It bothered me because I was asked to email the completed forms back to the dental practice at a free web-based email address. Sending highly confidential personal information like social security numbers, complete health history, financial information, and insurance information through free web-based email services, like Gmail, Hotmail, or Yahoo Mail, without encryption is equivalent to sending the information on a postcard via regular mail. Anyone can read it if they want to. It is just not secure. Even though the healthcare provider had an excellent reputation, this lack of email security gave me cause for concern about the level of data security at the practice. It raised questions like:
- Why is the healthcare practice using free email like Hotmail, Gmail or Yahoo Mail when asking for protected health information (PHI)? Are they not aware that these email methods are not secure?
- Is the practice not aware of the HIPAA security rule that mandates the integrity and security of electronic PHI at all times?
- Does the practice have well documented policies and procedures to handle patient data?
- Why is the practice not using email security services that provide encryption and identity authentication to ensure that no unauthorized person can access protected health data in transit?
- What measures has the practice adopted to ensure the security and integrity of my personal data?
Transmission Security is the final standard listed in the Technical Safeguards section of the HIPAA Security Rule. The HIPAA Security Series document addressing the technical safeguards states that the Transmission Security standard requires a covered entity to "implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network." The standard has two implementation specifications:
1. Integrity controls – the covered entity must ensure that electronically transmitted ePHI is not modified without detection until it is disposed of.
2. Encryption – the covered entity must implement a mechanism to encrypt ePHI whenever deemed appropriate.
The covered entity (CE) is expected to take appropriate and reasonable measures to meet the Transmission Security standard. The CE must conduct a risk analysis of its electronic transmission methods and determine that it has taken adequate measures to protect ePHI in transit, so that the security and integrity of the ePHI is never compromised. Email security and secure text messaging technologies are now affordable for small businesses. Investing in them will help dental practices, physician practices and other CEs develop and implement effective communication channels between themselves and their patients, and improve the quality of patient care and experience.
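To make the first implementation specification concrete, here is a small added example (not from the original post or from any HIPAA guidance document) of what "not modified without detection" means in practice. It wraps a constructed, entirely fictional intake form in an HMAC-SHA256 integrity tag before transmission and checks the tag on receipt, so that any change to the form in transit, such as an altered insurance ID, is detected rather than silently accepted. The key is assumed to be shared between sender and receiver out of band; a plain email attachment carries no such protection. Note that an HMAC provides integrity only, not confidentiality; the second specification, encryption, is met in practice by an authenticated encryption mode such as AES-GCM, which delivers both properties in one step. This example uses only the Python standard library so it runs offline.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample: a patient intake form as a practice might receive it.
# Every value here is made up for the example and identifies no real person.
SAMPLE_FORM = {
    "patient": "Jane Example",
    "ssn": "000-00-0000",
    "insurance_id": "INS-EXAMPLE-1234",
}


def _canonical(form: dict) -> bytes:
    """Serialize the form deterministically so sender and receiver hash identical bytes."""
    return json.dumps(form, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(form: dict, key: bytes) -> dict:
    """Build a transmittable envelope: the form body plus an HMAC-SHA256 tag over it.

    The tag can only be produced by someone holding the shared key, so a recipient
    who verifies it knows the body is exactly what the sender produced.
    """
    body = _canonical(form)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode("utf-8"), "tag": tag}


def verify(envelope: dict, key: bytes) -> Optional[dict]:
    """Return the form if the tag matches the body, otherwise None (tampering detected).

    compare_digest runs in constant time, so the check does not leak how many
    leading tag bytes matched.
    """
    body = envelope["body"].encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(body)


def modified_in_transit(envelope: dict, field: str, new_value: str) -> dict:
    """Simulate an in-transit change to one field while the old tag is left in place.

    This stands in for any corruption or alteration between sender and receiver;
    the receiver's verify() call is what turns the change into a detected event.
    """
    data = json.loads(envelope["body"])
    data[field] = new_value
    return {"body": _canonical(data).decode("utf-8"), "tag": envelope["tag"]}


if __name__ == "__main__":
    # The shared key must be exchanged out of band, never sent alongside the form.
    shared_key = secrets.token_bytes(32)

    envelope = protect(SAMPLE_FORM, shared_key)
    print("intact form accepted:", verify(envelope, shared_key) == SAMPLE_FORM)

    altered = modified_in_transit(envelope, "insurance_id", "INS-EXAMPLE-9999")
    print("altered form rejected:", verify(altered, shared_key) is None)

    wrong_key = secrets.token_bytes(32)
    print("wrong key rejected:", verify(envelope, wrong_key) is None)
```

The receiving side should treat a `None` result as a security event to log and investigate, not merely as a malformed submission to ask the patient to resend.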