Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed after it was discovered that protocols for sending sensitive information securely had not been followed.

No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers, dates of birth, visit dates, nursing notes, medication and vaccination information could potentially have been intercepted and viewed by unauthorized individuals.

BJC HealthCare has established protocols for communicating sensitive information, although in January it was discovered that those protocols had not been used for communicating personally identifiable information of Raising St. Louis participants to program partners for a period of three years between January 17, 2014 and January 9, 2017. The correct protocol for emailing sensitive data has now been adopted and staff members have been re-educated and instructed to only send sensitive data via encrypted email.

An internal investigation did not uncover any evidence to suggest that emails had been intercepted or viewed by unauthorized individuals, although the possibility could not be ruled out.

HIPAA and Email Encryption

The HIPAA Security Rule does not prohibit the sending of ePHI via email, although any data sent via an open network must be appropriately secured and controls implemented to prevent unauthorized access (See 45 CFR § 164.312(e)).

Prior to ePHI being communicated via email, a covered entity must assess the available security controls that can be applied to safeguard the confidentiality, integrity, and availability of ePHI. An appropriate solution should be applied and the decision process behind the use of that solution should be documented.

HIPAA does not specify which protections must be used, although safeguards for data in motion should comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs.
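As an added illustration (not code from BJC HealthCare or HIPAA Journal), the following Python sender applies the transport policy described above: it refuses to hand a PHI-bearing message to an SMTP relay that does not advertise STARTTLS, and negotiates TLS 1.2 or later with server certificate and hostname verification, in line with NIST SP 800-52. The relay host, port and mailbox addresses are assumptions.

```python
import smtplib
import ssl
from email.message import EmailMessage


def strict_tls_context() -> ssl.SSLContext:
    """TLS policy modelled on NIST SP 800-52: TLS 1.2+, certificate required, hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when a context enforces the minimum transport policy for ePHI."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


class UnencryptedTransport(Exception):
    """Raised when a PHI-bearing message would otherwise leave over an open channel."""


def transport_allowed(ehlo_extensions: dict, contains_phi: bool) -> bool:
    """Decide whether a message may be handed to a relay.

    ehlo_extensions is the dict smtplib fills in after EHLO (lower-case extension
    names as keys). Messages without PHI may travel over plain SMTP; anything
    carrying PHI requires the relay to offer STARTTLS, with no plaintext fallback."""
    if not contains_phi:
        return True
    return "starttls" in ehlo_extensions


def send_phi_email(host: str, sender: str, recipient: str, subject: str,
                   body: str, port: int = 587) -> str:
    """Send a PHI-bearing message over TLS, or refuse rather than fall back to plaintext."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP(host, port, timeout=30) as smtp:  # host/port are assumed values
        smtp.ehlo()
        if not transport_allowed(smtp.esmtp_features, contains_phi=True):
            raise UnencryptedTransport(f"{host} does not offer STARTTLS; message not sent")
        smtp.starttls(context=strict_tls_context())  # ssl.SSLError on bad cert or TLS < 1.2
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        smtp.send_message(msg)
    return "sent over TLS"
```

A relay that silently downgrades to plaintext would have produced exactly the exposure described in this article; the policy check makes that a hard failure that shows up in logs instead.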

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.