Healthcare Data Privacy

Cybersecurity Best Practices for Travelling Healthcare Professionals

In its December cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) offered cybersecurity best practices for travelling healthcare professionals to help them prevent malware infections and the exposure of patients’ protected health information (PHI).

Many healthcare professionals will be travelling to see their families over the holidays and will be taking work-issued devices with them on their travels, which increases the risk to the confidentiality, integrity, and availability of PHI.

Using work-issued laptops, tablets, and mobile phones in the office or at home offers some protection from cyberattacks and malware infections. Using the same devices to connect to the Internet at cafes, coffee shops, hotels, and other public Wi-Fi access points increases the risk of a malware infection or man-in-the-middle attack. Even charging a portable device at a public USB charging point in a hotel or airport can result in malware being transferred, since a USB port carries data as well as power.

Malware and cyberattacks can expose the data stored on the device, but the consequences can go further: stolen login credentials can lead to a substantial data breach, and malware can be carried onto your organization’s network when you return to work.

Ensure Travel is Covered in Your Risk Analysis

HIPAA-covered entities and business associates must conduct a risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI. The risk analysis must include the risks when healthcare professionals travel, be it on holiday or for business trips. Vulnerabilities and risks identified by the risk assessment must then be managed and reduced to an acceptable and appropriate level through a HIPAA-compliant risk management process.

OCR’s Suggested Cybersecurity Best Practices for Travelling Healthcare Professionals

The following cybersecurity best practices for travelling healthcare professionals are particularly relevant during the holiday season, but apply whenever work-issued devices are removed from the protection of a secured network.

Healthcare organizations that permit healthcare employees to remove work-issued devices should incorporate these cybersecurity best practices into their training programs and ensure all healthcare employees are made aware of the additional risks when travelling and how they can manage those risks.

Leave Portable Devices at the Office or at Home

If you don’t really need to take a work-issued device with you, leave it at home or at the office and make sure it is secured.

Ensure Devices are Fully Patched

All portable devices should be kept patched and up to date, although this becomes even more important when travelling and connecting to public Wi-Fi hotspots. Software, mobile apps, and operating systems should be updated to the latest versions.

Secure the Devices Using Strong Passwords

All devices should be secured with strong passwords. OCR suggests passwords should be more than 10 characters and should include numbers, letters (upper and lower case) and symbols. Passphrases can be used as they are difficult to guess but easy to remember. Multi-factor authentication should also be used if possible.

Activate Additional Security Controls

Activate additional security controls such as fingerprint readers on mobile phones to prevent data and account access in the event of loss or theft. This can buy you more time to secure accounts and change passwords if your device is stolen.

Encrypt all Sensitive Data on Your Devices

OCR suggests that laptop computers should use full disk encryption so that data cannot be accessed in the event of loss or theft, and that data should be removed from portable devices if it is not required for the trip.

Create Multiple Backups of Files

It is essential that data can be recovered in the event of loss or theft of a portable device or a ransomware attack. Multiple backups should ideally be created on another device with a copy also stored securely in the cloud.

Bring Portable Chargers, Power Cords and Adaptors

Connecting to public charging points in airports and hotels can easily introduce malware. Avoid USB charging points, and charge devices using a portable charging pack or by plugging into the mains supply. If charging ports must be used, only connect after devices have been powered down.

Avoid Public Wi-Fi Hotspots

Avoid all public Wi-Fi networks as they are unlikely to be secure. If you do need to connect to Wi-Fi when travelling, always connect to the Internet via a VPN.

Turn Off Auto Connect for Bluetooth and Wi-Fi

Ensure your portable devices do not automatically connect to Wi-Fi networks and turn off Bluetooth connectivity.

Use Different PIN Numbers

Always use a unique PIN number for each of your devices. Never reuse a PIN anywhere else, such as on the hotel safe.

Never Leave Devices Unprotected

If you cannot lock a portable electronic device in a safe, take it with you. Any possible hiding spot in a hotel room will be checked by thieves. Devices should only ever be taken in hand luggage, never packed in a case that is put in the hold.

Use Geo-Location with Care

While geolocation services have their uses, they can also alert thieves that you are not at home. Consider turning off these services on social media networks when you are away, and avoid posting photos taken on your travels until you return home.

The post Cybersecurity Best Practices for Travelling Healthcare Professionals appeared first on HIPAA Journal.

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules?

Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI.

In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In short, messages need to be encrypted. Many chat platforms, including Facebook Messenger, encrypt data in transit between the app and the provider’s servers, so this aspect of HIPAA is satisfied. End-to-end encryption, which prevents the provider itself from reading messages, is optional in Facebook Messenger and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit.

There must be access and authentication controls to ensure only authorized individuals can access the program. Facebook Messenger could be accessed by unauthorized individuals if a phone was stolen, so the device itself would need additional security controls to ensure apps such as Facebook Messenger could not be accessed in the event of loss or theft. Facebook Messenger users do not have to log in each time they view messages on the app.

HIPAA-covered entities must ensure there is an audit trail. Any PHI sent through a chat messaging platform would need to be retained and hardware, software or procedural mechanisms would be required to ensure any activity involving PHI could be examined. It would be difficult to maintain an audit trail on Facebook Messenger and there are also no controls to prevent messages from being deleted by users.

Is a Business Associate Agreement Required?

The HIPAA Conduit Exception allows HIPAA-covered entities to send information via certain services without the need for a business associate agreement. For example, it is not necessary to enter into a BAA with an Internet Service Provider (ISP) or the U.S. Postal Service. Those entities only act as conduits.

However, cloud service providers are not covered by that exception. HHS points this out on its website, saying “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”

Facebook would therefore need to sign a BAA with a HIPAA-covered entity before Facebook Messenger could be used to communicate PHI, and at the time of writing, Facebook is not prepared to sign a BAA for its Messenger service.

How About Workplace by Facebook?

Workplace by Facebook is a messaging service that can be used by businesses to communicate internally. Is Workplace by Facebook HIPAA compliant? The Workplace Enterprise Agreement states under its prohibited data section, “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Without a BAA, and without appropriate audit and access controls, we do not believe Facebook Messenger is HIPAA compliant. If you want to use a chat program for communicating PHI, we suggest you use a HIPAA-compliant messaging service that has been developed specifically for the healthcare industry, TigerText for example. These secure healthcare text messaging solutions incorporate all the necessary controls to ensure PHI can be sent securely, including access controls, audit controls, and full end-to-end encryption.


HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages. Many choose to use HIPAA compliant email providers so that appropriate controls are applied to protect the confidentiality, integrity, and availability of PHI.

There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop.

All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1).

Provided that an email service provider incorporates all of those controls, the service can be considered HIPAA-compliant. However, it is also necessary for an email service provider to enter into a contract with a HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be used.

HIPAA-covered entities should bear in mind that HIPAA-compliant email is not solely the responsibility of the service provider. The service provider must only ensure appropriate safeguards are incorporated. It is the responsibility of the covered entity to ensure the solution is configured correctly, that staff are trained on the use of email, and that staff are made aware of the allowable uses and disclosures of PHI.

An email service alone will not satisfy all HIPAA requirements for email. Staff should also receive training on security awareness and be made aware of the threats that can arrive in inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware and phishing emails.

Is Encryption for Email Mandatory?

That is a question asked by many healthcare organizations. While HIPAA compliant email providers encrypt all emails in transit, encryption is not mandatory. The HIPAA Security Rule lists encryption as an addressable, rather than required, implementation specification: organizations must assess whether encryption is reasonable and appropriate for them and document that decision. A HIPAA-covered entity does not need to encrypt emails if an alternative, equivalent control is used in its place.

One such control is the use of a secure email server located behind a firewall. In such cases, provided a risk assessment has been conducted and the reasons for not encrypting emails have been documented, encryption would not be required for internal emails. Encryption would also not be necessary when sending emails to patients who have authorized a covered entity to communicate with them via email.

However, since most healthcare organizations need to submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails outside the protection of the firewall. In such cases, encryption is necessary.

There are considerable risks in sending sensitive information via email. Email is not inherently a secure way of sending data. An email is created on one machine, sent to an outbound email server, traverses the Internet, arrives at the recipient’s email server, and is then delivered to the recipient’s device. Copies of the message can therefore exist on at least four different machines, and unencrypted messages can easily be intercepted in transit.

The Department of Health and Human Services has already issued fines to covered entities that have used email services that are not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using insecure Internet-based email.

List of HIPAA Compliant Email Providers

Our list of HIPAA compliant email providers has been compiled to save you time in your search for a suitable email service provider. The list of HIPAA compliant email providers is not exhaustive. There are many other service providers that offer email services for healthcare organizations that meet the requirements of HIPAA. However, the list below is a good starting point.

All of the following providers offer a HIPAA-compliant email service and are willing to sign a business associate agreement.

  • Hushmail for Healthcare
  • VM Racks
  • NeoCertified
  • Paubox
  • Virtru
  • Atlantic
  • LuxSci
  • Apsida Mail
  • Protected Trust
  • MaxMD
  • EmailPros
  • MD OfficeMail
  • Delivery Trust from Identillect Technologies


Protenus Releases November Healthcare Data Breach Report

Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month on month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches.

November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October.

November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell.

While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch of salt. Healthcare organizations have a maximum of 60 days to report breaches, so the figures do not necessarily indicate there has been a reduction in incidents. Also, figures have only been obtained for 25 of the 28 breaches. As Kira Caban, Director of Public Relations at Protenus, notes, “The number of both data breach incidents and affected patient records are lower than any other month thus far in 2017, but it may also just indicate that people wanted to get ready for Thanksgiving, so they delayed reporting.”

In November, insider breaches outnumbered hacking incidents, with nine incidents (32%) due to insiders and eight incidents (28%) attributed to hacking. 25% of breaches involved the loss or theft of records or devices containing ePHI. Seven of the breaches involved paper records.

The November healthcare data breach report shows hacking incidents resulted in the highest number of exposed records, by a narrow margin: 36,804 records. Insider incidents resulted in the exposure of 36,447 records: 27,228 due to insider error and 9,219 due to insider wrongdoing. 5,324 records were exposed due to the theft or loss of physical records or devices containing unencrypted ePHI.

As is typical, healthcare providers reported the most breaches (82.1%), followed by health plans (10.7%). Three incidents (3.6%) are known to have involved business associates of HIPAA-covered entities.

It is difficult to make a determination whether healthcare organizations managed to discover breaches more quickly, as figures were only available for four incidents. The average time to detect a breach was 55 days, with a median of 33 days. One breach took 153 days to discover.

Data are better for the time taken to report breaches. The median time to report the incidents to HHS was 57 days, with an average time of 61 days. The figures show healthcare organizations are still waiting until the last minute to report breaches. It should be noted that while HIPAA allows up to 60 days to report data breaches, incidents should be reported without unnecessary delay, and well within that 60-day window. At least three covered entities have risked a financial penalty for delayed breach notifications, with one taking 134 days to report the breach.

While California is usually the state with the most reported breaches, that unenviable accolade was taken by Kentucky in November, with three reported breaches. Healthcare organizations based in Massachusetts, Texas, Colorado, Indiana, Florida, and California each reported two breaches.


1,900 MidMichigan Medical Center Patients Notified After Documents Found in the Street

MidMichigan Medical Center (MMC) in Alpena has alerted patients to a potential breach of their health information, which may have literally fallen into the hands of individuals unauthorized to view the information.

On the evening of November 18, a MMC cardiologist removed patient files from the Alpena cardiology office without authorization. The files were transported to the cardiologist’s vehicle in a storage container, but the container had not been properly secured.

Close to a parking lot near 12th Avenue/Chisholm Street, the container was dropped, spilling the contents on the ground. The documents were caught by the wind and started blowing around the street.

Some of the documents were picked up by members of the public, who informed the hospital that documents containing sensitive patient information were blowing around the street. The hospital contacted law enforcement to provide assistance collecting the paperwork.

Dr. Richard Bates, vice president of medical affairs at MMC issued a statement saying all of the paperwork is believed to have been retrieved, so the risk to patients is thought to be low. However, since it cannot be confirmed that every document has been recovered, patients have been notified of the potential breach of their PHI.

The reason why the cardiologist, Dr. Christopher Walls, removed the records from the office is not known. However, removing documents containing patient information is a violation of hospital policies, and as a result of that violation, Dr. Walls is no longer employed at MMC.

Approximately 1,900 patients have been notified of the potential breach, which may have included names along with addresses, Social Security numbers, and clinical data. As a precautionary measure, affected patients have been offered complimentary identity theft protection services.

“We take matters related to the security of our patients’ personal information very seriously because it is our responsibility to protect their privacy. We have rigorous processes and procedures in place to detect breaches and to protect patients’ rights,” said Bates.


Two Healthcare Providers Announce Incidents Involving the Improper Disposal of Patient Data

Two healthcare providers have announced they have experienced incidents involving the improper disposal of protected health information; one involving paper records and the other a hard drive containing electronic health information.

NYU Langone Health System discovered a binder containing a log of presurgical insurance authorizations was accidentally recycled by a cleaning company in October. The binder contained records relating to around 2,000 patients.

Information in the binder included names, birth dates, dates of service, Current Procedural Terminology (CPT) codes, diagnosis codes, insurer names, and insurance ID numbers. In some cases, brief notes may have been present, along with insurance approvals/denials and inpatient/outpatient status. No Social Security numbers or financial information were recorded in the paperwork.

As required by HIPAA, NYU Langone Health System had implemented a policy that requires all PHI to be disposed of securely when it is no longer required, typically by shredding documents. Since the binder was taken for recycling by accident, that did not occur.

Since insurance ID numbers were present in the logs, NYU Langone Health System has offered all affected patients complimentary identity theft protection services and cyber monitoring services through ID Experts for one year.

To prevent similar incidents from occurring in the future, staff have been reeducated on the importance of safeguarding patient information and practice workflow has been updated to improve the protections for sensitive patient information. No reports have been received to suggest any information has been used inappropriately.

The second incident was reported by Chilton Medical Center (CMC) in Pequannock, NJ. In this case, patient records, including names, addresses, medical record numbers, dates of birth, and details of allergies and medications received at CMC, were stored on a hard drive that was discovered to have been removed by an employee and sold on the Internet.

The sale of the hard drive was not authorized by CMC and was in breach of the medical center’s policies. The incident has been reported as a theft and the Morris County Prosecutor’s Office has been notified. According to the breach notice placed on the medical center’s website, the employee no longer works at CMC.

Upon discovery of the incident, an internal investigation was launched, and it became apparent that this was not the first time that computer hardware and assets had been removed by the former employee and sold online. Those additional devices and assets are not believed to have contained any patient information, although the investigation is ongoing.

Patients impacted by the incident had visited CMC for medical services between May 1, 2008 and October 15, 2017. All patients impacted were notified of the security incident on December 15, 2017. CMC said additional processes and controls have been put in place to prevent incidents such as this from occurring in the future.

The incident has yet to appear on the breach portal of the Department of Health and Human Services’ Office for Civil Rights, so it is currently unclear exactly how many patients have been affected.


OCR Launches New Tools to Help Address the Opioid Crisis

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act.

Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible.

OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis.

OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose. Some of the materials have been developed specifically for parents of children suffering from a mental health condition.

OCR is also collaborating with partner agencies within the HHS to identify and develop further programs and training materials covering the permitted uses and disclosures of PHI when patients seek, or undergo, treatment for mental health disorders or substance abuse disorder.

“HHS is using every tool at its disposal to help communities devastated by opioids including educating families and doctors on how they can share information to help save the lives of loved ones,” said OCR Director, Roger Severino.

The Information Related to Mental and Behavioral Health can be accessed on the links below:

Webpage for consumers

Webpage for healthcare professionals and caregivers

Guidance on HIPAA and Research

OCR has also released updated guidance on HIPAA and research, as required by the 21st Century Cures Act. The new guidance explains how the HIPAA Privacy Rule applies to research, including when protected health information can be shared without first obtaining authorization from patients.

OCR explains that HIPAA-covered entities are always permitted to disclose PHI for research purposes if it has been de-identified in accordance with 45 CFR 164.502(d), and 164.514(a)-(c).

If PHI is not de-identified, authorization from patients is required unless the covered entity has obtained Documented Institutional Review Board (IRB) or Privacy Board Approval. In the guidance, OCR explains the criteria that must be satisfied to receive such approval.

The guidance can be viewed here.

OCR has also formed a working group that includes representatives of several federal agencies, patients, researchers, healthcare providers, privacy, security and technology experts. The working group will study uses and disclosures of PHI for research and the group will report on whether those uses and disclosures should be modified to facilitate research while ensuring individuals’ privacy rights are protected.


AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan

The American Health Information Management Association (AHIMA) has published guidance to help healthcare organizations develop a comprehensive and effective cybersecurity plan.

In the guidance, AHIMA explains that healthcare organizations must develop, implement, and maintain an organization-wide framework for managing information through its entire lifecycle, from its creation to its safe and secure disposal. AHIMA terms this information governance (IG).

As the Protenus/Databreaches.net monthly healthcare data breach reports show, healthcare data breaches are now occurring at a rate of more than one a day. With the threat of attack greater than ever before, it is essential that healthcare organizations develop an IG program.

Kathy Downing, Vice President, Information Governance, Informatics, Privacy and Security at AHIMA, explains that IG is now critical in an environment where cyberattacks are being experienced by healthcare organizations every day.

Downing cites the June 2017 report from the Healthcare Industry Cybersecurity Taskforce (HCIC), which states “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical and nonclinical leaders.” HCIC explained, “Governance of information shifts the focus from technology to people, processes, and the policies that generate, use, and manage the data and information required for care.”

To help healthcare organizations develop, implement, and maintain an effective IG program, AHIMA has developed a step-by-step guide, which includes 17 actions healthcare organizations can take to complete a cybersecurity plan.

The AHIMA IG Adoption Model™ addresses people, processes, and technology and is based on ten competency areas, including privacy and security, enterprise information management, IT and data governance, legal and regulatory requirements, and security awareness and adherence.

By developing and maintaining a cybersecurity plan, healthcare organizations can improve their defenses against cyberattacks and prevent costly data breaches.

The 17 steps to develop a complete cybersecurity plan are:

  1. Conduct a comprehensive, organization-wide risk analysis of all applications and systems
  2. Recognize health record retention as a cybersecurity issue
  3. Patch all vulnerable systems and keep software/operating systems up to date
  4. Deploy advanced endpoint detection systems in addition to standard antivirus/antimalware tools
  5. Encrypt data on workstations, smartphones, tablets and portable media
  6. Improve access management and identity controls
  7. Use web filters to block bad traffic
  8. Implement mobile device management
  9. Develop an incident response plan
  10. Monitor audit logs for signs of possible attacks
  11. Implement intrusion detection systems
  12. Evaluate business associates
  13. Use a third-party firm to conduct penetration tests
  14. Improve anti-phishing controls and conduct phishing simulation exercises
  15. Prepare a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
  16. Adopt and apply a ‘Defense in Depth’ strategy
  17. Detect and prevent intrusions

Developing and implementing a cybersecurity plan is only the start. The threat landscape is constantly changing, and healthcare organizations’ IT infrastructures, hardware and software frequently change. It is therefore important to revisit and revise the cybersecurity plan, as appropriate, at least every quarter to ensure it remains comprehensive and effective.

The AHIMA guidance is available for download here.


Is Hotmail HIPAA Compliant?

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI.

Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-compliant, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same.

HIPAA, Email and Encryption

There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security controls in place – See 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).

All email accounts are secured with a password, but not all email accounts securely send messages. If messages are not encrypted in transit, they could easily be intercepted and read by unauthorized individuals.

In order to be HIPAA-compliant, email messages should be encrypted in transit if they are sent outside the protection of an organization’s firewall. Encryption is not required if messages are sent internally and the messages are sent via a secure internal email server that sits behind a firewall.

Is Hotmail HIPAA Compliant?

Since Hotmail is a webmail service, it lies outside the protection of an organization’s firewall. In order to be HIPAA compliant, Hotmail would need to incorporate security controls to prevent messages from being intercepted. Hotmail uses HTTPS, so any information transferred between the browser and the Hotmail site is encrypted. Whether a message is also encrypted on its onward hop to the recipient’s mail server depends on that server supporting TLS for SMTP, which the sender cannot control.

However, while Microsoft says it does not scan the content of messages and will not sell that information to third-parties such as advertisers, Microsoft does have access to messages. Further, in order for an email service such as Hotmail to be HIPAA compliant, it would be necessary to first obtain a HIPAA-compliant business associate agreement with the email service provider.

Microsoft does offer business associate agreements for Office 365, but Office 365 does not include Hotmail or Outlook.com email accounts, which are free consumer email services. Microsoft does not offer any business associate agreements for its free consumer services.

Therefore, the answer to the question is Hotmail HIPAA compliant is no. Without a signed business associate agreement, Hotmail email accounts should not be used. The same applies to Gmail accounts and most other free consumer email services.

Can You Send PHI to a Patient’s Hotmail Account?

If your email system is secure and HIPAA-compliant, is it possible to send PHI to patients if they have a Hotmail account?

HIPAA does permit healthcare organizations to send PHI to patients via email, regardless of the email service provider the patient uses. However, it is not permitted to send emails to patients without first obtaining their consent to do so. When obtaining consent, you should communicate to patients that the sending of PHI via email is not secure and that their information could potentially be intercepted and viewed by individuals who are unauthorized to view that information.

If patients are informed of the risks, and confirm that they accept those risks, PHI can be sent via email, even if they have a Hotmail or Outlook.com email account. Covered entities should document that consent has been obtained and patients have opted in to receive information via email, including how you authenticated their identity.
