A recent survey of 600 workers across the U.S. found that 87% of health care employees have used non-secure email to transmit sensitive data and information.
The HIPAA Security Rule requires covered entities and their business associates to protect electronic PHI (ePHI) when it travels over an open network, which includes email, text messages and the internet in general. Encryption is an "addressable" implementation specification under the rule: you must implement it wherever it is reasonable and appropriate, or document why an equivalent safeguard was used instead, and HHS guidance is explicit that an organization must assess the risks of sending ePHI over open networks, select a means of protecting it and document that decision.[2] PHI that is not encrypted is "unsecured" PHI under the Breach Notification Rule, so an unencrypted message that is misdirected, intercepted or otherwise exposed is a reportable breach, and the Office for Civil Rights (OCR) can impose strict penalties on offending organizations.
Do you know if your employees are transmitting unencrypted PHI? Chances are, your health care organization is vulnerable to this risk. However, there are things you can do to reduce risk and help avoid not just a fine but also a major security incident such as a data breach.
How to Encrypt Data
Your employees can’t encrypt PHI if you don’t provide the tools to do so. There are third-party solutions you can leverage in different ways. For example, ShareFile integrates with Microsoft Outlook to provide a ShareFile button that employees can click to encrypt an email’s contents. Other vendors have the sender add “Secure” to the subject line, which tells the software to encrypt that email. Both approaches work only when the sender remembers to use them, so they depend on the training discussed below.
Another solution is an email encryption gateway, which inspects all email leaving the network and encrypts it according to configurable rules (a subject-line tag, a recipient outside the organization, content that looks like patient identifiers), eliminating the need for client software and for the sender to decide case by case. A gateway only catches what its rules describe, so the rules need to be reviewed against the kinds of PHI your staff actually send. Take a look at all the options available and decide which solution best fits your organization.
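To make concrete what "configurable encryption rules" means in practice, here is an added example, written for this article and not ShareFile's or any gateway vendor's actual code, of the decision a gateway makes for each outbound message. It combines the subject-line trigger from the previous paragraph with a scan for patient identifiers and clinical vocabulary. The internal domain clinic.example, the trigger words, the regular expressions, the keyword list and the sample messages are all constructed assumptions.

```python
"""Outbound mail policy in the style of an email encryption gateway.

Added example: decides, per message, whether it may leave the network
as-is or must be routed through encryption. Domain names, trigger words,
patterns and sample traffic are assumptions, not any vendor's rule set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed internal domain(s). Mail that never leaves the organisation is
# covered by internal controls and skips gateway encryption.
INTERNAL_DOMAINS = {"clinic.example"}

# Subject-line tags that let a sender request encryption explicitly
# (the "add Secure to the subject line" workflow). Word boundaries keep
# "insecure" or "security meeting" from triggering.
SUBJECT_TRIGGER = re.compile(r"\bsecure\b|\[encrypt\]", re.IGNORECASE)

# Structured identifiers that rarely appear in legitimate external mail
# except as PHI. Illustrative patterns only.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}",
        re.IGNORECASE),
}

# Clinical vocabulary in free text. One hit is weak evidence; two or
# more together are treated as PHI.
PHI_KEYWORDS = ("patient", "diagnosis", "lab result",
                "prescription", "treatment plan")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Decision:
    action: str                       # "deliver" or "encrypt"
    reasons: list[str] = field(default_factory=list)


def external_recipients(msg: OutboundMessage) -> list[str]:
    """Recipients whose domain is not one of ours."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def classify(msg: OutboundMessage) -> Decision:
    """Apply the gateway rules in order: scope, explicit tag, content scan."""
    if not external_recipients(msg):
        return Decision("deliver", ["all recipients internal"])

    reasons: list[str] = []
    if SUBJECT_TRIGGER.search(msg.subject):
        reasons.append("subject trigger")

    text = f"{msg.subject}\n{msg.body}"
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"pattern:{name}")

    hits = [k for k in PHI_KEYWORDS if k in text.lower()]
    if len(hits) >= 2:
        reasons.append("keywords:" + ",".join(hits))

    return Decision("encrypt", reasons) if reasons \
        else Decision("deliver", ["no PHI indicators found"])


# Constructed sample traffic (not real messages or people).
SAMPLES = {
    "tagged": OutboundMessage(
        "nurse@clinic.example", ["jane.doe@example.net"],
        "Secure: your appointment", "See you Tuesday at 9."),
    "identifiers": OutboundMessage(
        "billing@clinic.example", ["claims@payer.example"],
        "Claim question", "MRN: 00412345, SSN 123-45-6789, DOB 04/02/1970."),
    "free_text": OutboundMessage(
        "dr.smith@clinic.example", ["colleague@othersystem.example"],
        "Quick consult", "The patient's lab result came back abnormal."),
    "internal": OutboundMessage(
        "dr.smith@clinic.example", ["records@clinic.example"],
        "Chart update", "MRN: 00412345 discharged today."),
    "benign": OutboundMessage(
        "admin@clinic.example", ["vendor@supplies.example"],
        "Parking", "Can you confirm the delivery window for Friday?"),
}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        d = classify(msg)
        print(f"{name:12} -> {d.action:8} {'; '.join(d.reasons)}")
```

Two things the sample output makes visible: the gateway encrypts the "free_text" consult on vocabulary alone, which a subject-line scheme would have missed, but it would just as easily miss a message that names a patient and a condition in words the keyword list does not contain. Pattern rules are a backstop, not a substitute for the awareness training described in the next section.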
The Human Factor
There’s no way to look over your employees’ shoulders and make sure every email, text message and fax they send is encrypted. For one, not every email contains PHI or other sensitive data. For another, people determined to get around controls will find a way to do so.
But the main reason employees send PHI over open networks is not because they’re malicious or want to commit a crime. It’s because they’re simply not aware of their responsibilities. They don’t know when they need to encrypt something, and they often don’t know how to encrypt it.
Health care organizations can address these knowledge gaps through training. Ongoing awareness training should be structured to help employees understand what types of information need to be encrypted and what types do not. It should also go over non-compliance consequences for both the organization (e.g., fines) and the individual employee involved (e.g., termination), and it should review what the organization’s encryption option is and how employees can use it.
When a human factor is involved, education is key to compliance.
The Responsibility of Health Care
Did you know health care employees are 36% more likely to share data such as patient and payment information using non-secure email than those working in the finance industry?[1] The health care industry as a whole lags behind other industries when it comes to information security, and large health care data breaches over the past two years have highlighted weak spots.
Ask yourself: Does your health care organization have on staff a dedicated and experienced security and/or privacy officer who manages your cybersecurity and privacy policies? How often do you perform risk assessments to determine what and where your vulnerabilities are? Are your employees continually educated on their own responsibilities in protecting patient data and other sensitive information?
Answering these questions is crucial to helping ensure you can protect both your patients and your organization. If you come up short, there’s a lot you can do to mitigate risks — and that’s where a firm like Wipfli can help. Our Risk Advisory Services (RAS) Health Care team can help you assess your security risks and implement a customized risk management program for your organization. Contact us to learn more.
[1] Fred Donovan, “Most Healthcare Workers Admit to Non-Secure Healthcare Data Sharing,” HealthITSecurity.com, May 21, 2018, https://healthitsecurity.com/news/most-healthcare-workers-admit-to-non-secure-healthcare-data-sharing, accessed June 14, 2018.
[2] HHS, “Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?” July 26, 2013, https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html, accessed June 14, 2018.