HIPAA Lawsuit – PHI by Un-encrypted Email

In kind of ironic timing, the news was recently reported of a patient talking to lawyers about a possible lawsuit against a doctor who sent her protected health information (PHI) to his home email in an un-encrypted format. The irony is that for the past week, my post on Email not being HIPAA secure has been having a really good discussion happening in the comments about these very issues (you should go read through the comments, they’re very interesting).

One interesting part of the above news story is that it didn’t even include the most common personal information used for identity theft. Certainly a person’s name and medical information should be kept private as well, and their release on the internet could have consequences. However, it definitely doesn’t bring out the privacy critics the way a breach of financial-related info would.

While I personally hate lawsuits, a part of me kind of hopes that this or some other lawsuit happens related to email and PHI. Not because I like lawsuits or I want someone to be held responsible. Mostly because we could use some legal precedent to better enable those who want to use technology like email. Until the precedent is set (or a more specific law is passed), I think that many people are just too afraid to use email for any sort of health care related communication.

In the comments I mentioned above, someone even commented that they wanted a doctor who would let them waive their right to privacy in the name of convenience. Basically, they would rather use email to communicate even PHI, at the risk of someone seeing their health information, so that they can use communication tools like email in their healthcare. I bet there are a lot more people who would opt in for this also. The problem is that the law is such that I don’t know many doctors who are willing to take the risk even if the patient gives them permission.

The best alternative right now is the patient portal where a patient receives an email saying something has been added or updated on the portal and invites them to login to the private secured portal to see the PHI or other health information. Not perfect and not that broadly adopted.
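The portal pattern above, as an added example (not code from the post): the notification email carries only a pointer to the portal, and a pre-send gate refuses any message whose subject or body still contains a value from the patient's record. `PatientRecord`, `portal_notification` and `phi_leaks` are hypothetical names, and the sample record is constructed.

```python
"""Patient-portal notification pattern with a PHI leak gate (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientRecord:
    patient_number: str  # the organization's internal identifier
    name: str
    diagnosis: str
    email: str


@dataclass(frozen=True)
class OutboundEmail:
    to: str
    subject: str
    body: str


def portal_notification(record: PatientRecord, portal_url: str) -> OutboundEmail:
    """Compose the notice the post describes: 'something was updated, log in to see it'.
    Deliberately carries no name, identifier or clinical detail; PHI stays behind the login."""
    body = ("A new item has been added to your secure patient portal.\n"
            f"Sign in to view it: {portal_url}\n")
    return OutboundEmail(to=record.email, subject="Portal update", body=body)


def phi_leaks(email: OutboundEmail, record: PatientRecord) -> list[str]:
    """Return the names of record fields whose values appear in the message text.
    The recipient address is expected on the envelope, so only subject and body are scanned."""
    haystack = f"{email.subject}\n{email.body}".lower()
    fields = {"patient_number": record.patient_number,
              "name": record.name,
              "diagnosis": record.diagnosis}
    return [field for field, value in fields.items() if value.lower() in haystack]


def safe_to_send_unencrypted(email: OutboundEmail, record: PatientRecord) -> bool:
    """Gate for the unencrypted channel: pass only if no PHI field value is present."""
    return not phi_leaks(email, record)


# Constructed sample record (not a real patient).
SAMPLE = PatientRecord("PN-000123", "Jane Example", "Type 2 diabetes", "jane@example.com")

if __name__ == "__main__":
    notice = portal_notification(SAMPLE, "https://portal.example.org/login")
    print("portal notice allowed:", safe_to_send_unencrypted(notice, SAMPLE))
    direct = OutboundEmail(SAMPLE.email, "Your results", "Jane Example (PN-000123): diabetes confirmed.")
    print("direct PHI email blocked on:", phi_leaks(direct, SAMPLE))
```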

There are lots of other issues related to email with doctors, but at least resolving the privacy and security ones would allow us to focus on those other issues.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • OK, this doc emailed this patient stuff home so he could do some research on his processes? LOL. Dude, put it on a thumb drive, then put that in your pocket or briefcase.

    I always assume that my unencrypted emails are the equivalent of post cards. Maybe that’s an excessively cautious view, but, still…

  • That’s why they call many of them frivolous lawsuits. You can file a lawsuit for a lot of things. Not that they’ll actually succeed, but that doesn’t keep them from trying.

    I think the word they use is damages. I’m not sure how she plans to show damages. Maybe that’s why she’s just consulting the lawyer and not actually announcing the lawsuit…yet?

  • HIPAA 11716) “INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.–The term ‘individually identifiable health information’ means any information, including demographic information collected from an individual, that–

    “(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

    “(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–

    “(i) identifies the individual; or

    “(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

    SEC. 1177. (a) OFFENSE.–A person who knowingly and in violation of this part–

    “(1) uses or causes to be used a unique health identifier;

    “(2) obtains individually identifiable health information relating to an individual; or

    “(3) discloses individually identifiable health information to another person,

    shall be punished as provided in subsection (b).

    “(b) PENALTIES.–A person described in subsection (a) shall–

    “(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

    “(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

    “(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.”

Doesn’t say anything about poor outcomes, liability simply hinges on breach of confidentiality. The only question here, then, is whether an unencrypted sent email containing an organization’s “Patient Number” constitutes a breach.

  • “Microsoft’s HealthVault gets encrypted e-mailing” by Josh Lowensohn was posted on cnet today.

    “Microsoft is trying to tighten up security on medical information that is sent by e-mail, while at the same time making it easier to share.

    At a U.S. Department of Health and Human Services event earlier today in Washington, D.C., the company unveiled an updated version of its HealthVault medical records system that can send encrypted copies of a patient’s medical records via e-mail….”

    It looks like the HIT industry has finally done something right by developing inexpensive and efficient solutions to successfully reduce most of the danger of emailing patients their medical information. That is a huge under-rated step to winning over consumers to the idea of interoperable eHRs and the seemingly magic cures from Evidence Based Medicine discoveries. If the healthcare industry can combine HIPAA-friendly emailing with recent advancements in the science of data-masking, it’s my opinion that the subsequent advances in healthcare through safe data-mining of millions of records will lead to miracles some of us have been dreaming about for decades. Suddenly, true advancement in healthcare becomes not that far out of reach.

    This would be a terrible time to blow consumers’ confidence in security just to rush careless ideas to a trusting and naïve market for quick profits. If we allow greedy stakeholders to screw this up using our grandchildren’s ARRA money, at least a few generations will be worse off than if we never bothered changing from paper records – the gold standard of patient privacy and historically adequate, but far from spectacular.

    Now then, if all HIPAA-covered entities will do their part and encrypt patients’ PHI at rest, or perhaps give up the maintenance and liability of patients’ records to encrypted cloud computing, the huge security obstacle to interoperable patient records will be all but eliminated… at least until the first breach of millions of encrypted but unreported PHI is belatedly discovered by a rash of identity thefts.

    If we blow it, you and I won’t live long enough to regain the trust of most Americans, regardless of the potential good that can come from transparency in medicine.

    D. Kellus Pruitt

  • Interesting development. I’ll be excited to see how this develops over time and how HealthVault has implemented this secure email.

    No doubt that being able to email your doctor your PHR information would be great. It doesn’t reach the full vision of interoperability, but it’s a start.

  • Question: can your employer call your doctor several times and harass them for your information and get the doctor to tell all? I know that your employer is to call the insurance agency for the status on an employee. It’s not their job to call the doctor’s office and harass them. What can I do, and isn’t that a violation of HIPAA law as well by the employer?

  • Also, after my employer got the information at 10 am from the doctor’s office, they came to my home and harassed me in front of my children, knowing what the doctor had told them. What am I to do?

  • Anthony,
    I should first offer the disclaimer that I’m not a lawyer. With that said, I don’t believe that your employer calling several times to your doctor is a violation of HIPAA on their part. Now, your doctor providing any information to your employer without consent could be a violation of HIPAA. Unless of course your employer called under some sort of false pretense or something.

    The other “harassment” type items aren’t a violation of HIPAA either from what I can tell, but it seems like they could be a violation of some other harassment or related law.

    So, I’d say that HIPAA is unlikely to provide you any protection in this case unless you wanted to go after the doctor that from the sounds of it gave your protected health information to your employer. Otherwise, you should consult an attorney about the other possible laws that were broken.

  • I recently found another patient’s records in the middle of my Psychiatric/Chemical Dependency Record. This hospital is mad at my doctor for giving me my medical records. Apparently they are more careful when they send records to patients. I notified the hospital immediately of their error and sealed the other person’s records in an envelope without reading beyond the point I realized that it was not me. I also have them on an ADA violation which of course they want to settle, but I refuse to sign a confidentiality agreement when my confidentiality means so little to them. Sometimes it is just the principle of the thing.