers has not been established. I won’t go into the details of why this is the case (cost of encryption, standards for encryption, etc), but suffice it to say that almost none of the email systems send encrypted email that would satisfy the HIPAA requirements.

In fact, most times when an EMR, PHR or other patient portal wants to send a secure email/message to someone they send an email which contains a link to an encrypted website that has a unique login. The reason they do this is because there’s no recognized and adopted standard for encryption of email. However, presenting Protected Health Information (PHI) through an encrypted webpage where someone has a unique login is HIPAA compliant and doesn’t require the receiving email system to understand the encryption. It’s a pain, but it’s the reality of privacy of health information right now.

One of the major reasons that many people think that email is secured is that a number of email providers (Gmail being the most famous for this) turned on encryption for all of their users. The misunderstanding is that this encryption is just for users logging in to check, read and send their email. It does not encrypt the email as it it sent from Gmail to the destination email system. Aleks, from Sfax described it similar to a postcard. It’s open where anyone listening can see what’s in the email with no traces left behind.

The only security email partially offers in this manner is the volume of emails that are sent. There’s such a huge volume of useless emails that there’s some security by obscurity benefits. Although, that security doesn’t meet well with the HIPAA requirements. Plus, remember that one thing that computers are great at doing is crunching large amounts of data.

One minor exception that I might make is that if you’re sending email in an internal email system, then it’s possible to set up email encryption. This is possible because you control the email system for the sender and the receiver and so there are ways to do this. However, I know very few people that have actually set this arrangement up. Probably because if they are on your internal email system they usually have access to your EMR and all the PHI can remain in the EMR instead of your email system.

Now many have said that you shouldn’t use the free email providers like Gmail. After reading this it should be clear. You shouldn’t use ANY email provider for sending PHI. So, whether you use Gmail or some other free email provider it shouldn’t matter since I’m sure you won’t be sending any PHI through email any more.

Of course, I’d recommend you use the free Google Apps version of Gmail since DrSmith@yourpractice.com is so much more professional than DrSmith985373@gmail.com. Although, that’s kind of a topic for a different discussion.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

63 Comments

  • Speaking as a patient, not in the medical field: I have had readily available public encryption keys for well over a decade. I send & receive encrypted mail almost daily. Yet, I have not a single medical provider who has any clue how to send or receive secure email, they fax everything–which is particularly ironic as faxing dates to shortly after the US Civil war (yes, look it up) and is not secure at all.

    …and lest you assume that I must be an IT guy to have been using encryption for more than a decade, no: My undergraduate degree in in photography, my graduate degree is in Theology.

    Encryption is both free & easy. There are two well accepted systems; OpenPGP and x.509 either one is far more secure than the hipaa encryption requirements, and both are free; of course if you’d rather pay than think, vendors are available. Either way, please, get out of the 19th Century and start encrypting.

  • This is really interesting… I didn’t know that email isn’t HIPAA secure either until my hospital got in big trouble for having us nurses texting patient info. We just got a HIPAA compliant texting service called Tigertext & now we can text whatever we want without getting fined!!

  • Well, Lance, I appreciate your comment, and many of we docs are regular users of encryption using tools like OpenPGP…but our patients are NOT. How do you suggest going about installing OpenPGP on our patient’s systems, most of whom use content scanning providers?

  • Hi Joe,
    Obviously it’s not your job to install encryption software on patients computers. But if I call your nurse and ask them to email a copy of my lab results, will your staff tell me:

    1) “Sure what’s your email?”
    2) “Do you have a public encryption key?”
    3) “We can’t email that, but we can fax it.”

    I’ll bet you lunch and pint of ale your nurse will say #3, and that’s why the lack of encryption problem persists nationwide.

  • Outside of the complete encryption of the body of an e-mail message, there is only one protocol which can effect true end-to-end encryption of e-mail and that is TLS encryption. http://en.wikipedia.org/wiki/Transport_Layer_Security

    When TLS is implemented between e-mail servers, the content of the messages exchanged between the servers is fully encrypted.

    This also means that the e-mail CLIENTS and/or or web interfaces which are used to send and receive must ALSO be encrypted using either TLS or SSL.

    The unfortunate part of the equation is that most e-mail vendors are not currently using TLS to encrypt the messages sent between the e-mail servers and that makes the messages send via the public internet the equivalent of a post card: anyone who has access to any device which is part of any of the networks through which the data passes can read the message and content.

    In response to the several questions posed regarding whether PHI can be sent in an e-mail when a patient requests such data be send, the answer is NO!

    There is NEVER an allowable situation when PHI can be transmitted in an unencrypted e-mail message, whether by patient request or not.

    This also applies to inter and intra-office communications, because almost all office networks are connected to the internet cloud at some point and that means that someone who has the proper skills and technology available to them can, and at some point, will, snoop the traffic on the local network.

    Remember, data is on a NEED TO KNOW BASIS under the latest HIPPA rules. The receptionist does not have the right to know about the diagnosis, etc. No one should have access to any of the patient data outside of what they need to work with a patient. If someone does not work with a patient, they should never be allowed to pull up the patient record and look at it.

    The rules are strict for a reason – CONFIDENTIALITY.

    I work in many different offices as a consultant and am amazed at the amount of gossip and non essential communication goes on regarding patient diagnosis. Under the latest HIPPA/HITECH regulations, I am a BUSINESS AGENT and have the obligation to tell the supervisory staff of the violations. I have been told to mind my own business on several occasions and remind them that if they do not correct the problem I have a legal obligation to open a report with OCR.

    Keeping patient PHI private is everyone’s responsability, ALL of the time!

  • Interesting discussion, which I hope to re-energize! Note that the newly published Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (the long awaited HITECH final changes to HIPAA) has within the commentary section for 45 CFR 164.524(c) that providers are permitted to send individuals unencrypted emails, if they advise the individuals of the risk and the individual still wants the communication anyway. HHS seems to imply that this is just another way to meet the requirement that a health care provider must provide copies of health information in an electronic form or format as requested by the inidividual. At least the Feds are saying that providers are not responsible for unauthorized access of health information while in transmission to the individual based on the individual’s request. Won’t stop a lawsuit, of course.

  • Mary,
    Good find. This also doesn’t likely cover internal communication about a patient. So, 2 doctors discussing a patient over email is still likely a HIPAA violation.

  • What about an email with the capability to manually encrypt emails and/or attachments where the email is encrypted inside and outside of the email domain until it gets to the recipient?

  • With the right mix of encryption, identity, and permission you can send something like a secure email. However, out of the box email doesn’t provide those things.

Click here to post a comment
   

Categories