Question: A provider in our practice informed us that they have been sending patient records to their personal email to review at home. Does this constitute an unauthorized disclosure of electronic protected health information (ePHI), and does it pose a security risk?

Florida Subscriber

Answer: Yes, the provider's actions can constitute an unauthorized disclosure of ePHI and pose a security risk.

Unauthorized disclosure of health data can be just as dangerous to a patient's privacy as a ransomware attack. While the latter garners more attention from health IT pundits, the media, and the feds, unauthorized access to or disclosure of ePHI is just as serious. Some unauthorized disclosure incidents are malicious in intent, but most, such as the one you're describing, are due to negligence or inadequate cybersecurity education. People inside the system, such as doctors and other clinicians, may only want access to the patient's information and medical record to deliver treatment, but they are still violating disclosure rules.

When patients arrive at your practice, you're committed to protecting their ePHI. Once a patient's records leave your practice's network, there is no way to ensure that protection, and that could cause major headaches if the provider's personal device or accounts become targets of cybercriminals.

Keep in mind: Email is not a secure method of transmitting PHI. Unless the email is encrypted end to end, the PHI is at risk while it is in transit from the office to the physician's home, even if the home network has every security safeguard in place. PHI cannot leave the practice's secure network via unsecured email, because doing so leaves the PHI open to theft. Instead, safeguard it by using encrypted email.

By educating your employees on the safe handling of ePHI and proper cyber hygiene techniques, your practice can help prevent incidents of unauthorized disclosure.
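The scenario above, records forwarded from a practice mailbox to a personal account without end-to-end encryption, is exactly the kind of event an outbound-mail review or DLP rule should surface. The following is an added example, not part of the original Q&A or any vendor's product: a small Python check run over constructed outbound mail log lines. The organisation domain (examplepractice.test), the webmail domain list, the PHI indicator patterns and the log format are all assumptions made for illustration. It flags messages to personal webmail accounts and rates as high severity any message carrying PHI indicators to an external recipient without end-to-end encryption, treating TLS on the hop as insufficient, which is the point the answer makes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed for this example: the practice's own mail domain. Any other
# recipient domain counts as outside the practice's network.
ORG_DOMAINS = {"examplepractice.test"}

# Assumed list of consumer webmail domains that indicate a personal account.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "aol.com", "icloud.com"}

# Constructed PHI indicators. Real DLP policies use richer dictionaries and
# inspect attachment contents; these patterns only illustrate the check.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\D{0,3}\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\D{0,3}\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


@dataclass
class MailEvent:
    sender: str
    recipient: str
    subject: str
    attachments: Tuple[str, ...]
    tls: bool   # transport encryption on this hop only
    e2e: bool   # message itself encrypted end to end (e.g. S/MIME or PGP)


def parse_log_line(line: str) -> MailEvent:
    """Parse one constructed pipe-delimited outbound mail log line."""
    fields: Dict[str, str] = {}
    for token in line.strip().split("|")[1:]:  # first token is the timestamp
        key, _, value = token.partition("=")
        fields[key] = value
    attachments = tuple(a for a in fields.get("attach", "").split(";") if a)
    return MailEvent(sender=fields["from"], recipient=fields["to"],
                     subject=fields.get("subj", ""), attachments=attachments,
                     tls=fields.get("tls") == "yes", e2e=fields.get("e2e") == "yes")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def phi_indicators(event: MailEvent) -> List[str]:
    """Names of PHI patterns found in the subject line or attachment names."""
    text = " ".join((event.subject, *event.attachments))
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def assess(event: MailEvent) -> Dict[str, object]:
    """Classify one outbound message the way a simple DLP rule would."""
    reasons: List[str] = []
    dom = domain_of(event.recipient)
    external = dom not in ORG_DOMAINS
    personal = dom in PERSONAL_WEBMAIL
    indicators = phi_indicators(event)

    if not external:
        return {"severity": "none", "reasons": reasons}  # stayed on the network

    if personal:
        reasons.append("recipient is a personal webmail account")
    for name in indicators:
        reasons.append(f"phi indicator in subject/attachment: {name}")
    if indicators and not event.e2e:
        # TLS on the hop is not enough: PHI must be encrypted end to end
        # before it leaves the practice.
        reasons.append(f"phi sent without end-to-end encryption (tls={event.tls})")
        severity = "high"
    elif personal:
        severity = "medium"
    elif indicators:
        severity = "low"  # end-to-end encrypted, still worth a review
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def triage(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (recipient, severity) for every message that needs attention."""
    results = []
    for line in log_lines:
        ev = parse_log_line(line)
        severity = assess(ev)["severity"]
        if severity != "none":
            results.append((ev.recipient, severity))
    return results


# Constructed sample log lines (not from any real mail system).
SAMPLE_LOG = [
    "2024-05-01T18:42:10Z|from=dr.lee@examplepractice.test|to=drlee.home@gmail.com|subj=Patient chart MRN 00482913|attach=chart.pdf|tls=yes|e2e=no",
    "2024-05-01T18:44:02Z|from=dr.lee@examplepractice.test|to=billing@examplepractice.test|subj=Chart for MRN 00482913|attach=chart.pdf|tls=yes|e2e=no",
    "2024-05-01T19:01:55Z|from=nurse.kim@examplepractice.test|to=referrals@partnerclinic.test|subj=Referral DOB 03/14/1970|attach=referral.pdf.p7m|tls=yes|e2e=yes",
    "2024-05-01T19:10:30Z|from=frontdesk@examplepractice.test|to=vendor@officesupply.test|subj=Toner order|attach=|tls=yes|e2e=no",
]

if __name__ == "__main__":
    for recipient, severity in triage(SAMPLE_LOG):
        print(f"{severity:6} {recipient}")
```

Running the block against the constructed log flags only the message to the gmail.com account (high: personal account, MRN in the subject, no end-to-end encryption) and the end-to-end encrypted referral to the partner clinic (low, for review); the internal copy and the toner order produce no finding. The same structure, a recipient-domain check combined with content indicators and an encryption check, is what a mail gateway DLP policy enforces in production, and the log it produces is what a practice would use to confirm whether the forwarding described in the question actually occurred.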