HIPAA Tips: Lessons Learned from Email Breach Incidents
Under the HIPAA breach notification requirements, over 40 breaches involving emails have been reported to the U.S. Department of Health and Human Services (HHS) as affecting more than 500 individuals.
The following lessons can be learned from these incidents:
- Only send the minimum information necessary
- Limit patient identifiers when practicable
- Consider encryption or a secure email messaging system if one is available. If encryption is not available, consider alternate means of communicating protected health information (PHI)
- Avoid sending protected health information (PHI) to a personal email account/home computer
- When communicating with patients, use the email address specifically provided by the patient for that purpose
- Double check that an e-mail address has not been incorrectly typed or auto-filled
- Avoid disclosing PHI in the subject line of the email (encryption methods may not encrypt the subject line)
- Blind carbon copy recipients, rather than listing them on the “To” line when communicating with multiple individuals
- Check recipients’ email addresses and attachments before sending, particularly before sending numerous files to numerous recipients
- Avoid auto-forwards of email accounts, especially to external destinations
- Change passwords to email accounts regularly and do not keep passwords written down near or on the computer/device.
- Include a notice of confidentiality in emails that instructs recipients about the steps to take if they are not the intended recipient, such as notifying the sender and deleting the email and all copies
- Develop a written policy regarding email transmissions and train your workforce
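Several of the lessons above (no PHI in the subject line, no personal webmail recipients, Bcc for multiple recipients, re-checking addresses and attachments before a bulk send, catching mistyped or auto-filled addresses) can be turned into an automated pre-send check that runs before a message leaves the organisation. The script below is an added example, not code from the page or from HHS; the domain lists, identifier patterns, the `clinic.example` domain, the known-contact list, the threshold and the sample message are all constructed assumptions for illustration.

```python
"""Pre-send lint for an outbound email, covering several of the listed lessons.

Added example; the rules, thresholds, domain lists and sample messages are
constructed assumptions, not values from the page.
"""
import difflib
import re
from dataclasses import dataclass, field

# Assumed: consumer webmail domains, i.e. personal accounts that should not receive PHI.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
# Assumed: the organisation's own domain; any other domain counts as external.
INTERNAL_DOMAIN = "clinic.example"
# Assumed: addresses the sender has legitimately used before (used for typo detection).
KNOWN_CONTACTS = {"records@partner-hospital.example", "dr.lee@clinic.example"}

# Constructed patterns for identifiers that should never appear in a subject line.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
    "DOB": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    subject: str = ""
    attachments: list[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def lint_message(msg: Message, bulk_threshold: int = 5) -> list[str]:
    """Return a list of findings; an empty list means no rule fired."""
    findings = []
    visible = msg.to + msg.cc          # recipients that every other recipient can see
    everyone = visible + msg.bcc
    external = [a for a in visible if domain_of(a) != INTERNAL_DOMAIN]

    # Lesson: no PHI in the subject line (encryption often leaves it in clear text).
    for label, pattern in PHI_PATTERNS.items():
        if pattern.search(msg.subject):
            findings.append(f"subject line appears to contain {label}; move it to the body")

    # Lesson: do not send PHI to personal email accounts.
    for addr in everyone:
        if domain_of(addr) in PERSONAL_DOMAINS:
            findings.append(f"{addr} is a personal webmail account")

    # Lesson: Bcc multiple recipients instead of listing them on To/Cc.
    if len(external) > 1:
        findings.append(f"{len(external)} external recipients visible on To/Cc; use Bcc")

    # Lesson: re-check addresses and attachments before a bulk send.
    if len(everyone) >= bulk_threshold and msg.attachments:
        findings.append(
            f"{len(msg.attachments)} attachment(s) to {len(everyone)} recipients; "
            "re-verify recipient list and files"
        )

    # Lesson: catch mistyped or auto-filled addresses that are close to, but not
    # equal to, a known contact (assumed similarity cutoff of 0.9).
    for addr in everyone:
        if addr in KNOWN_CONTACTS:
            continue
        close = difflib.get_close_matches(addr, KNOWN_CONTACTS, n=1, cutoff=0.9)
        if close:
            findings.append(f"{addr} looks like a typo of known contact {close[0]}")
    return findings


def sample_risky_message() -> Message:
    """Constructed sample: a mistyped partner address, a patient's Gmail and an MRN in the subject."""
    return Message(
        sender="nurse@clinic.example",
        to=["records@partner-hospitl.example", "patient.jones@gmail.com"],
        subject="Lab results MRN 1234567",
        attachments=["labs.pdf"],
    )


if __name__ == "__main__":
    for finding in lint_message(sample_risky_message()):
        print("BLOCK:", finding)
```

In a real deployment the checker would sit in a mail gateway or an Outlook/Gmail add-in and either warn the sender or hold the message; the typo rule is deliberately limited to addresses the sender has used before, since fuzzy-matching against an entire directory produces too many false positives to be actionable.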