Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants

Share this article on:

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed after it was discovered that protocols for sending sensitive information securely had not been followed.

No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers, dates of birth, visit dates, nursing notes, medication and vaccination information could potentially have been intercepted and viewed by unauthorized individuals.

BJC HealthCare has established protocols for communicating sensitive information, although in January it was discovered that those protocols had not been used for communicating personally identifiable information of Raising St. Louis participants to program partners for a period of three years between January 17, 2014 and January 9, 2017. The correct protocol for emailing sensitive data has now been adopted and staff members have been re-educated and instructed to only send sensitive data via encrypted email.

An internal investigation did not uncover any evidence to suggest that emails had been intercepted or viewed by unauthorized individuals, although the possibility could not be ruled out.

HIPAA and Email Encryption

The HIPAA Security Rule does not prohibit the sending of ePHI via email, although any data sent via an open network must be appropriately secured and controls implemented to prevent unauthorized access (See 45 CFR § 164.312(e)).

Prior to ePHI being communicated via email, a covered entity must assess the available security controls that can be applied to safeguard the confidentiality, integrity, and availability of ePHI. An appropriate solution should be applied and the decision process behind the use of that solution should be documented.

HIPAA does not specify which protection must be used, although access controls for data in motion should comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On