The value of HIPAA compliant email for incident reporting
Kirsten Peremore
Feb 21, 2025 10:27:17 AM

A BMJ Nursing study on the awareness of reporting barriers notes, “Adequate incident reporting practices for clinical incident among nurses and even all healthcare providers in clinical practice settings is crucial to enhance patient safety and improve the quality of care delivery.”
After discovering a data breach, a secure channel like HIPAA compliant email can become an invaluable resource for the extensive compliance and recovery processes that follow. When using trustworthy HIPAA compliant email platforms like Paubox, the security comes with the assurance that messages will not be intercepted by threat actors and used for further exploitation.
The breach obligations for healthcare organizations
HIPAA breach notification obligations are triggered when unsecured protected health information (PHI) is disclosed. According to a U.S. Pharmacist article, “The breach notification regulations were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA) signed on February 17, 2009, the so-called federal stimulus bill.” An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can show, using a four-factor risk assessment, that there is a low probability that the PHI has been compromised.
The assessment considers the nature and extent of the PHI involved and whether the PHI was actually acquired or viewed. If a low probability cannot be demonstrated, notifications must be provided without unreasonable delay and no later than 60 calendar days. If the breach involves unsecured PHI and affects more than 500 individuals in a state or jurisdiction, the covered entity must also notify a prominent media outlet serving that area.
For breaches affecting fewer than 500 individuals, covered entities only have to maintain a log and notify the HHS annually. As a result of the Omnibus Rule, these breach notification requirements also extend to business associates.
Why email is the best way to report a breach
According to a 2022 study on cyber breach reporting published by Elsevier, “Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds.” Email is an effective way to share this information under the right circumstances.
HIPAA compliant email platforms protect PHI by providing better data security, access controls, and encryption than any other communication method. Their use also comes with the convenience of familiarity, which allows staff to focus on breach protocols without learning additional tools or steps.
This reduces the risk of further unauthorized access during breach reporting, a time when sensitive details are being shared. It also demonstrates a commitment to protecting clients’ data privacy and security.
What happens when a breach is email-related?
A BMJ Health Care Informatics study on phishing as a threat to healthcare organizations reports, “During the 1-month testing period, the organisation received 858 200 email messages: 139 400 (16.2%) were classed as marketing by spam detection systems in place and 18 871 (2.2%) identified as potential threats.” When a data breach involves email, such as phishing or compromised email accounts, it becomes challenging to rely on the same medium to communicate breach notifications without risking further data exposure or loss of trust.
Healthcare staff are often targeted with phishing emails designed to harvest credentials or deliver malicious payloads, which can lead to breaches of confidential data. Because phishing attacks exploit email infrastructure, any plan to notify about such breaches by email must account for the risk that compromised accounts or systems are no longer reliable or secure channels for communication.
Unintentional insider threats often arise from employees inadvertently mishandling emails or falling victim to phishing schemes. Internal communication about breaches via email must therefore be handled with heightened scrutiny to avoid worsening the breach or enabling further attacks.
How to protect emails against cyber attacks
HIPAA-compliant email platforms like Paubox provide a baseline by ensuring that email communication in healthcare environments meets regulatory requirements for privacy and security. Unlike conventional email services that lack built-in protections, HIPAA-compliant systems reduce the risk of data interception or leakage by offering encrypted channels designed to prevent unauthorized disclosure even if a message is intercepted by malicious actors. This technical protection is necessary given healthcare data’s high value and attractiveness to cybercriminals.
Technological safeguards alone, however, cannot fully defend against all phishing attempts or cyberattacks, since many threats exploit human factors through social engineering, manipulating users into disclosing credentials or unknowingly triggering malware installation. Despite sophisticated email security systems, the ‘weakest link’ in cybersecurity is often human behavior, including limited awareness, poor phishing recognition, and risky habits like clicking on suspicious links or sharing personal information on social media. The BMJ study mentioned above describes an internal phishing simulation in NHS healthcare organizations, revealing that a portion of email and internet traffic (about 2%–3%) comprised potentially malicious content targeting hospital staff.
FAQs
What information must be included in a breach notification?
The notice must include specific details about the breach; the sources cited in this article do not enumerate the required elements.
What is the "low probability of compromise" exception?
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised. Physicians must evaluate the severity of an improper use or disclosure of PHI by assessing whether it meets HIPAA’s “low probability of compromise” threshold using a four-factor test.
What is the significance of the 60-day timeframe?
HIPAA breach notifications must be sent within 60 days from the date of breach discovery. For breaches impacting more than 500 individuals, the notification to the HHS is also 60 days from discovery. For breaches impacting fewer than 500 individuals, notification to the HHS can be made within 60 days of the end of the calendar year in which the breach occurred.
Are there any differences with state breach notification laws?
Yes. Many U.S. states have their own breach notification laws that may be stricter than HIPAA requirements, including shorter notification deadlines and additional reporting obligations such as notifying state attorneys general.
Does the rule cover all types of breaches?
The rule covers breaches from unauthorized access, improper disclosure, ransomware attacks, and employee-related incidents. However, it excludes breaches involving encrypted data where the encryption key has not been compromised, or certain good-faith, limited-scope employee access that does not result in further disclosure.