Question: If our general surgery practice uses unencrypted email to send a report with a patient’s protected health information (PHI) to another physician’s office, is that a reportable breach?
Codify Subscriber
Answer: Unfortunately, there’s no clear-cut decisive answer to this, says Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems LLC in Charlotte, VT. “I see plenty of reports of breaches that are taking place that involve this kind of communication.”
Many lawyers will say that sending an unencrypted email containing PHI should be treated as a breach, Sheldon-Dean notes. And beyond the unencrypted email itself, you need to understand that these messages may wind up on email servers and can remain there for quite some time after you send or read them.
Bottom line: “In that case, the information winds up being maintained and isn’t necessarily being secured,” Sheldon-Dean warns. “So you want to avoid … using those kinds of services as much as possible unless you use a secure version. Otherwise, you’re leaving yourself open to a violation.”