HIPAA Email and Data Privacy for Medical Practices
Secure your data, emails, and attachments. Choose who can view them and revoke access at any time.
A Large Portion of the Dental Community
Many dental professionals have one of the following email configurations:
Free webmail account (Yahoo, Gmail, AOL, MSN, etc.). Example: smiledental_EXAMPLE@yahoo.com
Personal email account. Example: drEXAMPLE@yahoo.com
Hosted email account. Example: drEXAMPLE@mydomain.com (not public, but not correctly secured)
If you fall into the first two categories, you have a public email account that is non-compliant. If you have a private account but it is not properly secured, you may be non-compliant or even in violation of HIPAA.
Are you in violation of HIPAA?
If you email appointments, test results, case-related information, or other treatment information to patients using any of the non-HIPAA-compliant email services listed above, then the answer is yes.
If you are sending Protected Health Information (PHI) using free email services like Gmail, Yahoo, Hotmail, or AOL, you are in violation. Even if you are using services like AT&T, Verizon, GoDaddy, or 1&1, the answer is still yes.
Most email providers have non-compliant privacy policies and no email security policy, meaning your email can be intercepted. In short, this means that you can be fined up to $1.5 million during an audit!
If your practice is a covered entity under HIPAA, emailing a patient or emailing patient information involves both the HIPAA Privacy and Security rules. The content of the email, including the patient’s email address, constitutes protected health information (PHI).
What are the Financial Implications of HIPAA Violations?
Tier of violation: Penalty
Individual unaware of violation: Up to $50,000 per violation, up to $1.5 million total per year
Violation due to reasonable cause, not willful neglect: Up to $50,000 per violation, up to $1.5 million total per year
Violation due to neglect, but corrected within the allowed timeframe: Up to $50,000 per violation, up to $1.5 million total per year
Violation due to neglect, left uncorrected: $50,000 per violation, up to $1.5 million total per year
What are some of the issues with Traditional Free Email Services?
Beyond the lack of HIPAA compliance, the issues include:
Data can be accessed and scanned by other email users, and your contacts should have no reasonable expectation that their correspondence will not be scanned for the purpose of targeted advertising.
Information and data are not guaranteed to be safe, secure, and always available.
Having @yahoo, @aol, etc. after your name looks old-fashioned and very unprofessional. As you know, image and branding are important to an undecided new patient.
When something is free, you are the product! Even if you were not aware of it when signing up for a free email account, you agreed to the email provider's terms of service, in which you most likely gave them the right to access or scan your email.
In some cases, the email account is bundled for free with your website hosting. Example: GoDaddy email.
Storage limits are incredibly small, so you will eventually lose your emails or be forced to create a new account.
Some of these email configurations do not work seamlessly with mobile phones or tablets.
Microsoft Outlook or Outlook Express has the major drawback of tying everything to a single computer. All your data sits on one computer that can and will crash. We don't have to tell you that loss of data can be devastating for your business.
List of Non-HIPAA Compliant Email Services
Gmail.com (Standard @gmail.com Service)
What does HIPAA Compliance with Google mean?
Ensuring that our customers' data is safe, secure, and always available to them is one of our top priorities. To demonstrate our compliance with security standards in the industry, Google has sought and received security certifications such as ISO 27001 certification and SOC 2 and SOC 3 Type II audits. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), Google Apps can also support HIPAA compliance.
Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.
Administrators for Google Apps for Work, Education, Government, and Google Apps Unlimited domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Apps Vault services.
Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.
We have published our Google Apps HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with Google Apps.
What if your business currently uses a Gmail, Yahoo, or other generic Email Service?
We can help fix that problem! Hitec-Med would love to help you get rid of your generic Gmail, Yahoo, or AOL email address and get a real, professional, HIPAA-compliant email address. For example:
When one of your potential patients sees that your email address is a generic free web-based address, their first thoughts may well be:
This is a small office with outdated technology
This office doesn’t plan to stick around long
The practitioner or dentist doesn’t know how to use technology effectively
My email to the doctor may not be secure and could be hacked and accessed more easily
We can help you set up your own professional email addresses (or multiple addresses or users for your practice). If you do not have a domain name, we can register an optimized domain or one based on your name or practice!
If you do not have a website, we can develop one for you and link your email to it.
If you already have your own domain name and website for your practice, we can transfer your email to the new HIPAA certified system.
Most practices have a domain (website) name, but for some reason not all of them go all the way and use it for email. We make it quite simple to add email capabilities to your existing domain (website) name.
March 1 HIPAA Deadline for Dentists Approaching
Dentists have until March 1 to report a HIPAA-compliance issue to the U.S. Department of Health and Human Services Office for Civil Rights (HHS).
Specifically, HIPAA-covered practices must report by that date any breach of their electronic patient information that may have affected fewer than 500 people. Breaches that may have affected more than 500 people have stricter timelines: practices get only a 60-day window to report the incident.
According to the HHS, "A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free-text portion of the submission."
The HHS website allows dentists to report an incident electronically and has instructions for submitting it.
The breach notification rule was approved in 2009 as part of a larger set of HIPAA amendments known as the Health Information Technology for Economic and Clinical Health Act (HITECH). Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information.
Secure electronic transmission of protected health information is one of the many requirements of the HIPAA Security Rule. Dental practices should review the rule requirements to ensure compliance. A major component of compliance is a documented risk analysis. HIPAA Security Rule: A Summary can be found on cda.org. HHS has on its site a Guidance on Risk Analysis.
For more information, visit cda.org/privacy-hipaa.
Yahoo, Google, and Apple also claim the right to read user emails!
Like Microsoft, other webmail giants all reserve the right to read user emails, if 'deemed necessary'
Microsoft is not unique in claiming the right to read users' emails – Apple, Yahoo, and Google all reserve that right as well, the Guardian has determined.
The broad rights that email providers claim for themselves have come to light following Microsoft's admission that it read a journalist's Hotmail account in an attempt to track down the source of an internal leak. But most webmail services claim the right to read users' email if they believe that such access is necessary to protect their property.
Microsoft's own terms of service allow the company to access content "when Microsoft forms a good faith belief that doing so is necessary [to] protect them… property of Microsoft". It made use of that right to read the email of an unnamed journalist who had allegedly taken possession of the source code to Windows 8 thanks to an internal leak at the firm.
Yahoo, Google, and Apple too
But other major email providers reserve exactly the same rights. Yahoo requires users to "acknowledge, consent and agree that Yahoo may access… your account information and Content… in a good faith belief that such access… is reasonably necessary to… protect the rights… of Yahoo."
Google's terms require the user to "acknowledge and agree that Google may access… your account information and any Content associated with that account… in a good faith belief that such access… is reasonably necessary to… protect against imminent harm to the… property… of Google". Apple "may, without liability to you, access… your Account information and Content… if we have a good faith belief that such access… is reasonably necessary to… protect them… property… of Apple".
Of the major webmail providers, only Microsoft was prepared to share the internal procedures they have in place governing who can access users' email without a court order and what reasons they must give to do so. Yahoo declined to comment. Neither Apple nor Google had responded to requests for comment ahead of publication.
"The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not," says Charlie Howe, director, EMEA at Skyhigh Networks, a cloud security software firm, of Microsoft's snooping.
"For instance, I would guess that most people don’t actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the ‘accept’ button on certain cloud services."
So on that happy note, let’s dive in!
#1: Advocate Medical Group
People Affected: 4,029,530
Date of Breach: 7/15/2013
In the 2nd largest data breach ever reported through the HHS database, four laptops containing more than 4 million patient records were stolen. Advocate Medical Group did not notify affected patients until more than a month after the theft and stated the laptops were password protected. However, this did little to assuage fears, as device passwords are easily overcome. The lost data included social security numbers, which places the patients at higher risk of identity theft.
The total number of affected individuals is eclipsed only by a 2011 incident in which 4.9 million medical records were compromised when backup tapes were reportedly stolen from an employee’s car. A class action lawsuit for the 2011 event seeks $4.9 billion ($1,000 for each person affected).
#2: AHMC Healthcare
People Affected: 729,000
Date of Breach: 10/12/2013
In October thieves accessed a sixth-floor, video-monitored office to steal two laptops, which contained Medicare patient data from six AHMC hospitals in California. The theft occurred on a Saturday and was not detected until Monday. The compromised patient data included names, diagnoses, and insurance information. About 70,000 also had their Social Security numbers compromised.
AHMC stated they had recently completed a 3rd party security risk assessment but had not yet taken the step of encrypting all employee laptops.
#3: Texas Health Harris Methodist Hospital Fort Worth
People Affected: 277,014
Date of Breach: 5/11/2013
[Image: example microfiche sheet, via Wikimedia]
In a bizarre incident, sheets of microfiche containing patient records from the ‘80s and ‘90s were found in several Fort Worth public areas. Upon investigation, Texas Health Fort Worth found that their vendor Shred-it had failed to destroy the microfiche as contracted. The extent of the lost microfiche is unknown but is expected to include Social Security numbers and other private data.
#4: Indiana Family and Social Services Administration
People Affected: 187,533
Date of Breach: 04/06/2013-05/21/2013
A computer programming error by a business associate wreaked havoc on Indiana FSSA’s client mailers. The programming glitch caused extra pages from client notifications to be mixed into mailings to other clients, compromising medical and financial information for up to 187,533 clients, and Social Security numbers for almost 4,000 of them.
#5: Cogent Healthcare, Inc.
People Affected: 32,151
Date of Breach: 05/05/2013-06/24/2013
Patient medical treatment history was compromised when a Cogent Healthcare business associate stored the data on a non-secure site, opening up public access to the records for more than a month. The business associate, a transcription company, left a firewall open, making the supposedly private website housing the records accessible to the human users and web crawlers. Some records were subsequently indexed by Google.
#6: Orthopedics and Adult Reconstructive Surgery
People Affected: 22,000
Date of Breach: 03/01/2013 – 03/13/2013
While few details have been disclosed about this breach, it appears that patient data was compromised when a business associate lost a portable device. Ironically, it appears that the records may have been lost in the process of transferring them to a different storage platform to better comply with regulations.
#7: Raleigh Orthopaedic Clinic
People Affected: 17,300
Date of Breach: 1/15/2013
In another bizarre incident, a contractor hired to transfer x-rays to electronic format instead sold the x-ray films to be scrapped for their silver. The network of clinics has determined they were the victims of a scam. Unfortunately, the final state of the x-rays is unknown, but they are believed to have been destroyed.
Delta Dental of Pennsylvania
In another mailing mishap, a Delta Dental of Pennsylvania letter to an employer containing a list of employee names and SSNs arrived opened, with several pages missing.
#8: Lucile Packard Children’s Hospital
People Affected: 12,900
Date of Breach: 5/8/2013
In this data breach at a Stanford University hospital, an older, out-of-use laptop was stolen from an access-controlled office. The stolen laptop, which was damaged and scheduled to be taken out of circulation, was not encrypted, leaving an unknown amount of pediatric patient data at risk.
#9: United HomeCare Services, Inc.
People Affected: 12,299
Date of Breach: 1/8/2013
In another case of encryption coming too late, a United HomeCare laptop scheduled to be encrypted was stolen from an employee’s vehicle, compromising the health records and personal information of patients and family members. Like the many other HIPAA violations due to stolen laptops, the theft appeared to have been random, and not a “targeted attempt to steal information.”
The Top Two Ways to Stay Off This List
While the number of impacted individuals will likely grow as additional violations are uncovered, so far 2013 included more than 140 separate HIPAA violations that involved more than 500 people. In all, more than 5.7 million individuals were reported to have been affected.
When you dig into the full list of the violations some clear patterns appear. Around 30% of the violations were due to theft or loss of an unencrypted laptop or portable device. And, almost 20% were due to a business partner.
For HIPAA-covered institutions, the two best recommendations I have for keeping yourself off this list during 2014 are:
Encrypt any devices that touch patient data. This takes a concerted effort and investment, but as you can see from half of the top ten breaches, electronic devices get stolen, and password protection is never enough.
Choose business associates who value data security and HIPAA compliance as much as you do.
Secure, HIPAA-compliant email and data encryption have become must-have tools for dental practices. In addition to HIPAA and Omnibus Rule compliance, they also deliver unexpected features and benefits that help dental practices improve patient experiences, increase employee productivity, and reduce business expenses.