Many providers transmit their patients’ Protected Health Information (“PHI”) in unsecured e-mails. Through audits, some providers have discovered that their employees routinely included patient PHI in both the subject line and body of e-mails sent internally and externally. In doing so, these providers could be exposed to HIPAA violations if employees send e-mails containing PHI to the wrong external address, if they erroneously send e-mails to the internal address of a person who should not have access to the information, or if the provider’s firewall is insufficient to guarantee protection of the PHI. Providers would be well advised to instruct their employees never to use PHI in the subject line of e-mails, to limit PHI to the extent possible in the body of e-mails, and to ensure that e-mails containing patient PHI are sent using an encrypted system, preferably one that uses at least 128-bit encryption.
For more information on this or other healthcare-related matters, contact Ted Barron or a member of the Healthcare Practice team. is available to assist with all matters related to healthcare.