In the highly regulated and litigious world in which we live, sending, receiving or managing sensitive documents and data through email or services that use email can be plain negligent. Unfortunately, many healthcare businesses are transporting Protected Health Information (PHI) and Social Security details by email or services that use email every day because they misunderstand or dismiss the risks. This article seeks to state the issues and clarify the key points that are often misunderstood.

Email risk

Although email is used every day by almost every organization, it is inherently insecure and the risks of using this type of data transmission for PHI are not fully appreciated.

When a company or organization uses an internet fax service that utilizes fax-to-email or email-to-fax to transport the document, that email content gets read and stored multiple times en route by ISPs, servers, firewalls, virus checkers and, perhaps more worryingly, unscrupulous ‘bots’ that harvest email data. Additionally, IT staff members may be able to access these emails, perhaps using traffic monitors or packet sniffers (that look for particular content or key words), at any of the points at which an email might be stored or through which it transits.

It is not just the email content that is at risk either: typically 30% of emails contain attachments which are also at risk at each and every stage above. Some fax-to-email providers claim to use protocols that ‘encrypt’ the attachment but in truth all this does is put a ‘wrapper’ around that document which if decrypted means the unauthorized party has the entire document intact.

However, most fax-to-email providers use unencrypted emails which can be easily intercepted by unauthorized parties, sometimes with malicious intent. The consequences are serious and can result in significant fines, loss of customers and, possibly, business failure.

Penalties

The current penalties for HIPAA (Health Insurance Portability and Accountability Act) violations are $25,000 to $1.5million, depending on the scale and nature of the violation. Furthermore, an individual who knowingly discloses individually identifiable health information may face a criminal penalty of $50,000 and a one-year imprisonment. Many providers do believe they comply with the latest HIPAA encryption regulations but in reality they may only be ‘compliant’ in a very limited set of circumstances, which require high levels of IT support.

A further point to note on the regulations above, is that if an unencrypted email that contains PHI is sent across the internet, a violation of HIPAA may have occurred even if the email was not intercepted. The fact that it was available for review by an ISP or a third party is enough to expose penalties under HIPAA.

In addition, fax-to-email systems make it difficult, it not impossible, to track missing faxes. Often there is no genuine audit trail at all and there are major limitations in tracking document delivery.

Organizations that wish to successfully compete in the healthcare sector must deploy appropriate technologies to protect documents and data, at rest and during transmission. Failure to do so not only risks day-to-day patient confidentiality but can also jeopardize an organization itself through potential fine, reduction in customer confidence and loss of business. However,it is possible to put a number of physical, organizational and technical measures in place to protect PHI and ensure HIPAA compliance.