Question

Protecting Health Care Privacy

The U.S. Health Insurance Portability and Accountability Act (HIPAA) addresses (among other things) the privacy of health information. Its Title 2 regulates the use and disclosure of protected health information (PHI), such as billing services, by healthcare providers, insurance carriers, employers, and business associates.

Email is often the best way for a hospital to communicate with off-site specialists and insurance carriers about a patient. Unfortunately, standard email is insecure. It allows eavesdropping, later retrieval of messages from unprotected backups, message modification before it is received, invasion of the sender’s privacy by providing access to information about the identity and location of the sending computer, and more. Since healthcare provider email often carries PHI, healthcare facilities must be sure their email systems meet HIPAA privacy and security requirements.

Children’s National Medical Center (CNMC) of Washington, D.C., “The Nation’s Children’s Hospital,” is especially aware of privacy concerns because all such concerns are heightened with children. CNMC did what many organizations do when faced with a specialized problem: rather than try to become specialists or hire specialists for whom the hospital has no long-term full-time need, it turned to a specialist firm.

CNMC chose Proofpoint of Sunnyvale, California, for its Security as a Service (SaaS) email privacy protection service. Matt Johnston, senior security analyst at CNMC, says that children are “the highest target for identity theft. A small kid’s record is worth its weight in gold on the black market. It’s not the doctor’s job to protect that information. It’s my job.”

Johnston explains that he likes several things about the Proofpoint service:

● “I don’t have to worry about backups.” Proofpoint handles those.

● “I don’t have to worry about if a server goes down. [If it was a CNMC server, I would have to] get my staff ramped up and bring up another server. Proofpoint does that for us. It’s one less headache.”

● “We had a product in-house before. It required several servers which took a full FTE [full-time employee] just to manage this product. It took out too much time.”

● “Spam has been on the rise. Since Proofpoint came in, we’ve seen a dramatic decrease in spam. It takes care of itself. The end user is given a digest daily.”

● Email can be encrypted or not, according to rules that the end user need not be personally concerned with.

● “Their tech support has been great.”

Proofpoint is not the only company that provides healthcare providers with email security services. LuxSci of Cambridge, Massachusetts, also offers HIPAA-compliant email hosting services, as do several other firms. They all provide the same basic features: user authentication, transmission security (encryption), logging, and audit. Software that runs on the provider’s computers can also deliver media control and backup. Software that runs on a user organization’s server necessarily relies on that organization to manage storage; for example, deleting messages from the server after four weeks as HIPAA requires.

As people become more aware of the privacy risks associated with standard email, the use of secure solutions such as these will undoubtedly become more common in the future.

Discussion Questions

1. What privacy concerns does transmitting healthcare information via email raise?

2. What requirement does HIPAA institute to safeguard patient privacy?

Critical Thinking Questions

1. Universities use email to communicate private information. For example, an instructor might send you an email explaining what you must do to raise your grade. The regulations about protecting that information under the Family Educational Rights and Privacy Act (FERPA) are not as strict as those under HIPAA. Do you think they should be as strict as HIPAA’s requirements? Why or why not?

2. How does Proofpoint safeguard patient privacy? Could Proofpoint do the same for university and corporate emails? Why or why not?

Answer #1

Discussion questions

  1. Even though standard email is the better option, there are issues of eavesdropping, retrieval of emails from unprotected backups, and messages being modified before they are even received; it also does not safeguard the sender’s privacy.

  2. To safeguard the privacy of the patient, HIPAA regulates the use and disclosure of health information like billing services, healthcare providers, insurance carriers, employers and business associates.

Critical thinking

  1. Yes, it is better to be as strict as possible. Whether it’s HIPAA or FERPA, both will have the privacy information, and it becomes the duty of any institute to maintain data security. When you are using emails as a mode of communication, it becomes very easy for people to hack other people’s information. Especially when it comes to FERPA, it contains the information of the family members and a lot more information about them. Taking an example, when an instructor sends an email explaining what needs to be done to enhance the grade, protecting that information from others is important. It is one’s personal information and others should not know. If somebody changes the information in the email even before it is received, it may mislead the recipient. When emails are being sent with this information, it becomes extremely dangerous to lose the data, and it has to be restricted from being viewed by a third party. Hence it is very important to be strict on managing the information.

  2. I strongly believe all universities and corporates should implement Proofpoint facilities. Proofpoint provides security to email services, since most organizations/institutes strongly believe in email as the mode of communication. Especially when corporates deal with email on any information, they cannot afford to lose out on private data, and if anything is missed it becomes difficult for the company to stay in the market as well. If they implement the Proofpoint service, it provides the services below:

    1. It protects you from spam.

    2. They provide email encryption services, which help prevent people from trying to modify the email data even before it reaches the recipient’s inbox.

    3. Companies need not worry about server management. Even when the server goes down, Proofpoint takes care of the server management.

    4. Proofpoint handles the backup.

    5. It asks for user authentication and also does the audit by itself.

Hence it is strongly suggested that organizations/institutes use Proofpoint as a basic service.
