Sending Protected Health Information (PHI) via Email? You May be Breaking the Law.

By Robert McDermott, CEO, President; iMedicor

Electronic messaging (i.e. e-mail) is quickly becoming the standard for transmitting electronic protected health information (EPHI). But whether they realize it or not, dentists are breaking the law when they transmit patient records and x-rays through consumer e-mail accounts (e.g. Yahoo, Gmail, AOL).
With the advent of electronic health records, the transmission of EPHI, and specifically protecting it from internal and external risks, has never been a bigger issue in the dental community.

What are the Penalties?

The federal government is increasingly tightening its enforcement of the Health Insurance Portability and Accountability Act (HIPAA)[1]. The penalties for violations are staggering; one incident could put a practice out of business.
Civil penalties run up to $50,000 per violation, with an annual cap of $1,500,000 for all violations of an identical provision.

A HIPAA Privacy Rule[2] violation can also be prosecuted as a crime by the Department of Justice, with prison terms ranging from one to ten years in addition to the monetary fines.

Is Compliance Really Being Enforced?

HIPAA grew teeth in July 2009, when the authority to administer and enforce the HIPAA Security Rule[3] was transferred to the HHS Office for Civil Rights (OCR). Since then, OCR has investigated more than 98,279 HIPAA complaints, and private practices have been the type of covered entity[4] most often required to take corrective action.

Also in 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) granted State Attorneys General the authority to bring civil actions for HIPAA violations on behalf of state residents.

Then in January 2013, the Omnibus Final Rule reaffirmed HIPAA's privacy and security requirements and pushed enforcement further still. That year, the number of HIPAA-violation complaints received by the Department of Health and Human Services rose sharply, and according to analysis by the consulting company TrueVault, complaints are on a similar trajectory in 2014.

My Email Is “Secure.” Do I Need to Worry?

A common misconception about e-mail messaging systems is that "secure" equals HIPAA-compliant. It doesn't. "Secure" usually means only that the message is encrypted in transit. That is necessary but not sufficient: the Security Rule also requires access controls, audit logging and integrity protection, so most "secure" messaging products fall short of compliance. The bottom line is that unless a practice uses an e-mail system that meets those requirements, its providers are at risk of violations and the resulting penalties, fines and, in the worst case, jail time.

What to Look For When Selecting a Messaging System

The HIPAA Security Rule sets out several technical safeguard standards that an electronic messaging system must support. When selecting a messaging system, make sure it implements the following. (Specifications marked "addressable" are not optional: a practice must implement them or document why an equivalent alternative is reasonable and appropriate.)

Access Controls to restrict access to those persons or software programs that have been granted access rights. Specifications follow:

  • Unique user identification (required)
  • Emergency access procedure (required)
  • Automatic logoff after a set period of inactivity (addressable)
  • Encryption and decryption of stored EPHI (addressable)

Audit Controls to record and examine activity in systems that contain or use EPHI. Without them there is no way to determine whether a security violation has occurred, or who did what.

Integrity to protect EPHI from improper alteration or destruction, including a mechanism to confirm that EPHI has not been altered (addressable).

Person or Entity Authentication to verify that a person or system seeking access to EPHI is who it claims to be (required).

Transmission Security to guard against unauthorized access to EPHI while it travels over a network. Specifications follow:

  • Integrity controls (addressable)
  • Encryption (addressable)

Another feature to look for when selecting an e-mail messaging system is support for the Direct protocol (the Direct Project's secure health transport). Direct lets you send encrypted, signed messages to providers outside your own network over the ordinary internet. Instead of relying on a password, each Direct address is backed by an X.509 certificate that is issued only after the address holder's identity has been verified, and messages are signed and encrypted with S/MIME using those certificates. The identity proofing step is where the two-identifier check comes in: the issuing organization confirms identifiers such as a Social Security number and an ADA number before binding a certificate to the address.

This gives a sender confidence that only the intended recipient can read the message, and gives a recipient confidence that the sender really is the holder of the sending address. If you receive a Direct message from someone@direct.com and its signature validates against a certificate that was issued for that address and chains to a trust anchor you accept, you can be confident the message came from that person, not an imposter. A From header on its own, without a valid signature, proves nothing.
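To make that trust model concrete, here is an added example written for this page; it is not code from the article, from iMedicor, or from the Direct Project, and it uses only the Go standard library. It models the checks a receiving system must pass before believing a Direct-style message's From address: a trusted anchor issues an address certificate (the step that follows identity proofing), the sender signs the message, and the receiver verifies the certificate chain, the binding of the certificate to the claimed address, and the signature. The trust anchor, the address dr.smith@direct.example and the message body are constructed for the example; real Direct packages messages as S/MIME (CMS) over SMTP and discovers certificates through DNS or LDAP, which this simplified illustration leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage is a simplified stand-in for an S/MIME-signed Direct message (constructed
// for this example; real Direct uses CMS): the sender's certificate travels with it.
type SignedMessage struct {
	From      string
	Body      []byte
	Signature []byte // ASN.1 ECDSA signature over digest(From, Body)
	Cert      *x509.Certificate
}

// digest binds the claimed From address to the body so neither can be swapped out alone.
func digest(from string, body []byte) []byte {
	sum := sha256.Sum256(append([]byte(from+"\n"), body...))
	return sum[:]
}

// issueCert issues a P-256 certificate. parent == nil yields a self-signed CA (a stand-in
// for a HISP trust anchor); otherwise an end-entity S/MIME certificate whose rfc822Name
// SAN binds the key to one Direct address, which a real CA issues only after identity proofing.
func issueCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // must be positive
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		signer, signerKey = tmpl, key
	} else {
		tmpl.EmailAddresses = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign produces what the sending side emits: claimed From, body, signature and certificate.
func Sign(from string, body []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (*SignedMessage, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(from, body))
	if err != nil {
		return nil, err
	}
	return &SignedMessage{From: from, Body: body, Signature: sig, Cert: cert}, nil
}

// Verify performs the three checks the receiving side must pass before it may treat the
// message as genuinely from msg.From; any failure means an imposter or tampering.
func Verify(msg *SignedMessage, trusted *x509.CertPool) error {
	// 1. The certificate chains to an anchor we trust and is usable for email, not just TLS.
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := msg.Cert.Verify(opts); err != nil {
		return fmt.Errorf("sender certificate not trusted: %w", err)
	}
	// 2. The certificate was issued for the address the message claims to come from.
	bound := false
	for _, addr := range msg.Cert.EmailAddresses {
		bound = bound || addr == msg.From
	}
	if !bound {
		return fmt.Errorf("certificate is not issued for %s", msg.From)
	}
	// 3. The signature verifies under that certificate's key over From and body.
	pub, ok := msg.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(msg.From, msg.Body), msg.Signature) {
		return fmt.Errorf("signature does not verify: message altered or forged")
	}
	return nil
}
```

Three failure modes are worth exercising against Verify: altering the body after signing (check 3 fails), a legitimately enrolled user signing with their own certificate while claiming a colleague's address (check 2 fails), and a perfectly formed certificate for the right address issued by a CA outside your trust bundle (check 1 fails). That last case is why Direct trust bundles matter: neither the From address nor even a mathematically valid signature proves anything unless the issuer is one you have chosen to trust.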


[1] The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The federal law's purpose is to protect individuals' identifiable health information, called protected health information (PHI), which is held by most health care providers.

[2] The HIPAA Privacy Rule is a law that gives patients rights over their health information, and sets rules and limits on who can look at and receive it. It applies to all forms of individuals’ protected health information—electronic, written, or oral.

[3] The HIPAA Security Rule requires security for health information in electronic form. All covered entities must implement technical safeguards and comply with the applicable standards, implementation specifications and requirements of the Security Rule with respect to EPHI.

[4] Covered entities are defined as: health care providers that transmit any health information electronically in connection with certain transactions; health plans, and health care clearinghouses.


iMedicor’s iCoreExchange, a HIPAA-compliant, secure messaging hub, is endorsed by TDA Perks Program. Through Perks, TDA members receive a 35% discount on subscriptions.

November 1, 2014 (last modified 2016-10-28) | Categories: Compliance