The HIPAA Security Rule “requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must: ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.”
Protected health information (PHI) is subject to strict privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). A breach can lead to severe penalties like fines and being listed publicly on the Office for Civil Rights' "Wall of Shame." Unsecured transmission of PHI is one of the most common types of HIPAA breaches, but it is also easy to safeguard against with the right solutions.
Protected health information, commonly referred to as PHI, is a term governed by the HIPAA privacy rule. It encompasses any piece of health-related or personal information that can be used to identify an individual. PHI includes current health information and information related to an individual's past or future mental or physical health. The HIPAA privacy rule imposes strict requirements on the handling, transmission, storage, and disposal of PHI, granting patients the legal right to privacy and security of their information.
Read more: What is the HIPAA Privacy Rule?
Unsecured transmission of PHI occurs when PHI is transmitted over unencrypted email, faxes, or messages without safeguards to protect the information. This can happen in a variety of ways, including:
Read also: What are administrative, physical and technical safeguards?
One of the requirements of HIPAA is to manage access to PHI and ensure that only authorized users can access, change, and distribute sensitive health data. To achieve this, the HIPAA security rule mandates the use of several technical safeguards:
See more: What is encryption?
The HIPAA security rule requires organizations to have a system in place that logs user activity, including what was accessed, when it was accessed, and by whom. This helps identify any vulnerabilities or security incidents and allows for a timely response to mitigate potential risks.
To enforce user accountability and reduce the risk of unauthorized access, organizations should require authorized users to authenticate their identity using a username and personal identification number (PIN). This ensures that every action performed within the system can be traced back to the individual responsible.
Maintaining the integrity of PHI is necessary to ensure that it is not altered or destroyed in an unauthorized manner. Whether it is being transmitted over email, efax, or text, organizations must implement policies and procedures to protect the integrity of PHI.
Human error or system failures can also compromise the integrity of PHI, leading to potential breaches or data loss. To mitigate these risks, HIPAA requires technical safeguards to maintain the security of PHI at rest, in storage, and in transit.
When transmitting data beyond an organization's internal firewall, use encryption to minimize the risk of data breaches and unauthorized access to PHI. Encryption converts the data into a secure format that can only be deciphered with the appropriate decryption key.
Email, efax, and text messaging are commonly used methods for transmitting PHI. However, these channels rely on internet connections, making encryption a precautionary safeguard. Each organization should determine which secure platforms to use for transmitting information and establish reasonable safeguards accordingly.
A study titled Email security in clinical practice: ensuring patient confidentiality, states that “e-mailing or faxing unencrypted patient health information is really no more secure than sending that information on a postcard,” and that “those physicians who wish to send personal health information by email should use an encrypted or otherwise secure system.”
Related: What HIPAA says about email encryption
The use of personal devices for work purposes, commonly known as bring your own device (BYOD), poses risks to the security of PHI. Approximately 80% of healthcare professionals use personal devices for work-related tasks, increasing the potential for unauthorized access to PHI.
Organizations must establish safeguards and compliance regulations regarding device usage. Applications used for accessing PHI should have automatic logoff features to ensure compliance with HIPAA requirements. Additionally, unencrypted devices should never be used to transmit or store PHI, as they can easily fall into the wrong hands if lost or stolen.
According to a study on Protected Health Information, “There are many ways that healthcare providers can take precautions to ensure that protected health information remains properly protected, to enhance patient care, and preserve patient safety, particularly concerning electronic storage and transmission of PHI. Some standard procedures include data masking, encryption, and deidentification.”
Furthermore, to avoid unsecured transmission of PHI, covered entities such as your healthcare practice should:
Related: Can I send a HIPAA compliant fax?
Paubox’s HIPAA compliant email service delivers encryption on 100% of emails that go out—even if the recipient’s provider doesn’t support encryption.
Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to decide which emails to encrypt, and your patients can conveniently receive your messages right in their inbox—no additional passwords or portals are necessary.
Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop, or mobile device. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or log in to a portal.
This greatly reduces the risk of accidentally sending PHI over email. Having staff decide whether to encrypt an email is a giant burden. It can be easy to forget to press an encrypt button or type a keyword before sending an email. Sometimes, a user may not realize that certain information is also PHI.
Learn more: HIPAA Compliant Email: The Definitive Guide
Yes. HIPAA applies to the transmission of PHI, so make sure that all transmissions comply with HIPAA regulations to maintain patient privacy and security.
Yes, obtaining consent is part of securely transmitting PHI. Patients must provide consent for the transmission of their PHI to ensure compliance with HIPAA and respect for their privacy.
There are various solutions available for safely transmitting PHI, including encrypted email platforms, secure file-sharing services, and HIPAA compliant messaging applications. Organizations must choose a solution that meets HIPAA standards for the secure transmission of PHI.