Protecting Health Care Privacy
The U.S. Health Insurance Portability and Accountability Act (HIPAA) addresses (among other things) the privacy of health information. Its Title 2 regulates the use and disclosure of protected health information (PHI), such as billing services, by healthcare providers, insurance carriers, employers, and business associates
Email is often the best way for a hospital to communicate with off-site specialists and insurance carriers about a patient. Unfortunately, standard email is insecure. It allows eavesdropping, later retrieval of messages from unprotected backups, message modification before it is received, invasion of the sender's privacy by providing access to information about the identity and location of the sending computer, and more. Since healthcare provider email often carries PHI, healthcare facilities must be sure their email systems meet HIPAA privacy and security requirements.
Children's National Medical Center (CNMC) of Washington, D.C., "The Nation's Children's Hospital," is especially aware of privacy concerns because all such concerns are heightened with children. CNMC did what many organizations do when faced with a specialized problem: rather than try to become specialists or hire specialists for whom the hospital has no long-term full-time need, it turned to a specialist firm.
CNMC chose Proofpoint of Sunnyvale, California, for its Security as a Service (SaaS) email privacy protection service. Matt Johnston, senior security analyst at CNMC, says that children are "the highest target for identity theft. A small kid's record is worth its weight in gold on the black market. It's not the doctor's job to protect that information. It's my job."
Johnston explains that he likes several things about the Proofpoint service:
? "I don't have to worry about backups." Proofpoint handles those.
? "I don't have to worry about if a server goes down. [If it was a CNMC server, I would have to] get my staff ramped up and bring up another server. Proofpoint does that for us. It's one less headache."
? "We had a product in-house before. It required several servers which took a full FTE [full-time employee] just to manage this product. It took out too much time."
? "Spam has been on the rise. Since Proofpoint came in, we've seen a dramatic decrease in spam. It takes care of itself. The end user is given a digest daily."
? Email can be encrypted or not, according to rules that the end user need not be personally concerned with.
? "Their tech support has been great."
Proofpoint is not the only company that provides healthcare providers with email security services. LuxSci of Cambridge, Massachusetts, also offers HIPAA-compliant email hosting services, as do several other firms. They all provide the same basic features: user authentication, transmission security (encryption), logging, and audit. Software that runs on the provider's computers can also deliver media control and backup. Software that runs on a user organization's server necessarily relies on that organization to manage storage; for example, deleting messages from the server after four weeks as HIPAA requires.
As people become more aware of the privacy risks associated with standard email, the use of secure solutions such as these will undoubtedly become more common in the future.
Discussion Questions
1. What privacy concerns does transmitting healthcare information via email raise?
2. What requirement does HIPAA institute to safeguard patient privacy?
Critical Thinking Questions
1. Universities use email to communicate private information. For example, an instructor might send you an email explaining what you must do to raise your grade. The regulations about protecting that information under the Family Educational Rights and Privacy Act (FERPA) are not as strict as those under HIPAA. Do you think they should be as strict as HIPAA's requirements? Why or why not?
2. How does Proofpoint safeguard patient privacy? Could Proofpoint do the same for university and corporate emails? Why or why not?