When President Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA) in August of 1996, there was little enforcement value. That early version included little more than 330 words about patient privacy. It would take another seven years before HIPAA could be expanded and given enforcement mechanisms.
Since 2003 there have been 40,847 complaints investigated by the Office of Civil Rights. Of those, about two thirds, 28,279 cases were resolved with some form of action. While most of the successful investigations involved some form of hacking, many involved inappropriate email use.
In one recent example, the University of Alabama at Birmingham (UBA) was attacked by hackers wanting to divert employee payroll. No money was stolen. However, experts identified that some employee email accounts had patient medical records inside their emails while investigating the cyberattack. Although 19,557 patient records were compromised, investigators found no evidence that the records were stolen.
Cases like this bring to the forefront the importance of email compliance. With thousands of healthcare providers still grappling with the shift to electronic records, many are either careless or don’t know any better. Fortunately, optical character recognition (OCR) and data loss prevention (DLP) have emerged as two modern technologies that protect healthcare organizations from inadvertent slips in email compliance.
Email Compliance Defined
When a healthcare organization uses electronic patient health information (ePHI), it must conform to a specific regulatory framework. In the healthcare industry, that framework comes in part from HIPAA and a patient’s right to privacy. Email compliance, however, goes beyond that. In some cases, emails have a retention schedule, meaning, after a given period, they must be destroyed or archived. For the sake of e-discovery, the healthcare organization must keep the emails safe, more often than not, through encryption.
Effective healthcare organization email compliance has threat targets and three records management targets:
- Email communication must be encrypted
- The healthcare organization needs a way to monitor and/or control email content
- Data inside emails must be protected from cyberattacks
- Archived emails must be stored in an unalterable state
- Email retention schedules should be followed
- Email chain of custody must be protected
By utilizing both OCR and DLP technologies, healthcare organizations have effective tools that virtually eliminates slips in email compliance.
Optical Character Recognition
Today’s healthcare organizations rely heavily on image files, most notably, PDFs. Employing an email management system with OCR lets the system identify sensitive data inside the image. The system will then manage the data according to the regulatory framework. Today’s OCR capabilities are so sophisticated they can peer through the many layers of documents that went into producing a final PDF image. For example, a ZIP file that was shared within an email. Inside that ZIP file is a Word document with an inserted Excel spreadsheet that was scanned to PDF. Given digital collaboration, this type of file is common in today’s electronic environment.
On some OCR platforms, the software utilizes artificial intelligence (AI) and machine learning. In this way, the platform can correct mistakes in things like medical codes. Further, physicians often handwrite notes and prescription orders. An AI-enhanced OCR platform could intelligently link correct medicine and dosage about a specific patient, all while protecting patient privacy with actions such as blackouts when a specific note needs to be HIPAA email compliant.
Data Loss Prevention
Healthcare organizations typically utilize administrative processes that protect both patient and organization privacy. For example, creating and enforcing an email policy for internal employee use. However, employees do sometimes cut corners, like sending ePHI to their email account using their smartphones. Earlier this year, Renew Wellness reported a breach that occurred because of two stolen business cell phones. These cell phones had sensitive data about patients, including diagnoses for billing purposes and Social Security numbers.
DLP works with administrative processes by creating rules that look for specific instances of data. For instance, in the above example, DLP could have been used to look for Social Security numbers. The emails would then be quarantined awaiting further action. The number of rules created inside the email management system is limitless and can be applied to any non-HIPAA threat.
In all likelihood, the number of HIPAA complaints should go down as healthcare organizations enact business processes that protect them from the federal government’s remediation. In many cases, this included fines. Healthcare organizations must be vigilant and seek technological protections. The future use of new technologies will involve machine learning and AI-based processes. Using OCR and DLP, in conjunction with an email management system, will go a long way in preventing slips in email compliance.
UAB Medicine Phishing Attack Impacts 19,000 Patients. HIPAAJournal, October 7, 2019. https://www.hipaajournal.com/uab-medicine-phishing-attack-impacts-19000-patients/
 Privacy Event at Renew Wellness, PLLC. January 23, 2020. http://renewwellnessofgf.com/possible-privacy-breach-2020