Are You Using Your Personal Email to Send Patient Records? You’re Breaking the Law

Krysia GabenskiFeatured News

By Robert McDermott
From the Fall 2015 Journal of the Colorado Dental Association

Electronic messaging is quickly becoming the standard for transmitting electronic patient health information (EPHI). But in a digital era when technology is ever-evolving, are you and your staff doing everything you can to legally comply with Health Information Portability and Accounting Act (HIPAA) laws? If you’re not, you’re jeopardizing not only your patients’ privacy but also your practice and your license.

How Steep Are the Penalties?
With the advent of electronic health records, protecting EPHI from internal and external risks has never been a bigger issue in the dental community. The federal government is increasingly tightening its enforcement of HIPAA laws. Not complying with these laws means your patients’ EPHI could end up in the wrong hands. The penalties for such violations are staggering — one incident could put a practice out of business. Violations carry monetary fines ranging from up to $50,000 per page to a maximum of $1.5 million per patient. HIPAA Privacy Rule infractions can be considered criminal acts and can lead to prosecution by the Department of Justice and jail time ranging from one to 10 years.

Is Compliance Really Being Enforced?
HIPAA laws are being enforced now more than ever, and private practices, including dental practices, are at the top of the list for those at risk of violations. Since July 2009, when the authority to administer and enforce the HIPAA Security Rule was transferred to the Office for Civil Rights (OCR), the OCR has investigated more than 98,279 HIPAA complaints in which private practices were listed as the number one covered entity required to take corrective action. Also in 2009, state attorneys general were granted the authority to bring civil actions (for HIPAA violations) on behalf of state residents through Health Information Technology for Clinical and Economic Health Act (HITECH). In January 2013, the Omnibus Rule, a final rule that implements a number of provisions of HITECH, pushed HIPAA toward much greater enforcement by reaffirming HIPAA privacy and security requirements. That year, the number of HIPAA-violation complaints received by Department of Health and Human Services spiraled upward.

What to Look for in a Compliant Messaging System
Whether dentists realize it or not, they and their staff members are breaking the law when they transmit patient records, x-rays and other EPHI through personal email accounts like Outlook 365, Yahoo Mail and Gmail. Though these accounts may claim to be secure, they lack key features that are necessary to make them HIPAA-compliant. To be HIPAA-compliant, email messaging systems must have these five specific requirements.

1.    Access Controls: A covered entity is required to implement technical policies and procedures that limits access to systems containing protected health information only to personnel with sufficient access rights (164.312 (a)), including having:
a.    A unique user identification
b.    An emergency access procedure
c.    An automatic logoff process
d.    An encryption and decryption process
2.    Audit Controls: A covered entity is required to implement software that records and examines activity in systems that contain or use protected health information (164.312(b)).
3.    Integrity: A covered entity is required to develop and implement policies and procedures to protect protected health information from altercation or destruction (164.312(c)). This includes having a method to authenticate protected health information.
4.    Person or Entity Authentication:  A covered entity has to implement procedures to verify a person or entity accessing protected health information is the one to whom the protected health information belongs (164.32(d)).
5.    Transmission Security: A covered entity is required to implement technical measures to guard against unauthorized access to protected health information that is transmitted over an electronic communication network (164.312(e)). This includes integrity controls and encryption.

Email messaging systems also should include the “DIRECT” data-exchange protocol. DIRECT allows you to send HIPAA-compliant, encrypted emails to patients, doctors and others outside your network via the Internet. It uses a two-step verification system, checking for two unique identifiers such as a Social Security number and American Dental Association number. DIRECT protocol means an email recipient truly is the intended recipient.

Unless a practice is using a HIPAA-compliant messaging system, its providers are risking incurring violations and receiving penalties, fines or jail time. Make sure you and your staff are protecting your patients. Their privacy and your practice’s future depend on it.

Robert McDermott is the CEO and president of iMedicor. iMedicor’s iCoreExchange is a HIPAA-compliant secure messaging hub, and is endorsed by the CDA. CDA members receive a 35% discount on services to protect their practices. For more information, please visit or call iMedicor at 800-624-0237.

CDA Protecting You!
You may not realize it, but the Colorado Dental Association also has a need to send secure email.  Whether it’s financial reports, patient records for peer review or insurance claims, the CDA must meet industry standards to protect sensitive information.  iMedicor’s iCore Exchange provides us with the same HIPAA level security required for your office.  Learn more about this CDA Endorsed Program and what HIPAA laws require before you send that next email with patient information.