Rules For Sending And Receiving Protected Health Information (PHI)

HIPAA requires that covered entities (organizations who provide treatment to patients, bill insurance plans, or create protected health information (PHI)) must protect their PHI. This protection extends to sending and receiving PHI. Moreover, there are specific rules for how to send PHI to outside entities like other practices, insurance companies, and patients themselves.

First, let's define Protected Health Information.

  • Protected Health Information is medical information that contains any of the following uniquely identifying characteristics:
    • Names
    • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
    • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Phone numbers
    • Fax numbers
    • Email addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Universal Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger and voice prints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code
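The list above is the Safe Harbor de-identification standard: strip the direct identifiers, reduce a zip code to its three-digit prefix (or 000 where that prefix covers 20,000 or fewer people), keep only the year of any date, and collapse ages over 89 into a single "90 or older" bucket. The following is an added example of those rules applied to one record; it is not code from the article. The field names, the sample record, and the restricted zip prefixes are constructed for the demo, and the real prefix set must be maintained from current Census data.

```python
"""Safe Harbor de-identification helper (added example, not from the article)."""
import re
from datetime import date

# Assumption: illustrative sample only. The real set is every three-digit zip
# prefix covering 20,000 or fewer people per current Census data.
RESTRICTED_ZIP_PREFIXES = {"036", "059", "063", "102", "203"}

# Fields that are always dropped: names, contact details, record/account/
# beneficiary numbers, device and vehicle identifiers, URLs, IPs, biometrics.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip", "photo", "biometric",
}

# Patterns used to flag identifiers hiding in free-text notes.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code):
    """Keep only the three-digit prefix, or 000 if that prefix is restricted."""
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP_PREFIXES else prefix


def generalize_date(d):
    """Reduce a date to its year, the only date element Safe Harbor allows."""
    return str(d.year)


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90-or-older category."""
    return "90 or older" if age > 89 else str(age)


def age_on(birth, as_of):
    """Whole years between a birth date and a reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def find_identifiers(text):
    """Return the identifier types whose patterns occur in free text."""
    return sorted(k for k, p in IDENTIFIER_PATTERNS.items() if p.search(text))


def deidentify(record, as_of):
    """Return a de-identified copy of a record plus free-text identifier flags."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[field + "_year"] = generalize_date(value)
        else:
            out[field] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("birth_date_year", None)  # a birth year would reveal age > 89
    # Notes are kept but flagged so a human reviews them before release.
    flags = find_identifiers(record.get("notes", ""))
    return out, flags


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Doe",
    "mrn": "MRN-000123",
    "zip": "63017",
    "birth_date": date(1930, 5, 20),
    "admission_date": date(2023, 2, 14),
    "diagnosis": "hypertension",
    "notes": "Patient can be reached at 636-555-0100 or jane@example.com.",
}
AS_OF = date(2023, 2, 14)

if __name__ == "__main__":
    cleaned, flags = deidentify(SAMPLE, AS_OF)
    print(cleaned)
    print("free-text notes still contain:", flags)
```

Note that the notes field is the weak spot: structured fields can be generalized mechanically, but free text has to be searched and reviewed, which is why the helper returns the flags separately instead of silently passing the record as de-identified.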

That’s a pretty hefty list of uniquely identifying characteristics. Basically, if you can use a piece of information to single a person’s medical information out, all of the information becomes Protected Health Information.

Sending PHI through email

The most common way to exchange information these days is via email. This will likely be the easiest way to get patient records over to other practices or to send a record to a patient who is requesting something. Consequently, it’s important to distinguish between standard email and encrypted email. Many practices assume that because their email system uses SSL or TLS encryption, it’s encrypted to HIPAA standards and they never give it another thought. Almost all email systems (Gmail, Hotmail, Yahoo, GoDaddy, Microsoft Exchange, Outlook.com, AOL, etc.) are encrypted with either SSL or TLS. This protects the message in transit between mail servers so it can’t be read somewhere between the sender and the receiver, but it does nothing once the message is sitting in the sender’s or recipient’s mailbox, and it doesn’t confirm who is reading it. HIPAA says this is not enough.

HIPAA requires that when sending an email containing PHI, you accomplish three things:

  • Encrypt the PHI so that it can’t be intercepted by an unintended party.
  • Verify the identity of the receiving party before they can open the encrypted email attachment.
  • Have a way to revoke access to the encrypted attachment when it is no longer needed, or if it was sent in error.

To achieve all three of these goals, generally your practice will want to employ an email encryption service like Virtru or Hushmail. These services separate the file attachment (which you can use to send PHI) from the rest of the email so that PHI isn’t stored in non-secure ways. They make users on the receiving end of the email confirm their identity before allowing the file attachment to be viewed. And they allow the file attachment to be revoked at any time, either by setting an expiration date or by manually revoking access. Also, your practice will need a Business Associate Agreement on file with any encryption service you decide to use. The encryption service has to prove they will be protecting your PHI while it is being transferred or stored on their systems.

Using a standard email account without a secure encrypted file attachment to send PHI is a violation of the HIPAA security and privacy rules. There is nothing to stop an unintended recipient from opening a sensitive attachment and there is no way to revoke access to the PHI after the email is sent.

As with all communications involving PHI, you should be logging any time you send or receive PHI. A patient has the right to know who you sent their PHI to. Your practice software likely has a place for you to log these PHI disclosures.

Sending PHI through the mail

When sending PHI through the mail, you must use certified mail or a similar service that requires a signature from the recipient. This is to ensure that any PHI makes it to its destination. If you don’t have a record of when the PHI was both sent and received, you can’t be sure who has the PHI if you were audited. And if a patient wanted a complete list of all entities that have access to their PHI, you couldn’t give them an accurate list without proper record keeping. With certified mail, you will have access to a signature of the person who received the letter and a date and time when they received it.

Using standard mail is not allowed because of the lack of tracking inherent to standard mail.

Face to face and phone conversations

Face to face conversations and phone calls are both common ways practices disclose PHI. All PHI disclosures should be tracked. Accordingly, you must keep a log if you gave out PHI via conversation or phone call. Again, the patient has a right to know who has access to their PHI. If you communicated PHI to another doctor, for instance, and now that doctor is aware of your patient’s medical information, your patient has the right to know that.
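The email, mail, and conversation sections all come back to the same requirement: every disclosure is logged with enough detail to answer a patient’s request for an accounting. The following is an added example of such a log; it is not code from the article or from any product the article names. It records the proof each method calls for (the encryption service used for email, the certified-mail tracking number and delivery signature for postal mail, the counterpart for phone or in-person disclosures), checks each entry against the rules the article states, and hash-chains the entries so a later edit or deletion is detectable. The recipients, dates, and tracking numbers are constructed.

```python
"""Accounting-of-disclosures log (added example, not from the article)."""
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass
class Disclosure:
    patient_id: str
    recipient: str
    method: str                   # "email", "mail", "phone", "in_person", "fax"
    purpose: str
    when: str                     # ISO 8601 timestamp of the disclosure
    encryption_service: str = ""  # email: service with a BAA on file
    tracking_number: str = ""     # mail: certified-mail tracking number
    signed_by: str = ""           # mail: name on the delivery signature


def validate(d):
    """Return the rule problems for one disclosure (empty list if compliant)."""
    problems = []
    if d.method == "email" and not d.encryption_service:
        problems.append("email without encryption service")
    if d.method == "mail":
        if not d.tracking_number:
            problems.append("mail without certified tracking")
        if not d.signed_by:
            problems.append("mail delivery not yet signed for")
    if d.method == "fax":
        problems.append("fax used; last resort only")
    return problems


def _digest(prev, entry):
    """Hash of the previous chain value plus this entry's canonical JSON."""
    payload = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev + payload).encode()).hexdigest()


class DisclosureLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # list of (entry dict, chain hash)

    def record(self, d):
        """Append a disclosure. Non-compliant ones are still logged, and the
        problems are returned so they can be remediated rather than hidden."""
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        entry = asdict(d)
        self.entries.append((entry, _digest(prev, entry)))
        return validate(d)

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = self.GENESIS
        for entry, digest in self.entries:
            if _digest(prev, entry) != digest:
                return False
            prev = digest
        return True

    def accounting_for(self, patient_id):
        """The list a patient is entitled to: who got their PHI, how, and why."""
        return [(e["when"], e["recipient"], e["method"], e["purpose"])
                for e, _ in self.entries if e["patient_id"] == patient_id]


def build_sample_log():
    """Constructed sample disclosures; returns the log and each entry's problems."""
    log = DisclosureLog()
    results = {
        "email_ok": log.record(Disclosure(
            "P-1001", "Dr. Smith, Example Cardiology", "email", "referral",
            "2023-02-14T10:05:00", encryption_service="ExampleSecureMail")),
        "mail_ok": log.record(Disclosure(
            "P-1001", "Example Insurance Co.", "mail", "claim",
            "2023-02-15T09:00:00", tracking_number="CM0000000001",
            signed_by="R. Clerk")),
        "phone": log.record(Disclosure(
            "P-1001", "Dr. Jones", "phone", "consult", "2023-02-16T15:30:00")),
        "email_bad": log.record(Disclosure(
            "P-1002", "patient", "email", "records request",
            "2023-02-17T11:00:00")),
    }
    return log, results


if __name__ == "__main__":
    log, results = build_sample_log()
    for name, problems in results.items():
        print(name, "->", problems or "ok")
    print("chain intact:", log.verify())
    print("accounting for P-1001:", log.accounting_for("P-1001"))
```

The design choice worth noting is that record() never refuses an entry: a disclosure that happened must be in the log even if it was done the wrong way, because that is exactly the entry you will need when deciding whether a breach has to be reported.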

Faxing PHI

Faxing is considered a gray area as far as HIPAA is concerned. HIPAA recognizes that fax machines are sometimes the only way for one practice to quickly send information to another entity. Conversely, HIPAA is aware that fax technology is inherently insecure. Faxes can be intercepted via phone tap, and generally fax machines just print out any fax that comes through and leave it sitting in the tray for all to see. These problems are hard to overcome for most practices; nonetheless, you can make some headway in securing your fax to eliminate many chances of a breach occurring.

The HIPAA security rule says that fax machines should be kept behind a locked door. This way non-employees cannot easily access any faxes that may have printed out, but not been picked up yet. And if your fax machine supports it, faxes should be stored in the fax machine’s memory until an authorized user signs in to the fax machine and prints them out.

I expect that as secure encrypted email becomes more prevalent, the HIPAA security rule will be updated to remove faxing from the list of approved methods to send PHI.

You should get in the practice now of avoiding faxes that contain PHI and only use this method as a last resort.

The Importance of Encryption for HIPAA Compliance

Encryption... what does it mean to encrypt something? Why is it important? And why is it particularly important for covered entities and business associates in the health services industry? What can you do to make sure your data is encrypted while it is being transferred from one place to another and while it is at rest on servers and backup drives? These are all questions I am asked regularly when I do initial HIPAA risk assessments and audits. My clients tend to downplay the importance of encryption initially until they fully understand the risks of not encrypting data properly.

Encryption is defined as the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. If you were to send a file across the internet in a non-encrypted format, it could be intercepted anywhere along the way and you would have no idea that your data had been breached. Additionally, if you were to store data on a storage device in a non-encrypted format, and that device was lost or stolen, your data would be accessible to anyone. Using encryption nullifies both of those scenarios by only allowing someone with your secret encryption key to decrypt the data and read it.
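The two scenarios in the paragraph above (a file intercepted in transit, a device lost with data on it) can be made concrete. The following is an added example, not code from the article: a record is encrypted under a key derived from a passphrase, the stored bytes contain nothing readable, decrypting with the wrong key is refused instead of producing garbage, and any change to the stored bytes is detected. It uses only the Python standard library so it runs anywhere: the keystream is HMAC-SHA256 in counter mode with an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC), and the key comes from PBKDF2. For real data at rest a practice should rely on full-disk encryption or a vetted authenticated cipher such as AES-GCM from a maintained crypto library; this construction is here to make the mechanics visible, not to replace those tools. The record text and passphrase are constructed.

```python
"""Encrypt-at-rest demonstration (added example, not from the article)."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def derive_keys(passphrase, salt):
    """PBKDF2 -> 64 bytes: first half encrypts, second half authenticates."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF over (nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase, plaintext):
    """Return salt || nonce || ciphertext || tag (tag covers salt, nonce, ct)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase, blob):
    """Verify the tag first; only then decrypt. Raises ValueError on failure."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or data modified")
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def try_decrypt(passphrase, blob):
    """Convenience wrapper: plaintext on success, None when decryption is refused."""
    try:
        return decrypt(passphrase, blob)
    except ValueError:
        return None


# Constructed sample record and passphrase; both are fictional.
RECORD = b"Patient: Jane Doe, MRN 000123, diagnosis: hypertension"
PASSPHRASE = "correct horse battery staple"

if __name__ == "__main__":
    blob = encrypt(PASSPHRASE, RECORD)
    print("stored bytes readable?", b"Jane Doe" in blob)        # False
    print("right key:", try_decrypt(PASSPHRASE, blob))
    print("wrong key:", try_decrypt("guess", blob))             # None
    tampered = blob[:40] + bytes([blob[40] ^ 1]) + blob[41:]
    print("tampered:", try_decrypt(PASSPHRASE, tampered))       # None
```

The point the demo makes beyond the paragraph is that encryption alone is not the whole story: the tag check is what turns "someone changed the backup" from silent corruption into a detected event, and the salt and iteration count are what keep a stolen encrypted drive from yielding to a fast passphrase guess.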

For the purposes of HIPAA compliance, encryption is absolutely necessary for one particular category of data: protected health information (PHI). This includes patient medical records, personal patient information like phone numbers, addresses, and social security numbers. Encryption of PHI is important for a few reasons. First, and foremost, you have a duty to your patients to keep their personal information safe from unauthorized access. One quick way to lose patients and your practice is to betray patient trust. Additionally, as a covered entity or business associate you are bound by federal law to protect PHI from breach or loss. The Office of Civil Rights has the authority to fine you up to $50,000 per record breached or lost if they deem that you haven’t implemented and followed a good faith HIPAA compliance plan.

What is a practice to do? How can you be sure your PHI is encrypted? There are three places you’ll want to double check for encryption. During our HIPAA audits we most commonly find that practices aren’t employing encryption when emailing patient health records to other practices or to the patients themselves. This is a fairly easy problem to fix. There are a multitude of available email encryption services such as Virtru, Office 365 Encrypted Email, and Hushmail. These services generally integrate directly into your browser or Microsoft Outlook so that it’s as easy as pressing a button to convert any email into an encrypted email that requires the user at the other end to verify their identity to receive the email.

It is more complicated to find out if the other two categories have HIPAA compliant encryption enabled. These two areas are data stored on devices like servers, desktops, laptops, and mobile phones, and, separately, data stored on backup devices and backed up to the cloud. You will want to contact a HIPAA compliant IT specialist to verify that your devices and backup storage are HIPAA compliant. An IT specialist can tell you what level of encryption you are using and whether the encryption is turned on and configured properly. Additionally, in the case of a cloud backup service, the IT specialist can make sure that the cloud provider is HIPAA compliant themselves and is willing to sign a Business Associate Agreement (BAA) for your practice and share some of the liability for storing that sensitive data.

J.J. Micro IT Consulting is available for a free HIPAA risk assessment. During that assessment we will look for proper encryption methods in addition to possible HIPAA compliance issues in the categories of security, privacy, and administrative procedures. Please give us a call at 636-556-0009 to schedule an appointment today.