Misdelivered Email Results in a HIPAA Data Breach

A common scenario in email security breaches is seen when a billing service sends a bill to an incorrect email address. In most practice arrangements, a third-party billing company will have signed a business associate agreement. According to HIPAA, business associates must inform covered entities when they discover a security breach; however, HHS gives covered entities and business associates flexibility in defining, in the business associate agreements, how and when a business associate should notify the covered entity of a potential breach.¹ Consider the following case. (Please note that the following case focuses on the clinic’s responsibility to analyze the risk and perform the breach notification, even though the breach was caused by a business entity.)

HIPAA Breach Analysis Flowchart

The following flowchart outlines how a privacy or security incident is analyzed to determine whether a HIPAA breach has occurred. It forms the basis of the analysis in the case presented here.

In addition to federal HIPAA regulations, covered entities may also have to comply with state data breach laws. State laws vary on what triggers a breach notification obligation and the nature of breach notification obligations. This case study focuses on federal data breach notification laws. The Health Information & the Law website has an interactive map that provides links to state health data security and breach notification laws.

Case File

A family practice group had a business associate agreement with a billing company. An employee in the billing company sent an email with an attachment that contained patient information for 70 patients to an incorrect email address. Public records indicated the email address was active, but attempts to contact the individual associated with the email address were unsuccessful.

HIPAA Breach Analysis

Q. Was PHI involved?

A. Yes.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?

A. No. The PHI was not secured.

Q. Does one of the three HIPAA disclosure exceptions apply?

A. No. Although the transmission of the PHI to the incorrect email address was inadvertent, the PHI was sent to an individual who was not associated with the group or its business associates who could have accessed the PHI.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)

1. Type of PHI: The information in the email was sensitive and included numerous patient identifiers. In the wrong hands, there was a high possibility the PHI could be used in a manner adverse to the patients or could be used to further the unauthorized recipient’s own interests.
2. Who took it/received it: The data exposure was inadvertent, but whether the PHI would be further disseminated was unknown because the owner of the email address did not respond to inquiries.
3. Ease of access: The PHI was not encrypted and could be easily accessed.
4. Mitigation: There was nothing the practice could do to mitigate the potential misuse of the PHI.

A. The attorney who reviewed this case found that based on the risk assessment the clinic could not demonstrate a low probability that the PHI was compromised; therefore, a breach occurred. The practice was required to comply with the HIPAA breach notification requirements. Patient notification had to be accomplished within 60 days. However, because the breach involved fewer than 500 patients the group was advised it could maintain a log or other documentation of any other data breaches occurring in that year, and submit all of the breach notifications together not later than 60 days after the end of the calendar year.

Medical Liability Risk Management Recommendations

In the foregoing case, the breach was caused by a business associate, but it just as easily could have been caused by an in-house billing department. The HIPAA Security Rule does not prohibit the inclusion of PHI in email, but the HIPAA standards for access control, integrity and transmission security require covered entities and their business associates to have policies and procedures in place that protect the security of PHI in email. If email is not encrypted, HIPAA requires a risk assessment of how the integrity of the PHI will be protected. Consider the following recommendations:²

• Consider using the encrypted messaging capabilities in your EHR (if available) to send PHI instead of using general email applications such as Outlook.
• Encrypt email.
• Put a disclaimer on email to mitigate a security breach if PHI is sent to an unintended recipient. For example:
  
  This email message and any attachment(s) transmitted with it are intended only for the use of the recipient(s) named above. This message may contain privileged and confidential information, including patient information protected by federal and state privacy laws. If you are not an intended recipient, you may not review, copy or distribute this message. If you have received this message in error, please notify the sender immediately by reply email and delete the original message.
  
  
• Employ interactive software (e.g., a pop-up box) that prevents or warns senders when they’re emailing PHI. Remind senders to double check the email address.
• Give patients the option of receiving unencrypted email only after they had been advised of and consented to the risk of data breach.
  • The HHS article “Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?” answers questions about email communication with patients.
• Include email security requirements in business associate contracts.

More Information About Preventing HIPAA Data Breaches

• Overview: Preventing HIPAA Data Breaches: Case Studies and Best Practices
• Best Practices: Mobile Device Policies for Preventing HIPAA Data Breaches
• Best Practices: Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers
• Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops
• Closed Claim Case Study: Employee Voyeurism Leads to a HIPAA Data Breach
• Closed Claim Case Study: Unsecured PHI on a Lost Flash Drive Results in a HIPAA Data Breach

Additional Resources for Policyholders

Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.

Information and Network Security Coverage

Call NORCAL Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.

References

1. Federal Register Volume 78, Number 17 (Friday, January 25, 2013), Page 5656. (accessed 5/14/2018)

2. SCRYPT Corporation. “Email to provider revealed as the reason for recent Atlanta data breach.” August 18, 2015. (accessed 5/14/2018)

Additional Linked Sources

Health Info & the Law Project. “States.” (accessed 5/14/2018)

U.S. Department of Health and Human Services, Office for Civil Rights (OCR). “Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?” December 15, 20008. (accessed 5/14/2018)