If you work in the health industry, then making sure your business is HIPAA compliant is at the top of your priority list. A simple mistake like mistyping an email address can breach electronic Protected Health Information (ePHI), with devastating consequences. Something as simple as a typo can ignite an investigation, potentially leading to expensive fines, complex remediation requirements and increased future regulatory scrutiny.
If your system is breached, you can’t just sweep it under the rug. The HIPAA breach notification rule ensures that any business that fails to report a breach will be swiftly punished. That means that not only are you responsible for locking down your system, but also for accurately reporting when something does go wrong.
Knowing what can trigger a breach — and also what qualifies as a breach — can be the difference between a massive fine and a noteworthy but otherwise unspectacular incident.
Under the HIPAA Breach Notification Rule, any potential exposure counts as a breach. Any time there’s a significant risk that PHI was used or revealed in a way not allowed by HIPAA, it’s considered a breach. For example, if you lost a flash drive with unencrypted ePHI on it, it would count as a breach even if you didn’t know whether anyone picked it up or used it.
However, if you can prove there’s a low risk of actual exposure, you’re exempted from breach notification. To do this calculation, you need to consider:
1. What information was exposed and whether it can identify the patient;
2. Who received (or may have received) the information;
3. Whether they actually acquired and viewed the PHI; and finally,
4. How the risk has been mitigated.
No matter what your answers are for one and two, if you can show no unauthorized party actually acquired the PHI, you’re exempt from HIPAA Breach Notification.
Virtru Pro with read receipt can prevent a HIPAA breach notification from being triggered. Virtru Pro allows users to rescind emails. If you inadvertently send ePHI to the wrong address or accidentally forward sensitive information, clicking the red hand icon will prevent the recipient from reading the email (or from reading it in the future, if they’ve already read it).
Doing this quickly can minimize the risk of a breach, but the feature by itself doesn’t exempt you from the HIPAA breach notification rule for one reason:
The reader could have accessed the email before you rescinded it. That’s where Virtru read receipts come in.
A read receipt tells you whether your email has been read. When you click the message in your sent mail folder, you’ll see an envelope by each recipient’s name; if it’s an unopened, grey envelope, the recipient hasn’t read it. Virtru requires the recipient to access Virtru’s secure server to decipher the encrypted message, which triggers the receipt showing that the email has been accessed. If you see a grey envelope (indicating the email has not been accessed) and revoke the message, HIPAA breach notification is no longer something you have to worry about (at least for this incident).
If there are multiple breaches (e.g. if ePHI was sent to many unauthorized email addresses) you can limit exposure and identify exactly what info has been improperly disclosed, and to which parties. This reduces the extent of the breach, which can lead to lower penalties and simplify breach mitigation.
Virtru HIPAA compliant email protects you from threats and mistakes. Virtru Pro secures messages with a single click, using military grade, client-side encryption. You can communicate with patients, other providers and business associates without the inconvenience and complexity of a healthcare portal.
Virtru Pro email encryption gives you more control over your messages, reducing HIPAA compliance risks. You can set time limits on sensitive communications, decrease exposure by disabling forwarding and, most importantly, avert HIPAA breach notification with message revocation and read receipt.