Safely transmitting PHI

The HIPAA Security Rule, “requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must: ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit”

Protected health information (PHI) is subject to strict privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). A breach can lead to severe penalties like fines and being listed publicly on the Office for Civil Rights' "Wall of Shame." Unsecured transmission of PHI is one of the most common types of HIPAA breaches, but it is also easy to safeguard against with the right solutions.

What is PHI?

Protected health information, commonly referred to as PHI, is a term governed by the HIPAA privacy rule. It encompasses any piece of health-related or personal information that can be used to identify an individual. PHI includes current health information and information related to an individual's past or future mental or physical health. The HIPAA privacy rule imposes strict requirements on the handling, transmission, storage, and disposal of PHI, granting patients the legal right to privacy and security of their information.

Read more: What is the HIPAA Privacy Rule?

Unsecured transmission of PHI

Unsecured transmission of PHI occurs when PHI is transmitted over unencrypted email, faxes, or messages without safeguards to protect the information. This can happen in a variety of ways, including:

• Sending unencrypted emails containing PHI: Emails that contain PHI should be encrypted to prevent unauthorized access. If the email is not encrypted, it can be intercepted by third parties, including hackers and other malicious actors.
• Sharing PHI through unsecured messaging apps: PHI should not be transmitted through unsecured messaging apps without encryption or other appropriate safeguards.
• Faxing PHI to the wrong recipient: If a fax intended for a healthcare provider is accidentally sent to a business or individual without a legitimate need for the information, it can be considered a HIPAA violation.

Read also: What are administrative, physical and technical safeguards? 

Ensuring authorized access to PHI

One of the requirements of HIPAA is to manage access to PHI and ensure that only authorized users can access, change, and distribute sensitive health data. To achieve this, the HIPAA security rule mandates the use of several technical safeguards:

• Unique user IDs: Each authorized user should have a unique user ID to log into the system. This allows organizations to track and monitor user activity effectively.
• Emergency access procedures: In case of emergencies, organizations should have procedures in place to grant immediate access to PHI. These procedures should be designed to minimize the risk of unauthorized access.
• Automatic logoff: To prevent unauthorized access when a user's workstation is unattended, automatic logoff should be implemented. This reduces the risk of PHI being accessed by unauthorized individuals.
• Messaging encryption: Any messaging systems used to transmit PHI should employ encryption to protect the confidentiality and integrity of the data. Encryption ensures that even if intercepted, the information remains unreadable.

See more: What is encryption?

Monitoring user activity

The HIPAA security rule requires organizations to have a system in place that logs user activity, including what was accessed, when it was accessed, and by whom. This helps identify any vulnerabilities or security incidents and allows for a timely response to mitigate potential risks.

To enforce user accountability and reduce the risk of unauthorized access, organizations should require authorized users to authenticate their identity using a username and personal identification number (PIN). This ensures that every action performed within the system can be traced back to the individual responsible.

Protecting the integrity of PHI

Maintaining the integrity of PHI is necessary to ensure that it is not altered or destroyed in an unauthorized manner. Whether it is being transmitted over email, efax, or text, organizations must implement policies and procedures to protect the integrity of PHI. 

Human error or system failures can also compromise the integrity of PHI, leading to potential breaches or data loss. To mitigate these risks, HIPAA requires technical safeguards to maintain the security of PHI at rest, in storage, and in transit.

Data encryption for secure transmission

When transmitting data beyond an organization's internal firewall, use encryption to minimize the risk of data breaches and unauthorized access to PHI. Encryption converts the data into a secure format that can only be deciphered with the appropriate decryption key.

Email, efax, and text messaging are commonly used methods for transmitting PHI. However, these channels rely on internet connections, making encryption a precautionary safeguard. Each organization should determine which secure platforms to use for transmitting information and establish reasonable safeguards accordingly.

A study titled Email security in clinical practice: ensuring patient confidentiality, states that “e-mailing or faxing unencrypted patient health information is really no more secure than sending that information on a postcard,” and that “those physicians who wish to send personal health information by email should use an encrypted or otherwise secure system.”

Related: What HIPAA says about email encryption

Caution regarding device usage

The use of personal devices for work purposes, commonly known as bring your own device (BYOD), poses risks to the security of PHI. Approximately 80% of healthcare professionals use personal devices for work-related tasks, increasing the potential for unauthorized access to PHI.

Organizations must establish safeguards and compliance regulations regarding device usage. Applications used for accessing PHI should have automatic logoff features to ensure compliance with HIPAA requirements. Additionally, unencrypted devices should never be used to transmit or store PHI, as they can easily fall into the wrong hands if lost or stolen.

How to avoid unsecured transmission of PHI 

According to a study on Protected Health Information, “There are many ways that healthcare providers can take precautions to ensure that protected health information remains properly protected, to enhance patient care, and preserve patient safety, particularly concerning electronic storage and transmission of PHI. Some standard procedures include data masking, encryption, and deidentification.”

Furthermore, to avoid unsecured transmission of PHI, covered entities like your healthcare practices should:

• Use secure email systems: HIPAA compliant email supports encryption and offers other appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI.
• Use secure messaging apps: If messaging apps are used to communicate PHI, they should be secure and meet the requirements of HIPAA. This includes encryption and authentication.
• Implementing secure faxing processes: Covered entities and business associates should implement secure faxing processes, such as ensuring that faxes are only sent to authorized recipients and using fax cover sheets that clearly identify the intended recipient and any confidentiality requirements.

Related: Can I send a HIPAA compliant fax?

Our recommendation: Paubox

Paubox’s HIPAA compliant email service delivers encryption on 100% of emails that go out—even if the recipient’s provider doesn’t support encryption. 

Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to decide which emails to encrypt, and your patients can conveniently receive your messages right in their inbox—no additional passwords or portals are necessary. 

Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop, and mobile device. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or login to a portal. 

This greatly reduces the risk of accidentally sending PHI over email. Having staff decide whether to encrypt an email is a giant burden. It can be easy to forget to press an encrypt button or type a keyword before sending an email. Sometimes, a user may not realize that certain information is also PHI.

Learn more: HIPAA Compliant Email: The Definitive Guide 

FAQs

Does HIPAA apply to transmitting PHI? 

Yes, HIPAA applies to the transmission of PHI, make sure to ensure that all transmissions comply with HIPAA regulations to maintain patient privacy and security.

Do I need consent to transmit PHI securely? 

Yes, obtaining consent is part of securely transmitting PHI. Patients must provide consent for the transmission of their PHI to ensure compliance with HIPAA and respect for their privacy.

What solutions can I use to transmit PHI safely? 

There are various solutions available for safely transmitting PHI, including encrypted email platforms, secure file-sharing services, and HIPAA compliant messaging applications. Oraganizations must choose a solution that meets HIPAA standards for the secure transmission of PHI.