Protecting PHI in e-mail requires diligence

DALLAS – Workplace policies and technical methods of securing protected health information (PHI) in e-mail aren't enough on their own to secure e-mail communications. Training and ongoing risk assessment are also critical, according to an e-session presented at the 2005 Healthcare Information and Management Systems Society (HIMSS) meeting this week.

"Secure e-mail protects patient privacy," said Edward Smith, senior research engineer at e-mail security services provider Zix of Dallas.

The Health Insurance Portability and Accountability Act (HIPAA) requires "reasonable and appropriate safeguards" when sending PHI, but healthcare organizations are still in the early stages of securing PHI in e-mail, according to Smith.

E-mail comes with privacy risks, of course, as anybody can read or change it. Messages can be sent to the wrong person, read by employers, co-workers, or family, and intercepted by third parties, according to Smith.

Zix performed a study of healthcare-related e-mail traffic, collecting five million messages sampled from 50 healthcare organizations between April 2004 and October 2004. The sample represented inbound and outbound traffic for three to seven days for each organization. Messages were then scanned for content and classified.

The firm found that all organizations had unsecured PHI in their outbound e-mail, with an average exposure rate for unsecured PHI of 2% per organization. For a small-to-medium-sized healthcare organization that sends out approximately 5,000 messages per week, it would amount to 100 occurrences of unsecured PHI leaving the organization each week, according to Smith.

"E-mail is a high-volume channel," Smith wrote. "The more messages sent, the greater the exposure potential."

Most e-mails with PHI were not malicious, but consisted of payors and providers conducting business. Most were clerical in nature, such as discussing individual claims, correcting coding issues, clarifying dates of service, and troubleshooting EDI issues.

Care providers also communicate with each other on matters such as referrals, a diagnosis, or a shared patient, Smith said. Patients also communicate with their providers, and vice versa, asking questions, clarifying medications, managing disease, and scheduling appointments.

HIPAA's transmission security requirement most directly relates to e-mail, and users must guard against unauthorized access with integrity controls and encryption, Smith said. The requirement is mandatory.

"Organizations must assess the requirement, then implement the requirement, or document why not and implement the alternative," he wrote. "There is not an option to do nothing."

Since e-mail travels over public networks, users must encrypt PHI or block e-mail altogether. HIPAA requires technical safeguards, so administrative policies prohibiting sending PHI in e-mail are not enough, Smith said.

Privacy policies alone cannot protect PHI; policies supported with technical safeguards are more effective, he said. To improve policies, Smith suggests working with legal counsel, creating policies specifically for e-mail, and conducting a risk assessment.

He also advocates user-awareness training, and recommends that facilities support their policies with technical solutions. Effective technical solutions include content scanning and integration with existing network systems. Such solutions must meet HIPAA Security Rule requirements for data integration and encryption, and be able to handle send-to-anyone capabilities, Smith said.
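The content-scanning approach the session describes, as an added illustration that is not code from Zix or the e-session: it scans a constructed set of outbound messages for PHI indicators, applies the encrypt-or-block policy from the article, and computes the per-organization exposure rate the study reported. The indicator patterns, sample messages and function names are assumptions chosen for the example.

```python
import re

# Constructed sample of outbound messages (sender, body); not from the Zix study.
SAMPLE_MESSAGES = [
    ("claims@payer.example", "Claim 4471 for patient MRN 00912345, DOB 03/14/1961, denied: code 250.00"),
    ("it@clinic.example", "Reminder: the VPN maintenance window is Saturday night."),
    ("dr.lee@clinic.example", "Referral for Jane Doe, SSN 123-45-6789, suspected diabetes mellitus."),
    ("front@clinic.example", "Your appointment is confirmed for Tuesday at 9am."),
    ("billing@clinic.example", "Corrected date of service for MRN 00777123 is 2004-09-02."),
]

# Illustrative indicator patterns (assumed); a real scanner would use much richer
# lexicons and dictionaries, and would tune these against false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
    "diagnosis_code": re.compile(r"\bcode\s+\d{3}\.\d{1,2}\b", re.IGNORECASE),
}

def classify(body):
    """Return the set of PHI indicator names found in a message body."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(body)}

def disposition(indicators, encryption_available=True):
    """Article's policy: PHI over a public network is encrypted or blocked, never sent in clear."""
    if not indicators:
        return "deliver"
    return "encrypt" if encryption_available else "block"

def scan_outbound(messages, encryption_available=True):
    """Classify each message and decide what the gateway should do with it."""
    results = []
    for sender, body in messages:
        found = classify(body)
        results.append((sender, sorted(found), disposition(found, encryption_available)))
    return results

def exposure_rate(messages):
    """Fraction of messages carrying at least one PHI indicator (the study's exposure rate)."""
    flagged = sum(1 for _, body in messages if classify(body))
    return flagged / len(messages) if messages else 0.0

def weekly_occurrences(rate, messages_per_week):
    """Projected unsecured-PHI occurrences per week at a given outbound volume."""
    return round(rate * messages_per_week)
```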

By Erik L. Ridley
AuntMinnie.com staff writer
February 17, 2005


Copyright © 2005 AuntMinnie.com
