Question: A provider in our practice informed us that they have been sending patient records to their personal email to review at home. Does this constitute an unauthorized disclosure of protected health information (PHI), and does it pose a security risk?

West Virginia Subscriber

Answer: Yes, your provider’s actions can constitute an unauthorized disclosure of PHI and pose a security risk.

Unauthorized disclosure of health information can be just as dangerous to a patient’s PHI as ransomware. While the latter garners more attention from healthcare IT officials, the media, and the government, unauthorized health information access or disclosure is just as serious.

Some unauthorized disclosure incidents may be malicious in their intent, but most incidents, such as the one you’re describing, are due to negligence or improper cybersecurity education. People in the system, such as doctors and clinicians, may just want to access the patient’s information and medical record to deliver treatment but are violating disclosure rules.

When patients arrive at your practice, you’re committed to protecting their PHI. Once the patients’ records leave your practice’s network, there’s no way to ensure that protection and that could cause major headaches if the provider’s personal device or accounts become targets of cybercriminals.

By educating your employees on the safe handling of PHI and proper cyber hygiene techniques, your practice or facility can help prevent incidents of unauthorized disclosure.