
I am the Compliance Officer for a laboratory. Is it permissible to send an unencrypted email with a patient accession number? It does not include patient name, DOB, SS# or address. It is just an associated, unique number related to a test.

Kristin

3 Answers


In my interpretation of HIPAA/HITECH, NO, it should be encrypted.

From everything that I've read on this over the years, the broadest translation of EPHI is ANY information that COULD be used to IDENTIFY a patient. (This would include any account or test numbers.) The debate would be "entities that need access to" or "provide access to"; however, if ruled as negligent in court, it's not an excuse, and since you have the title of compliance officer I would require encryption (at least in writing). If you don't have the ability to approve spending on, say, encrypted email, then provide whoever does have the authority with Section 164.312(e)(2)(ii) of HIPAA and BCC your external email address to cover yourself, so that it is the company going rogue and not yourself. I always say unencrypted email is like writing information on a piece of paper and putting it on "Joe's" car under the windshield wiper. Even though it's addressed to "Joe", anyone who is walking by with "curiosity" could read that paper on the windshield of Joe's car and he might never know. If that data is valuable in ANY way, people will try to "acquire it".

Here's a quote from wikipedia's site: PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[13] This is interpreted rather broadly and includes any part of an individual's medical record or payment history.

taken from: http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

Unfortunately, an ex-employee could social engineer with that information to obtain additional information, such as an SS#.

Depending on how much data is sent and how often it will be sent, you may want to consider building an SFTP server (usually favored over FTPS by most hospital I.T. departments).

Personally I've done this for two of the largest hospitals in my state and that's how they send reports and patient data. I used a turnkey linux distro here: http://www.turnkeylinux.org/fileserver

It's FREE and very easy to set up, and it will cover the issue of using encryption while the data's "in motion". Also be sure to make a unique login for EACH entity that will connect, since all login attempts are logged, and be sure to use a long random password and only give that info over the phone or fax, since your email does not sound like it's being encrypted.

A word of experience on email encryption, stay away from Trend Micro, it's too difficult for computarded users to count on their fingers and toes the numerical placeholders of their passwords.

ex. password: doggypuppy123; prompt: enter characters 1, 2, 7, and 9 of your password; answer: d o u p

plus they have security questions on top of that as well.

It is horrible. I was stuck with it for a year from the previous admin, and now we have something much more computarded-user friendly. Let me know if you have any other questions.

If you just want to send the information via email and don't have the capability to run an SFTP server, then you could use http://www.jumbleme.com/ which offers FREE low-volume encrypted emails. The only thing in question is that when you look at the HIPAA-compliant version of the "FREE" service, they say that they charge $49.95/yr per user account.

Brad
  • I just looked into jumbleme.com. Is it actually HIPAA compliant? Do you sign a business associate agreement (contract) with them to allow sharing of proprietary data (which arrive at their server unencrypted (transported encrypted via SSL)) to encrypt for you? It doesn't appear like this step is done. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html – dr jimbob Mar 29 '12 at 17:39
  • Good point, I forgot about that. I had to sign my life away years ago. Your management should have boilerplates for that; go from there. On the compliance of ANY email provider, the only company that I've come across that has a business associate agreement for email encryption is luxsci; check out http://luxsci.com/path/hipaa.html. Otherwise I've had companies argue that they don't need to supply you with such an agreement since they are only "assisting" in you building your own compliance. – Brad Mar 29 '12 at 18:45
  • I don't buy their argument for not needing an agreement -- you are giving them access to your data; but as I said in my other reply to your comment (to Mark's post), it's quite doubtful that this would be prosecuted for violating HIPAA. – dr jimbob Mar 29 '12 at 18:59
  • All it takes is one person to point their finger to get the ball rolling on an investigation for a HIPAA violation. When I first started with this company they were going through an issue because of mis-emailed documents from incompetent state employees; even though it was a violation on the state's behalf, the person complaining owned a similar domain. Story learned: it's better to over-protect stuff than to under-protect it, from a design aspect. – Brad Mar 29 '12 at 23:46

I am not a lawyer and this is not legal advice.

I've run into a similar issue and asked the same question on healthcareit (recently moved to security).

As you are probably aware, an accession number is a unique identifier issued by your entity (e.g., your hospital) typically a 6-10 digit number to track a patient order in your information system (e.g., scheduling to providing the service to storing the report/data for the service). When de-identifying data in HIPAA, the guidelines explicitly state 'unique identifying numbers' should be removed, unless an expert has 'determine[d] that the risk is very small that the information could be used, alone or in combination with other reasonably available information ... to identify an individual, and document[ed] the methods and results of the analysis that justif[ies] such determination'.

I would not leave in accession numbers when de-identifying research data, as this is a 'unique identifying number'. Let's say I am doing a research study and have been sharing the de-identified MRI data with co-investigators, and some 'unique identifying number' was not removed. A co-investigator conceivably could go into the RIS, find out what patient that unique identifying number belongs to, and then will have the MRI of that patient without any audit trail saying they've downloaded this patient's MRI (there may be a trail saying they've seen their accession number -- but many employees see many accession numbers in the course of routine work). HIPAA does allow you to have a re-identification code in your de-identified data, but it cannot be derived from any existing 'unique identifying numbers', and these re-identification codes must be kept secret.

See page 66 of (section 164.514) https://www.hhs.gov/hipaa/for-professionals/privacy/

Not commenting on the legality of the matter, what you are saying in practice wouldn't violate patient privacy. Telling a doctor that they have an outstanding task (someone needs to read the report on accession number 1234567) doesn't give any private health information to an eavesdropper. The accession number, to someone who doesn't have access to your information systems, cannot be tied to a patient. Granted, it would possibly be a violation of patient privacy to email an accession number + any medical data about the person, e.g., accession # 1234567 has a finding of disease X, because, say, audit logs for searches for an accession number on the information system may not be as thoroughly analyzed as someone searching for the reports by patient/accession number. (For medical record numbers (MRN), this argument would not apply, as an MRN has a one-to-one correspondence with a patient. E.g., an eavesdropper may have prior knowledge of a patient-to-MRN mapping and learn that they came in by observing emails containing their MRN.)

However, this does not mean it would not be in violation of the law. I would guess it would be less likely to be prosecuted/convicted, but it probably would not be worth the risk. For my system I ended up adding a step: I send an email, and then they have to click through to my password-protected VPN/intranet system to see the accession #s.

dr jimbob (edited by jimmont)
  • How would an MRN be any different than any other accession number or unique number, regardless of what it is called? If it does not include any health information it doesn't appear to be PHI. If you see and understand otherwise, it would be very helpful to know what section or detail to read in the law (and thanks very much). https://www.hhs.gov/hipaa/for-professionals/privacy/index.html – jimmont Jul 10 '17 at 04:38
  • Every patient gets one MRN assigned to them. If for example an abusive ex-spouse/paparazzi learned your MRN in the past and works at an ISP and eavesdrops through email, and learns a plastic surgeon/obstetrician/oncologist saw your MRN -- they've learned stuff about your new medical history -- by merely learning you went to a doctor (just learning the type of doctor you visited leaks health information). That said, learning that accession 1234567 visited a doctor doesn't leak information to anyone who can't get into the medical record (to see that 1234567 is tied to patient X). – dr jimbob Jul 10 '17 at 12:01
  • Again, I'm saying to never disclose MRNs in unencrypted emails on the public internet. I'm saying disclosing an accession (that is essentially a sequentially assigned order ID number) without additional health information (like the patient's detailed MRI, or text report, or other detailed health information) is possibly acceptable in not violating a patient's privacy, since absent going into the medical records, you have no way of tying an accession back to a person. (And someone who already knows the accession ties to a specific person already knows they went in for a specific appt.) – dr jimbob Jul 10 '17 at 12:06
  • Thanks! Seems we interpret this the same: an MRN or similar unique numbers are private and would be smart to protect, but are not PHI unless combined with any other data point (CPT code, image, diagnosis terms in URL, etc). I personally would not want my SSN included in unencrypted emails and expect a certain level of protection, but doing so would not be a HIPAA violation alone as long as it doesn't otherwise disclose any health information (e.g., from the rest of the log entry). In my case the concern is specific to application logs and their handling for auditing away from the app+health data. – jimmont Jul 10 '17 at 15:46
  • I would add that the HIPAA privacy rule explicitly states that MRNs must be removed when de-identifying data (see 164.514(b)(2)(i)(H) on page 97 of this pdf: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf ). Accession numbers are not mentioned and arguably fall into the exemption category (c), though again I am not a legal expert on HIPAA or its full case history. It's still best practice to use secure communication and remove MRNs/accessions when possible within the workflow, under the general principle of minimum use of PHI. – dr jimbob Jul 10 '17 at 17:56
  • Yes thanks, my point is that when there is no "health information" the MRN is not PHI because it does not "Relate to the ...physical or mental health or condition...provision of care...or...payment" as defined in section 160.103, page 14 of the pdf. It might separately have privacy concerns. Do you interpret this section differently? Also separately not treating this as PHI when and where PHI might leak in (like in application logs) seems to be a risk worth addressing. – jimmont Jul 11 '17 at 19:58
  • An MRN is considered identifying information under HIPAA. I would treat it with the same safeguards I would treat a patient's name. Yes, someone's name in an email disconnected from any medical context would not be PHI. But when it's the name of a patient in the context of a visit with a healthcare provider it is PHI (even if no other health information is in the email other than the implication they recently saw a doctor at the practice). See for example: http://www.hcpro.com/HIM-301269-865/HIPAA-QA-Youve-got-questions-Weve-got-answers.html – dr jimbob Jul 12 '17 at 15:52
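One way to apply the re-identification-code rule discussed in the answer above (a code that is not derived from the MRN or accession number, with the mapping kept secret). This is an added example, not code from the answer or from HHS; the orders, MRNs and accession numbers are constructed.

```python
"""De-identification with a secret re-identification crosswalk."""
import hashlib
import secrets

# Constructed sample orders (hypothetical MRNs and accession numbers).
ORDERS = [
    {"mrn": "00123456", "accession": "7654321", "study": "MRI brain", "finding": "normal"},
    {"mrn": "00123456", "accession": "7654399", "study": "MRI spine", "finding": "disc herniation"},
    {"mrn": "00987654", "accession": "7655000", "study": "MRI brain", "finding": "normal"},
]

# 164.514(b)(2): unique identifying numbers are stripped from the data set.
IDENTIFIERS = ("mrn", "accession")


def deidentify(orders):
    """Return (deidentified_rows, crosswalk).

    Each patient gets one random code so longitudinal linkage survives,
    but the code carries no information about the MRN: it comes from
    secrets.token_hex, not from any function of the identifier. The
    crosswalk (code -> MRN) is the secret; store it apart from the rows.
    """
    crosswalk = {}
    mrn_to_code = {}
    rows = []
    for order in orders:
        mrn = order["mrn"]
        if mrn not in mrn_to_code:
            code = secrets.token_hex(8)
            mrn_to_code[mrn] = code
            crosswalk[code] = mrn
        row = {k: v for k, v in order.items() if k not in IDENTIFIERS}
        row["reid_code"] = mrn_to_code[mrn]
        rows.append(row)
    return rows, crosswalk


def reidentify(code, crosswalk):
    """Only the holder of the secret crosswalk can map a code back."""
    return crosswalk[code]


def derived_code(mrn):
    """Anti-pattern, shown for contrast: a hash of the MRN is a code
    *derived* from the identifier, so anyone who knows the MRN can
    recompute it and re-link the rows without the crosswalk."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]
```

The two patients keep distinct codes and the first patient's two studies stay linked, while `derived_code` shows why a hashed MRN fails the rule: it is the same for everyone who knows the MRN.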

According to the website below this is not considered part of your private information and as such it would be acceptable to send in an unencrypted email. HIPAA compliance applies specifically to personal information which this does not fall under.

http://web.mit.edu/committees/couhes/hipaa.shtml

Mark S.
  • Unfortunately, lawyers don't understand technology like an engineer would, and they write the laws for HIPAA and HITECH. Since the law is open to interpretation and depends on how much a judge and jury are able to comprehend, you would be best off with the strictest interpretation of the legal documentation. – Brad Mar 29 '12 at 18:13
  • @Brad - I agree it's the lawyers writing the laws and it's safest to assume strictest compliance. However, it's unlikely you would be prosecuted/convicted for designing a system that gave Accession #s alone in emails -- more likely someone would tell you to redesign it. There is ambiguity, and a reasonable prosecutor wouldn't try you, and you could build a solid defense. HIPAA convictions are [rare](http://www.privacyguidance.com/files/HIPAAfelonyconvictionsandupcomingtrends-Herold_February_2009.pdf) and usually involve egregious violations (e.g., identity theft, selling celebrity records). – dr jimbob Mar 29 '12 at 18:56
  • All coins have 2 sides to them; here's the other side that I see. From my understanding, one must provide documented reasonable efforts to secure a system. This creates plausible deniability, which would assist if a lawsuit were to be filed. If you just document the laws, your interpretation, and what you put in place for compliance's sake, then you should be fine. Just be sure to document everything and keep backups for yourself. – Brad Apr 02 '12 at 17:07