Percent dropping, but e-mails still show PHI content

Health Management Technology, Dec, 2004

Two percent of the e-mail messages sent by employees in payer and provider organizations contain protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA), according to a new analysis conducted for HMT by Zix Corp. A provider of e-mail assessment and security software, the Dallas-based company analyzed 5 million e-mail messages sent and received by 50 healthcare organizations from April to October this year. The analysis found that the volume of e-mails containing PHI ranged from less than 1 percent for some payers and providers to as high as 9 percent for other entities.

Though the number may seem alarming, especially considering HIPAA requirements to create "reasonable safeguards" against the release of PHI, the statistic actually represents an improvement, according to Eddy Smith, Zix Corp.'s senior research engineer. E-mails containing PHI have dropped from an average of more than 4 percent just a year or two ago, he said.

Smith attributes the 50 percent drop to two factors: 1) HIPAA training has made healthcare workers more keenly aware of the issue and willing to control what and how they send some information, and 2) improved filtering has narrowed in on those e-mails containing sensitive material. One challenge that some technology vendors have met, Smith indicated, has been to create a filter that effectively automates the analysis of free, open text and distinguishes and identifies suspect content, though he says vendors vary in their proprietary routes to this end.

The data reported in November was based on the use of a proprietary software program, Zix Auditor, to capture and scan inbound and outbound e-mail traffic for a period of 3 days to 7 days from 50 of Zix Corp.'s healthcare customers, which total about 300. Smith points out that many of the organizations used in the analysis are evaluating technology that may help manage their e-mail. E-mail audits or assessments are available as a one-time analysis, or as part of an ongoing secure messaging product system.

Smith also points out that the 2 percent of PHI-containing e-mails do not necessarily constitute HIPAA violations, since most are transmissions between authorized business partners. However, most are plain text e-mails going out over unsecured paths, so these transmissions are at risk.

HIPAA leaves it up to each organization to determine whether the risk is acceptable or not, and to arrive at an appropriate balance between risk and remediation cost. HIPAA rules also require each covered entity to know how and where PHI moves through their organization, and when it is being exchanged with outside organizations. Thus, even one-time or periodic e-mail audits may provide the necessary documentation to comply with HIPAA rules.

"The CEO, the HIPAA security officer and the IT team all have different perspectives about the risk and whether a technology solution to lower the risk is warranted." When HCOs explore e-mail security solutions, the options range from monitoring and identifying the level of PHI being transmitted to encryption of some or all of an organization's e-mail traffic. Smith indicated that a popular solution at organizations with a high volume of transmissions is to set up a content scanner, which first scans e-mails to determine whether any PHI or other prescribed content is included, then automatically encrypts any messages containing it, rather than encrypting 100 percent of the e-mail traffic volume. For more information, including dates on Webinars about e-mail security, visit www.zixcorp.com.
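The scan-then-encrypt gateway and the audit percentage described above can be sketched as follows. This is an added example, not Zix Corp.'s software or filter: the patterns, function names and sample messages are assumptions constructed for illustration, and the encryption step is represented only by the routing decision.

```python
import re
from email import message_from_string

# Illustrative indicators only (assumptions); real filters are proprietary and broader.
IDENTIFIERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\b(?:MRN|medical record)\s*(?:no\.?|number|#)?[:\s]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
}
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)|lab results?|treatment|claim)\b", re.I)

def body_text(raw):
    """Return the subject plus every text/plain part of an RFC 822 message."""
    msg = message_from_string(raw)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def scan(raw):
    """Flag PHI only when a personal identifier co-occurs with a health term."""
    text = body_text(raw)
    hits = sorted(name for name, rx in IDENTIFIERS.items() if rx.search(text))
    return hits if hits and HEALTH_TERMS.search(text) else []

def route(raw):
    """Gateway decision: encrypt flagged messages, deliver the rest unchanged."""
    return "encrypt" if scan(raw) else "deliver"

def audit(messages):
    """Audit mode: percentage of captured messages that contain PHI."""
    flagged = sum(1 for m in messages if scan(m))
    return round(100.0 * flagged / len(messages), 1) if messages else 0.0

# Constructed sample traffic (not real data).
SAMPLES = [
    "From: a@clinic.example\nTo: b@payer.example\nSubject: Claim follow-up\n\n"
    "Patient DOB: 04/12/1961, MRN 00482913. Diagnosis attached.\n",
    "From: a@clinic.example\nTo: all@clinic.example\nSubject: Parking\n\n"
    "Lot B is closed Friday.\n",
    "From: hr@clinic.example\nTo: c@clinic.example\nSubject: Payroll\n\n"
    "Please confirm SSN 123-45-6789 for your W-2.\n",
    "From: a@clinic.example\nTo: d@lab.example\nSubject: Lab results\n\n"
    "Lab results for SSN 987-65-4321 are ready; treatment continues.\n",
]
```

The payroll sample carries an identifier but no health context, so this sketch does not count it as PHI; a gateway that also covers "other prescribed content" would add a separate rule for it.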

COPYRIGHT 2004 Nelson Publishing
COPYRIGHT 2004 Gale Group

 

Content provided in partnership with Thompson Gale