Wednesday, October 21, 2015

Email Risk and HIPAA

Incident at Sutter Health Emphasizes Email Risks

Sutter Health’s revelation that a former employee inappropriately sent patient information to a personal email account in violation of the organization’s policy is yet another reminder of the privacy risks posed by email communication.
In a Sept. 11 statement, the California healthcare delivery system says the billing documents for 2,582 patients that were inappropriately emailed included names, dates of birth, insurance identification numbers, dates of services and billing codes. For one patient, the compromised information also included a driver’s license number. For another, a driver’s license number and Social Security number were included.

The organization says it discovered the email-related incident during a review of the former employee’s email activity and computer access. Sutter launched an investigation on Aug. 27 after the organization learned of possible “improper conduct” by the former employee, who worked at Sutter Physician Services, which handles billing for Sutter Health’s physician medical foundations.
Most of the patients whose data was involved in the April 26, 2013, incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation, Sutter Health says. The California healthcare provider says it has no evidence that any of the patient information was misused or disclosed to others. Nonetheless, affected patients are being offered free credit monitoring services for one year.
“Sending any confidential information to a personal email account is strictly prohibited,” Sutter Health says in a statement. “Sutter Health now has sophisticated software that helps block confidential information from leaving the organization unless appropriate safeguards are in place to securely send the information. Employees are also required to annually acknowledge and sign Sutter Health’s confidentiality agreement, which states that the employees agree to abide by and protect Sutter Health’s confidential data.”
A Sutter Health spokeswoman says that the former employee emailed copies of the information without authorization before more technology safeguards were installed and that Sutter Health now uses encrypted email. “Sutter works hard at protecting patient information, including implementing new technologies to enhance protection. I cannot provide specific details of those technologies - that’s among our safety efforts,” she says.
Unfortunately, privacy breaches involving unsecured email, as well as text messages, are a common problem in the healthcare arena, security experts say.
“My experience is that doctors and medical practice employees send PHI through unsecure e-mail all the time,” says security and privacy expert Mike Semel, founder of Semel Consulting. “During our assessments, we often hear that doctors and nurses text each other all day with no concern that the information is PHI,” he says. “When we explain that PHI is any communication that includes a patient identifier and information about their treatment, diagnosis or payment for healthcare, and not just the information in the chart, we are often met with surprise.”
Besides implementing encrypted email communication, such as by using the “Direct Exchange” protocol, healthcare entities can take other steps to safeguard patient information. For example, they can use data loss prevention programs that scan emails and documents containing sensitive data, such as Social Security numbers, before they’re transmitted, security experts say. Depending on the technology, the sensitive data can either be blocked from transmission or automatically encrypted.
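The outbound scan-then-block-or-encrypt decision described above, as an added example that is not Sutter Health's or any vendor's DLP code. The SSN pattern, the internal-domain list and the consumer-webmail list are constructed assumptions; a real deployment would pull these from policy.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: a US SSN in NNN-NN-NNNN form, excluding
# area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

INTERNAL_DOMAINS = {"example-health.test"}                    # hypothetical org domains
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}  # consumer mailboxes

@dataclass
class Verdict:
    action: str                 # "allow", "encrypt" or "block"
    reasons: list = field(default_factory=list)

def mask(ssn: str) -> str:
    """Redact an SSN for logging so the DLP log does not itself leak PHI."""
    return "***-**-" + ssn[-4:]

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def scan_outbound(recipients, body, attachments=()):
    """Decide what to do with one outbound message before it leaves the org.

    - no sensitive pattern                          -> allow
    - sensitive pattern, every recipient internal   -> allow
    - sensitive pattern, consumer-webmail recipient -> block (policy violation)
    - sensitive pattern, other external recipient   -> encrypt (e.g. Direct/TLS)
    """
    text = "\n".join([body, *attachments])      # attachments passed as extracted text
    ssns = SSN_RE.findall(text)
    if not ssns:
        return Verdict("allow")
    reasons = [f"SSN {mask(s)}" for s in ssns]
    external = [r for r in recipients if domain(r) not in INTERNAL_DOMAINS]
    if not external:
        return Verdict("allow", reasons + ["all recipients internal"])
    if any(domain(r) in PERSONAL_WEBMAIL for r in external):
        return Verdict("block", reasons + ["personal webmail recipient"])
    return Verdict("encrypt", reasons + ["external: " + ", ".join(external)])

if __name__ == "__main__":
    # Constructed sample: a billing line pasted into a message to a personal mailbox
    msg = "Patient 4471 DOB 1960-05-02, SSN 123-45-6789, CPT 99213"
    print(scan_outbound(["someone@gmail.com"], msg))
```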
Organizations also need to be wary of employees who work around measures that have been put in place to prevent breaches involving email, Semel stresses.
“When doctors have privileges in multiple hospitals, it is easy to use free webmail for communications wherever they are,” he says. “Even if you have a secure e-mail server in your practice that allows for secure messaging within your organization, sending a message to someone else, like a specialist, [using webmail] is not secure.”
Employees and clinicians need to be educated on the secure methods for sending communication involving PHI, Semel says.
Independent HIPAA attorney Susan Miller says many breaches involving unsecured communication likely aren’t being reported to the Department of Health and Human Services’ Office for Civil Rights, which tracks healthcare data breaches.
“I think they are as under-reported as sending a fax the wrong way,” she says. Tips on the do’s and don’ts related to email encryption are “not part of any training that most staff get,” she says. “I have been talking to my clients about just use WinZip for some protection,” she notes, referring to the zip utility web application, which encrypts email.
