After the discovery of a data breach, a secure source of communication like HIPAA compliant email can become an invaluable resource for the extensive compliance and recovery processes that follow. When making use of trustworthy HIPAA compliant email platforms like Paubox, the security comes with the assurance that the systems will not be intercepted by threat actors leading to further exploitation.
HIPAA breach notification obligations are triggered when unsecured protected health information (PHI) is impermissibly used or disclosed. According to a U.S. Pharmacist article, “The breach notification regulations were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) signed on February 17, 2009—the so-called federal stimulus bill.” An impermissible or disallowed use of PHI is presumed to be a breach unless the covered entity can show, using a four-factor risk assessment, that there is a low probability that the PHI has been compromised.
The assessment considers the nature and extent of the PHI involved and whether the PHI was actually acquired or viewed. If a low probability of compromise cannot be demonstrated, notifications must be provided without unreasonable delay and no later than 60 calendar days after the incident. If the breach involves unsecured PHI and affects more than 500 individuals in a state or jurisdiction, the covered entity must also notify a prominent media outlet serving that area.
For breaches affecting fewer than 500 individuals, covered entities only have to maintain a log and notify HHS annually. As a result of the Omnibus Rule, these breach notification requirements also extend to business associates.
HIPAA compliant email platforms protect PHI by providing stronger data security, access controls, and encryption than other common communication methods. Their use also comes with the convenience of familiarity, which allows staff to follow breach protocols without learning additional steps. This reduces the risk of further unauthorized access during breach reporting, a time when sensitive details are being shared. It also demonstrates a commitment to protecting clients' data privacy and security.
The notice must include specific details about the breach.
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised. Physicians must evaluate the severity of an improper use or disclosure of PHI by assessing whether it meets HIPAA’s “low probability of compromise” threshold using the four-factor test.
HIPAA breach notifications must be sent within 60 days from the date of breach discovery. For breaches impacting more than 500 individuals, the notification to the HHS is also 60 days from discovery. For breaches impacting fewer than 500 individuals, notification to the HHS can be made within 60 days of the end of the calendar year in which the breach occurred.