Question: If we use unencrypted email to send a message with a patient’s protected health information (PHI) to another doctor’s office, is that a reportable breach?
Answer: Unfortunately, there’s no clear-cut decisive answer to this, says Jim Sheldon-Dean, founder and director of compliance for Lewis Creek Systems LLC in Charlotte, VT. “I see plenty of reports of breaches that are taking place that involve this kind of communication.”
Many lawyers will say that the proper way to interpret a situation where you’ve sent an unencrypted email containing PHI is as a breach, Sheldon-Dean notes. And beyond the unencrypted email itself, you need to understand that these messages wind up on email servers and can remain there for quite some time after you send or read the messages.
Bottom line: “In that case, the information winds up being maintained and isn’t necessarily being secured,” Sheldon-Dean warns. “So you want to avoid … using those kinds of services as much as possible unless you use a secure version. Otherwise, you’re leaving yourself open to a violation.”