By Elizabeth Litten and Michael Kline
Many Covered Entities (CE) and Business Associates (BA) (and now, Subcontractors (SC) as well) are using a variety of approaches to limit exposure to liability and the potentially dire consequences associated with security breaches of Protected Health Information (“PHI”). Recently, we have noticed “PHI Warnings” in email and facsimile transmissions, by which CE, BA, or SC warn unintended recipients not to transmit or re-send PHI to third parties. Such PHI Warnings are being routinely used by hospitals, providers, health insurers, law firms and others that create, receive, maintain, or transmit PHI. Such PHI Warnings should be used and worded with caution, however.
For example, instructions such as the following sample may be found at the bottom of a CE’s email transmission:
Email Confidentiality Notice: The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties. If you have received this transmission in error, please contact the sender immediately by replying to this email and deleting this email and any attachments from any computer.
Unfortunately, if an unintended (or unprepared) recipient of such PHI reads this message and follows the sender’s instruction by “replying” to the email, such recipient could be unintentionally perpetuating or re-publishing the breach. Particularly in a case where the original email was sent to a number of recipients, a “reply” could easily become a “reply to all” and have the effect of re-sending (and announcing) PHI to new unintended third parties. Such a result could make it much more difficult for the original sender to ascertain the total scope of the security breach in its subsequent remediation and compliance efforts.
Moreover, such PHI Warnings should only be used in the context of overall HIPAA/HITECH policies and procedures of the sender. For example, if the unintended recipient were a BA or SC of the sender, the attempt to comply with the sender’s instructions could actually conflict with, and result in a breach of, the parties’ Business Associate Agreement (“BAA”).
The following sample avoids the problem described above by providing an alternative method of notifying the original sender but perhaps may still be “too little, too late,” as a serious PHI security breach may have already occurred:
This email and its attachments may contain privileged and confidential information and/or protected health information (PHI) intended solely for the use of ______________ and the recipient(s) named above. If you are not the recipient, or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this email message and/or any attachments is strictly prohibited. If you have received this transmission in error, please notify the sender immediately at 800-xxx-xxxx and permanently delete this email and any attachments.
Finally, if PHI is sent to a recipient prior to the parties’ execution of a compliant BAA and implementation of policies and procedures to protect PHI properly, a PHI Warning is unlikely to mitigate the liability of the sender (or recipient) for a security breach under HIPAA/HITECH.