Friday, 15 July 2011 (B.E. 2554)

Healthcare Providers Using Fax-To-Email to Send Phi Are 'Negligent'

In the heavily regulated and litigious world in which we live, sending, receiving or managing sensitive documents and data through email, or through services that rely on email, can be plainly negligent. Unfortunately, many healthcare businesses transmit Protected Health Information (PHI) and confidential security details by email or email-based services every day because they misunderstand or dismiss the risks. This article sets out the issues and explains the key points that are often misunderstood.

Email risk
Although email is used every day by almost every organization, it is inherently insecure, and the risks of using it to transmit PHI are not fully appreciated.

When a business or organization uses an internet fax service that relies on fax-to-email or email-to-fax to transport the document, the email content is read and stored many times en route: by ISPs, mail servers, firewalls, virus scanners and, perhaps more worryingly, by unscrupulous 'bots' that harvest email data. In addition, IT staff may be able to access these emails, possibly using traffic monitors or packet sniffers (which look for particular content or keywords), at any of the points at which an email is stored or through which it transits.

It is not just the email body that is at risk: typically 30% of emails carry attachments, which are equally exposed at each and every stage above. Some fax-to-email providers claim to use protocols that 'encrypt' the attachment, but in truth all this does is put a 'wrapper' around that document; once that wrapper is decrypted, the unauthorized party has the whole document intact.

However, most fax-to-email providers use unencrypted email, which can readily be intercepted by unauthorized parties, sometimes with malicious intent. The consequences are serious and can result in substantial fines, loss of customers and, possibly, business failure.

Penalties
The current penalties for HIPAA (Health Insurance Portability and Accountability Act) violations are ,000 to .5million, depending on the scale and nature of the violation. Furthermore, an individual who knowingly discloses individually identifiable health information may face a criminal penalty of ,000 and one year of imprisonment. Many providers believe they comply with the latest HIPAA encryption regulations, but in reality they may only be 'compliant' in a very limited set of circumstances, which require high levels of IT support.

A further point to note on the regulations above: if an unencrypted email containing PHI is sent across the internet, a HIPAA violation may have occurred even if the email was not intercepted. The fact that it was available for disclosure by an ISP or a third party is enough to incur penalties under HIPAA.

In addition, fax-to-email systems make it difficult, if not impossible, to track missing faxes. Often there is no genuine audit trail at all, and there are major limitations in tracking document delivery.

Organizations that wish to compete successfully in the healthcare sector must deploy suitable technologies to protect documents and data, both at rest and in transmission. Failure to do so not only risks day-to-day patient confidentiality but can also jeopardize the organization itself through potential fines, reduced customer confidence and loss of business. However, it is possible to put a number of physical, organizational and technical measures in place to protect PHI and ensure HIPAA compliance.

