Email Encryption – Under HIPAA, PHI Must be Protected

The revamped Health Insurance Portability and Accountability Act (HIPAA) makes it very clear — if you’re a health care organization and you don’t rigorously protect your patients’ personal health information, you will pay dearly.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), calls for protected health information (PHI) to be rendered unreadable and unusable. Experts agree that encryption is a logical and easy way to protect information in transit, like email.

Tough new law has teeth

Under the new legislation, organizations can be fined up to $1.5 million — up from $25,000 — for violating the rules protecting patients’ privacy. Their business associates are also on the hook if they’re guilty of a data breach. The penalties are no mere slap on the wrist — enforcement will be wide-sweeping and rigorous. State attorneys general have clear and explicit authority to enforce HIPAA’s rules.[4]

Every indication shows they’re ready to take HIPAA data breach violations seriously. Connecticut’s Attorney General, Richard Blumenthal, filed suit against Health Net for a data breach jeopardizing the PHI of 446,000 of its members. It’s the first case of a state attorney general enforcing general HIPAA regulations under HITECH.

Ignoring the law means high fines and bad P.R.

Email is a high-volume communications channel. Even a small percentage of unsecured PHI quickly mounts to a large risk. Unencrypted email containing sensitive data compromises patient privacy. Under HIPAA’s new rules, an organization will be held accountable, with repercussions to its reputation and its bottom line. The greater the volume of email, the higher the risk.

But is this message getting through? In a 2008 security survey[8] for the Healthcare Information and Management Systems Society (HIMSS), sponsored by Booz Allen Hamilton, little more than half of those polled said they were encrypting email. In 2009, a follow-up study for HIMSS conducted by Symantec showed only a small increase in the number that bothered to encrypt data in motion — perplexing, given the enhanced enforcement and stiffer penalties meted out under the new HIPAA laws.

Not encrypting sensitive data in email is a license for trouble. If an organization is caught breaking the new rules, it will face heavy penalties from both a monetary and public relations perspective. “With the theft and loss of so much information, this is a situation in which there are potentially financial and other damages in the picture. This is a public relations issue, and so much has gone on that I don’t see how a provider could avoid penalties or a civil law claim,” said Jud DeLoss, Chair of the Health Information and Technology Practice Group of the American Health Lawyers Association, in an interview with AIS Health.[10]

Quite simply, if health care organizations and their business partners don’t encrypt email containing PHI, they face huge fines, media scrutiny, and public and government censure.