
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Risks of HIPAA Compliance Failures with Email

There are many ways that the HIPAA Rules can be violated via email, from simple errors involving protected health information being emailed to incorrect individuals to email security failures that allow hackers to obtain email credentials and gain access to huge amounts of sensitive patient data. Email is relied upon by HIPAA-covered entities but there is considerable potential for HIPAA violations with email. Some of the most common email risks that can result in HIPAA violations are discussed below.

Using an Email Vendor That is Not HIPAA-Compliant

If ePHI is sent via email, the email service provider is classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity. It is not possible to obtain a BAA for a free consumer email service such as Gmail, Yahoo, Hotmail, or AOL. Using such a service for ePHI is a HIPAA violation, not only because of the missing BAA but also because these services do not generally provide sufficiently robust security. Even when a HIPAA-compliant email service is used, it may not be compliant in its default settings: for example, encryption may not be enforced for messages containing ePHI, which can result in exposure or impermissible disclosure. The default configuration should therefore be reviewed against the Security Rule before any ePHI is sent through the service.

Failure to Implement Policies and Procedures for Email

One of the biggest risks of HIPAA violations comes from insufficient or non-existent policies and procedures for email. Even with a fully compliant email service in place, there is considerable potential for errors by employees that can result in the exposure or impermissible disclosure of ePHI. Policies must be developed and implemented on email use, communicating with patients via email, and how and when ePHI may be shared via email. Staff must receive training in the handling and transmission of ePHI and be made aware of their responsibilities under HIPAA.

Failure to Implement Adequate Access Controls

Many data breaches reported to OCR involve compromised email accounts, often the result of phishing, social engineering, stolen passwords, and brute force attacks. Email accounts are targeted by cybercriminals because they often contain valuable data, and a compromised account can provide the access required for a much more extensive compromise. The HIPAA Security Rule requires safeguards to prevent unauthorized access to ePHI and includes a person or entity authentication standard (45 CFR § 164.312(d)); the Privacy Rule separately requires verification of the identity of anyone requesting PHI (45 CFR § 164.514(h)). While password security is barely mentioned in the HIPAA Rules and multi-factor authentication is not mentioned at all, a regulated entity’s risk analysis should highlight the importance of these authentication measures. Suitable controls include implementing and enforcing password policies that prevent employees from setting weak, easily guessed passwords, and multi-factor authentication so that a compromised password alone does not grant access. Because one-time codes can be relayed by a real-time phishing site, phishing-resistant methods such as FIDO2 security keys or passkeys are the stronger choice for email accounts.

Failure to Implement Technical Safeguards Against Phishing and Malware

Email is one of the most common initial access vectors. Email credentials can provide a foothold in a network, and compromised accounts can be used for distributing phishing emails, malware, and business email compromise attacks. The HIPAA Security Rule requires technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI, which includes protecting against phishing and malware. A risk analysis should be conducted that should highlight email security risks and appropriate technical controls should be implemented to reduce those risks to an acceptable and low level. Technical safeguards that should be considered include spam filters, anti-phishing solutions, data loss prevention solutions, email archiving solutions, antivirus software, and other endpoint security solutions.

Misdirected Emails

In OCR’s 2023 report to Congress on the Breach Notification Program, OCR explained that most of the data breaches and privacy violations reported by HIPAA-regulated entities involve small breaches of ePHI – fewer than 500 records. In 2022, there were 63,966 reports of small breaches, 6% of which (3,731 incidents) involved email. As was the case in previous years, many of these breaches were due to misdirected communications such as emails sent to incorrect recipients or the wrong data attached to emails.

In 2023, human error was the leading cause of healthcare data breaches according to Verizon’s 2024 Data Breach Investigations Report (DBIR), with the most common error being the misdelivery of paper records and emails. In addition to HIPAA violations involving misdirected emails, there is a risk of accidental ePHI disclosure when attaching files to emails. Attaching an incorrect file can result in the impermissible disclosure of patient data.

In January, Littleton Regional Healthcare discovered that a file containing the ePHI of more than 12,600 individuals had been sent to someone not authorized to receive the data. A similar breach occurred at BayCare’s Winter Haven Hospital when an employee accidentally attached a cardiac rehabilitation department file to an email sent to patients. A breach at CareOregon resulted in the impermissible disclosure of the ePHI of more than 10,000 individuals, and a breach at First Care Health Plans involved the impermissible disclosure of the ePHI of more than 8,000 plan members.

Failure to Notify Patients About Email Risks

The HIPAA Privacy Rule allows healthcare providers to communicate with patients electronically, including via email, provided reasonable safeguards are applied when doing so. Since there is the potential for unintended disclosures of ePHI, training must be provided to employees on the importance of carefully checking email addresses.

Email encryption is not mandatory when communicating with patients via email; however, safeguards are still required, such as limiting the information disclosed by email to the minimum necessary, and the transmission must meet the Security Rule standards in 45 C.F.R. Part 164, Subpart C. Patients must also be advised of the risks of receiving unencrypted ePHI by email so that they can make an informed decision about whether they want to receive ePHI that way, and a patient’s decision to accept unencrypted email after that warning should be recorded.

Failure to Encrypt Emails

If ePHI is communicated via email with other covered entities or business associates, the communications must comply with the standards of the HIPAA Security Rule. These include access control (45 CFR § 164.312(a)(1)), integrity (§ 164.312(c)(1)), and transmission security (§ 164.312(e)(1)); the latter has two addressable implementation specifications, integrity controls (§ 164.312(e)(2)(i)) and encryption (§ 164.312(e)(2)(ii)).

The addressable status of the encryption specification does not make it optional in practice. Under 45 CFR § 164.306(d), an addressable specification may only be omitted where a documented risk analysis shows it is not reasonable and appropriate and an equivalent alternative is in place, and the risk of interception of email on the open internet makes that hard to justify, so emails containing ePHI sent outside the organization should be encrypted. BJC HealthCare had email encryption in place but discovered that the procedure for using it had not been followed for three years, which shows the value of an automated encryption solution that does not rely on each sender doing the right thing. Cummins Behavioral Health Systems had email encryption, but the software failed during a server outage and ePHI was sent in plaintext emails. Automation therefore needs to fail closed: when the encryption service is unavailable, messages should be queued or rejected rather than delivered unencrypted.
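The fail-closed point above, as an added example that is not part of the original article or any vendor's product: a sender that refuses to transmit ePHI unless TLS has actually been negotiated, beside the fail-open pattern that produces plaintext-after-outage incidents. The two peer classes are constructed stand-ins for an SMTP relay so the demo runs offline (a real smtplib.SMTP object exposes the same ehlo/has_extn/starttls/send_message calls), and the addresses and message body are assumptions.

```python
"""Fail-closed transmission of ePHI over SMTP: the message is held unless
TLS is actually negotiated. Added example, not The HIPAA Journal's or any
vendor's code. The two peer classes are constructed stand-ins for a relay
so the demo runs offline; with a real server pass an smtplib.SMTP object."""
import smtplib
import ssl
from email.message import EmailMessage


class TransmissionSecurityError(RuntimeError):
    """Raised when ePHI would otherwise leave the organization in plaintext."""


def send_fail_open(server, msg):
    """The anti-pattern behind plaintext-after-outage incidents: encryption is
    attempted, but any failure silently falls back to an unencrypted send."""
    server.ehlo()
    try:
        server.starttls(context=ssl.create_default_context())
        server.ehlo()
    except Exception:
        pass  # encryption unavailable, yet the message still goes out below
    server.send_message(msg)
    return "sent"


def send_fail_closed(server, msg):
    """Hardened form: no STARTTLS offer, a failed handshake or a weak protocol
    means the message is held for retry, never downgraded to plaintext."""
    ctx = ssl.create_default_context()          # verifies the peer certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    server.ehlo()
    if not server.has_extn("starttls"):
        raise TransmissionSecurityError("peer offers no STARTTLS; message held")
    try:
        server.starttls(context=ctx)
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        raise TransmissionSecurityError(f"TLS negotiation failed: {exc}") from exc
    version = server.sock.version()             # ssl.SSLSocket after STARTTLS
    if version not in ("TLSv1.2", "TLSv1.3"):
        raise TransmissionSecurityError(f"negotiated {version}; message held")
    server.ehlo()                               # re-read capabilities post-TLS
    server.send_message(msg)
    return "sent"


class _FakeTLSSocket:
    def version(self):
        return "TLSv1.3"


class EncryptingPeer:
    """Constructed stand-in for a relay that offers and completes STARTTLS."""
    def __init__(self):
        self.sock, self.encrypted, self.sent = None, False, []

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() == "starttls"

    def starttls(self, context=None):
        self.encrypted, self.sock = True, _FakeTLSSocket()

    def send_message(self, msg):
        self.sent.append((str(msg["Subject"]), self.encrypted))


class OutagePeer(EncryptingPeer):
    """Constructed stand-in for the outage case: STARTTLS is advertised, but
    the handshake fails because the encryption gateway behind it is down."""
    def starttls(self, context=None):
        raise smtplib.SMTPException("454 TLS not available due to temporary reason")


def run_demo():
    """Send one constructed referral through both peers with both senders;
    returns {(peer, mode): outcome} so the difference is visible."""
    msg = EmailMessage()
    msg["From"] = "records@clinic.example"      # assumed addresses
    msg["To"] = "referrals@partner.example"
    msg["Subject"] = "Referral (constructed sample, no real ePHI)"
    msg.set_content("MRN 00123456, DOB 04/02/1980: cardiology referral attached.")
    outcomes = {}
    for peer_name, peer_cls in (("tls", EncryptingPeer), ("outage", OutagePeer)):
        for mode, send in (("fail_open", send_fail_open), ("fail_closed", send_fail_closed)):
            peer = peer_cls()
            try:
                send(peer, msg)
                outcomes[(peer_name, mode)] = f"sent encrypted={peer.encrypted}"
            except TransmissionSecurityError as exc:
                outcomes[(peer_name, mode)] = f"held: {exc}"
    return outcomes


if __name__ == "__main__":
    for key, outcome in run_demo().items():
        print(key, "->", outcome)
```

The only difference between the two senders is what happens when STARTTLS is not available: the fail-open version still calls send_message, which is exactly how an outage in an encryption gateway turns into plaintext ePHI on the wire, while the fail-closed version raises and leaves the message for the queue to retry.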

Emailing Sensitive Data to Personal Email Accounts

This year, the Texas Health and Human Services Commission discovered that an employee had been emailing spreadsheets containing patient data to a personal email account for more than a month, exposing the data of almost 3,400 patients. Rutgers Robert Wood Johnson Medical School discovered that a former employee had emailed patient data to their personal email account, and Village of Oak Park Health Plan, Texas Children’s Health Plan, and Orlando VA Medical Center experienced similar breaches. The risk is greatest when employees are terminated or otherwise leave employment, as they may be tempted to take patient lists to a new employer, so offboarding should include a review of the departing employee’s recent outbound email. Data loss prevention solutions can scan outbound emails and attachments and automatically block attempts to send ePHI to personal email accounts.

Email Address Exposure

The exposure of email addresses is one of the least serious types of data breaches, but there is still potential for harm. When sending emails to mailing lists, the addition of email addresses to the CC rather than BCC field makes the email addresses viewable to all recipients of the email. These incidents typically only expose limited ePHI, such as email addresses and revealing individuals as current patients of a facility; however, it may also be possible to infer medical conditions from inclusion in the email. Recent incidents include email address exposure at One Medical, Henrico Doctors’ Hospital, and Ascension Eastwood Clinic, each of which affected around 1,000 patients.
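The data loss prevention check described under "Emailing Sensitive Data to Personal Email Accounts" and the CC/BCC exposure described above, as one added example that is not code from The HIPAA Journal or any DLP product: an outbound policy check that holds a message when ePHI indicators are addressed to personal webmail, or when more than a handful of external addresses are visible in To/Cc. The organization domain, the threshold, the identifier patterns and the three sample messages are constructed for the demo and would be tuned to the entity's own data.

```python
"""Outbound e-mail policy check covering two failure modes: ePHI addressed
to personal webmail, and patient addresses exposed in To/Cc. Added example,
not a product's rules or The HIPAA Journal's code. The organization domain,
webmail list, threshold and PHI patterns are assumed for the demo."""
import re
from email.message import EmailMessage
from email.utils import getaddresses

ORG_DOMAIN = "clinic.example"                       # assumed
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com",
                    "outlook.com", "icloud.com"}      # first four named on the page
MAX_VISIBLE_EXTERNAL = 5                            # assumed To/Cc threshold
PHI_PATTERNS = {                                    # assumed identifier formats
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[\s:]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc, never Bcc."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses([str(f) for f in fields]) if addr]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def phi_hits(msg):
    """Count PHI indicators in text parts and text-like attachments (csv, txt)."""
    hits = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        if part.get_content_maintype() != "text" and not name.endswith((".csv", ".txt")):
            continue   # binary formats (PDF, DOCX) would need their own extractor
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for label, pattern in PHI_PATTERNS.items():
            n = len(pattern.findall(text))
            if n:
                hits[label] = hits.get(label, 0) + n
    return hits


def evaluate(msg):
    """Return a decision and the reasons; 'block' means hold for review."""
    rcpts = visible_recipients(msg)
    external = [a for a in rcpts if domain_of(a) != ORG_DOMAIN]
    personal = [a for a in rcpts if domain_of(a) in PERSONAL_WEBMAIL]
    hits = phi_hits(msg)
    reasons = []
    if hits and personal:
        reasons.append("ePHI (%s) addressed to personal webmail: %s"
                       % (", ".join(sorted(hits)), ", ".join(personal)))
    if len(external) > MAX_VISIBLE_EXTERNAL:
        reasons.append("%d external addresses visible in To/Cc; use Bcc or one "
                       "message per recipient" % len(external))
    return {"decision": "block" if reasons else "allow", "reasons": reasons, "phi": hits}


def constructed_samples():
    """Three constructed messages (no real data): exfiltration to webmail,
    a CC-list mailing, and a legitimate internal hand-off."""
    webmail = EmailMessage()
    webmail["From"] = "j.doe@clinic.example"
    webmail["To"] = "jdoe.personal@gmail.com"
    webmail["Subject"] = "patient list"
    webmail.set_content("Spreadsheet attached.")
    webmail.add_attachment("MRN,Name,SSN\n00123456,Pat One,123-45-6789\n"
                           "00123457,Pat Two,987-65-4321\n",
                           subtype="csv", filename="patients.csv")

    mailing = EmailMessage()
    mailing["From"] = "cardiac.rehab@clinic.example"
    mailing["To"] = ", ".join("patient%d@mail%d.example" % (i, i) for i in range(8))
    mailing["Subject"] = "Cardiac rehab schedule change"
    mailing.set_content("Sessions move to Tuesdays from next month.")

    internal = EmailMessage()
    internal["From"] = "j.doe@clinic.example"
    internal["To"] = "nurse@clinic.example"
    internal["Subject"] = "follow-up"
    internal.set_content("MRN 00123456, DOB 04/02/1980 needs a follow-up call.")
    return webmail, mailing, internal


if __name__ == "__main__":
    for sample in constructed_samples():
        print(sample["Subject"], "->", evaluate(sample))
```

The second rule only looks at To and Cc, which is the point of the CC/BCC incidents: the same eight patients placed in Bcc produce an empty visible list and the message is allowed. The first rule is deliberately narrow (identifier patterns plus a webmail domain) so it can run inline on a mail gateway; broader classifiers and binary attachment extraction sit on top of it.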

Failure to Comply with Patient Requests Not to Receive Email Communications

The HIPAA Omnibus Rule strengthened patient rights, including the right to opt out of fundraising communications, and most marketing uses of protected health information require the patient’s written authorization. Separately, the Privacy Rule lets patients request that communications be sent by an alternative means or to an alternative location (45 CFR § 164.522(b)), and a provider must accommodate such a request when it is reasonable. Failure to act on these requests violates patient rights and results in the transmission of unwanted emails. In 2010, before the Omnibus Rule, the HHS Office for Civil Rights entered into a resolution agreement with Management Services Organization Washington Inc. over the disclosure of PHI to a subsidiary for marketing purposes.

Reducing Email Compliance Risks

The causes of these HIPAA violations are quite diverse, but these violations are relatively easy to prevent. Email risks should be identified by a risk analysis and should be addressed through risk management practices. Email security can be improved with spam filters, email encryption, multifactor authentication, and data loss prevention tools. Administrative safeguards include password policies, procedures for email, and regular staff HIPAA compliance and security awareness training.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
