Common HIPAA Violation Email Examples

Common HIPAA violation email examples include sending emails containing PHI to unauthorized individuals, neglecting to use the BCC function when sending a bulk email, and failing to train members of the workforce on email security. It is also a HIPAA violation not to enter into a Business Associate Agreement with a third-party email service provider.

One of the best sources to find examples of common HIPAA email violations is HHS’ Breach Report. The Archive section of the Breach Report contains details of more than five thousand data breaches notified to HHS’ Office for Civil Rights since 2009. By downloading the Archive and using the search function, it is possible to identify common HIPAA violation email examples.

Data Breaches vs HIPAA Violations

When using this method to identify common HIPAA violation email examples, it is important to be aware of the difference between a data breach and a HIPAA violation. Data breaches occur when there has been – or it is believed there may have been – an impermissible use or disclosure of PHI. HIPAA violations are the failure to comply with any standards of the HIPAA Administrative Simplification Regulations regardless of whether the violation results in a breach or not.

The reason this is important is because some breaches are notified to HHS’ Office for Civil Rights out of “an abundance of caution”. This happens when a security incident has occurred and a risk analysis cannot rule out the possibility that PHI may have been impermissibly disclosed. These entries on the Breach Report are often included in breach notification “statistics” even though there is a very low probability of them being data breaches.

Analyzing HIPAA Violation Email Examples

Using the above distinction between data breaches and HIPAA violations, it could be argued that mistakenly sending PHI to an unauthorized individual – or neglecting to use the BCC function when sending a bulk email – is an accident rather than a violation. However, the frequency with which this happens should alert covered entities to the risk of a data breach, and covered entities should implement measures to mitigate that risk “to a reasonable and appropriate level”.

The same could be said about the hundreds of data breaches attributable to phishing. In many cases (currently 381), the reports accompanying the entries in the Data Breach Archive state workforces received retraining on email security following a data breach. This implies there was a failure to adequately train members of the workforce on email security prior to the data breach. In some cases, the same comment appears several times for the same covered entity!

The Top 5 HIPAA Violation Email Examples

Compiling a “Top 5” HIPAA violation email examples from only HHS’ Breach Report can lead to inaccuracies. This is because only breaches affecting more than 500 individuals are posted on the Breach Report. There are around 600 data breaches affecting 500 or more individuals each year, whereas there are more than 60,000 data breaches affecting fewer than 500 individuals each year. From the data available, these are the Top 5 HIPAA Violation Email Examples:

Failing to train members of the workforce on email security

As mentioned above, there are currently 381 cases in which members of the workforce received additional HIPAA training following a data breach affecting more than 500 individuals. It is worth noting that these cases represent less than 10% of all data breaches.

Sending emails containing PHI to unauthorized individuals

HHS’ Breach Report does not distinguish whether these data breaches are attributable to genuine accidents or malicious insiders. Covered entities need to be prepared for both types of events and implement measures (e.g. DLP tools) to prevent them.

Neglecting to use the BCC function when sending a bulk email

Although this type of violation appears frequently in the Breach Report, it may not be a violation in all cases because email addresses by themselves are not PHI. In theory, covered entities could be sending breach notifications when no breach has occurred.

Failing to enter into a Business Associate Agreement

The failure to enter into a Business Associate Agreement when PHI is disclosed to a software vendor is a violation of HIPAA – even if the vendor cannot see PHI in emails because it is encrypted. The reasons why an Agreement is necessary are discussed in this HHS FAQ.

Failing to terminate access to email accounts and data storage drives

The Security Rule (§164.308(a)(3)) requires covered entities and business associates to terminate access to email accounts and data storage drives when a member of the workforce leaves the organization. There are several cases where this has not happened.
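Two of the failure modes listed above – PHI sent to unauthorized external recipients, and bulk mail sent with every address visible in To/Cc instead of Bcc – are the kind of thing an outbound mail policy check can catch before the message leaves. The following is an added example written for this article, not code from HHS or from any vendor. It assumes a hypothetical mail gateway that hands each outgoing message to check_message() as raw RFC 5322 text; the domain example-clinic.test, the recipient threshold, and the PHI-like patterns are constructed, illustrative configuration values, not a complete DLP rule set.

```python
"""Outbound e-mail policy check illustrating two HIPAA email failure modes:
bulk mail without BCC, and PHI-like content addressed to external recipients.
Added example; configuration values below are hypothetical."""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-clinic.test"  # hypothetical covered-entity domain
BULK_THRESHOLD = 10                       # more visible recipients than this => flag

# Constructed, illustrative indicators of PHI in message bodies.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\bdiagnos(?:is|ed)\b", re.IGNORECASE),
}


def _addresses(msg, *headers):
    """Lower-cased addresses from the named headers (empty if absent)."""
    values = []
    for header in headers:
        values.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def visible_recipients(msg):
    """To and Cc are visible to every recipient; Bcc is not."""
    return _addresses(msg, "To", "Cc")


def external_recipients(msg):
    """Any recipient (including Bcc) outside the covered entity's domain."""
    everyone = _addresses(msg, "To", "Cc", "Bcc")
    return [a for a in everyone if not a.endswith("@" + INTERNAL_DOMAIN)]


def body_text(msg):
    """Concatenate text/plain parts so patterns can be matched."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def check_message(raw):
    """Return a list of policy findings for one raw outgoing message."""
    msg = message_from_string(raw)
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > BULK_THRESHOLD:
        findings.append(f"bulk: {len(visible)} recipients visible in To/Cc; use Bcc")
    external = external_recipients(msg)
    if external:
        hits = [name for name, pat in PHI_PATTERNS.items() if pat.search(body_text(msg))]
        if hits:
            findings.append(f"phi: {','.join(hits)} addressed to external recipients {external}")
    return findings


# Constructed sample messages (no real addresses or patients).
BULK_NEWSLETTER = (
    "From: news@example-clinic.test\n"
    "To: " + ", ".join(f"patient{i}@mail.test" for i in range(12)) + "\n"
    "Subject: Flu clinic hours\n\n"
    "Walk-in flu shots are available this week.\n"
)
PHI_TO_EXTERNAL = (
    "From: dr@example-clinic.test\n"
    "To: relative@mail.test\n"
    "Subject: Follow up\n\n"
    "Patient MRN: 1234567 was diagnosed yesterday; see attached notes.\n"
)
INTERNAL_ONLY = (
    "From: dr@example-clinic.test\n"
    "To: nurse@example-clinic.test\nCc: records@example-clinic.test\n"
    "Subject: Chart\n\n"
    "MRN: 1234567 needs a chart review.\n"
)

if __name__ == "__main__":
    for label, sample in [("newsletter", BULK_NEWSLETTER),
                          ("external", PHI_TO_EXTERNAL),
                          ("internal", INTERNAL_ONLY)]:
        print(label, check_message(sample))
```

The internal-only sample is not flagged even though it mentions an MRN: disclosure among the covered entity's own workforce is the normal case, and a policy that flags every internal mention of PHI is quickly ignored. The bulk check fires regardless of content because it is the visible recipient list, not the body, that causes the exposure in the BCC cases described above.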

So-Called Email Violations are Not Necessarily Violations

In the context of HIPAA violation email examples, several sources “create” violations with the objective of selling a product. The biggest example of this practice is email encryption – which, although required by the Technical Safeguards if PHI is sent from provider to provider, is not necessary if a patient has requested, consented to, or authorized an unencrypted email, or if a patient has initiated a conversation via unencrypted email.

To avoid unnecessary expenses, integrations, configurations, and workforce training, covered entities and business associates should review the requirements of the Administrative Simplification Regulations as a whole rather than comply with standards in isolation. Covered entities and business associates that require assistance with HIPAA compliance are advised to seek advice from an independent compliance professional.