How to handle HIPAA violations in emails

In case of a HIPAA violation via email, stop the spread immediately and report it internally. If needed, externally report the incident to the Department of Health and Human Services (HHS), notify affected individuals transparently, take corrective action, seek legal guidance, and continuously improve compliance protocols for better safeguards.

Understanding HIPAA compliant email communication

According to the HHS, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. ". 

• Encryption: Employing encryption protocols ensures that any email with protected health information (PHI) is safeguarded against unauthorized access, rendering the information indecipherable to unintended recipients.
• Secure access: Implementing stringent access controls involves passwords and multi-factor authentication, restricting access solely to authorized personnel.
• Patient consent: Obtain explicit consent from patients before transmitting sensitive health information via email. 
• Secure platforms: Using HIPAA compliant email platforms strengthens the email system's security layers, adding an additional shield against potential breaches.

However, email is the second most common breach location, affecting 108,199 individuals. Various actions contribute to its frequent occurrence:

• Sending unencrypted emails containing sensitive patient data can expose information to unauthorized individuals.
• Allowing unauthorized access to patient information, whether through compromised passwords or inadequate access controls, constitutes a breach.
• Transmitting sensitive information without explicit patient consent violates their privacy rights and contravenes HIPAA regulations.
• Using non-secure platforms for transmitting PHI exposes the information to vulnerabilities, potentially leading to breaches.

Related: Why HIPAA breaches related to email are so common

Immediate actions upon discovery

• Stopping the spread: Immediately recall or retract the email if possible. Assessing the breach's extent aids in devising an effective response strategy.
• Reporting and internal procedures: Promptly notify the designated HIPAA compliance officer or supervisor for internal reporting. That will allow you to understand the criteria for external reporting to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). 
  
  

Mitigation and damage control

• Patient notification: Transparently inform affected individuals about the breach and detail the steps to mitigate potential harm. This communication should be clear, concise, and empathetic.
• Corrective actions: Implement corrective measures, such as comprehensive staff retraining and robust policy updates, to fortify the system against future breaches. Review and update technological safeguards and protocols to significantly contribute to bolstering security.
  
  

FAQs

Can patients opt out of receiving PHI through email?

Yes, patients have the right to request that their PHI not be communicated via email, and healthcare providers must honor this preference.

What are the consequences of not using a HIPAA compliant email platform?

Failing to use a HIPAA compliant email platform can result in data breaches, hefty fines, and damage to an organization's reputation due to noncompliance with HIPAA regulations.

What should be included in the patient notification following an email breach?

The notification should include details of the breach, the potential risks, steps being taken to mitigate harm, and contact information for further assistance or questions.