Home Health & Hospice Week

HIPAA:

Beware Risks Of Using Private Email Accounts

Does a staffer sending herself patient info to a Gmail account equal a HIPAA breach?

It’s a common scenario: Providers have a secure system for encrypting all outgoing emails from their internal email systems, but managers, clinicians or other staffers are sending protected health information from the internal email to their home email on Gmail, Hotmail, etc. Does that put you at risk?

Yes, this is definitely a risky behavior, says Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems in Charlotte, Vt. “What happens is those messages wind up on the Hotmail or Gmail servers and can wind up being preserved and not really very well protected,” he says.

Pitfall: And depending on exactly how you’re using Hotmail or Gmail, the provider’s terms of service may even grant it the right to look at whatever information passes through your account, Sheldon-Dean warns. You must try to get employees to stop using their own personal email accounts, because those email services are not secure.

What’s more: Some organizations even report usage of personal unencrypted email accounts as an official breach, Sheldon-Dean adds. “It’s up to your attorneys to decide whether that’s something you need to report as a breach or not — just the fact that [the staffers] have been using those email accounts.” If you are in this scenario, “you’re certainly in a dangerous situation right now, and you need to consider it very carefully,” he advises.
