Healthcare and Email – Dangerous Assumptions

Email has truly become our central, production-grade form of communication, both internally and externally. We rely on the ease and speed of messaging, and on our ability to readily attach documents, pictures or other relevant information. And we are increasingly going mobile (read that as “real time”) with our email connectivity. A recent comScore study revealed that Americans are increasingly using their mobile phones and tablets to access email on the run.

As a result, the amount of information we find useful to keep in email is increasing. And services like GMail have made it easy to integrate email, calendaring and contacts, all available from web browsers, mobile devices and our home computers – and all for a very reasonable price indeed! But hang on here… when we use our “personal” email in such a fashion, what have we really handed over to these third-party providers? Are we really secure? Are we even compliant?

Think carefully if you are a physician. Mail sent to GMail is kept on Google’s servers and made available via various protocols. Very convenient to be sure, but in a third party’s possession nonetheless. While most people would not think much about this, healthcare providers – or rather, HIPAA “Covered Entities” and “Business Associates” of any kind – do in fact need to think about it. The legal responsibility to maintain the integrity, availability and confidentiality of PHI is real. And the HITECH Act of 2009 made violations of these protections onerous, to say the least.

Healthcare IT News’ recent report on Geisinger Health System’s disclosure is a clear illustration of the downside of not being attentive to these protections. In this incident, a Geisinger gastroenterologist e-mailed PHI from a medical center computer to his “home email account” in an unencrypted manner. The intent was to use the information to complete an analysis of his procedures. However, the very act of sending this information unencrypted and storing it unencrypted resulted in Geisinger Wyoming Valley Medical Center having to notify 2,928 patients that some of their protected health information (PHI) had been disclosed in an unauthorized manner.

While there is no information as to any fines or other legal repercussions, what were the costs to the medical center of making such notifications? And perhaps even more importantly, what was the impact on its reputation in the market from such a public breach of patient data? Note that there was no evidence that the information had actually been seen by anyone other than the physician – yet it is still a violation under the security rules, and a notification that must be made under the breach notification rules. This is certainly not something a practice would wish to endure.

So what can you do if you are a practice and want or need to work on your information from another location? There are solutions that work: solutions that include the requirement to maintain data encryption (both at rest and in transit), and solutions which do not require the data to leave the practice at all (think remote access solutions). In either case, clear documentation of the process, the encryption, and the user rights needs to be in place to be compliant. But a good rule of thumb is this: no PHI should ever leave the walls of the practice (and I mean that electronically as well) without being encrypted, and without an audit trail in place to track who is handling the information.