Hello and welcome to episode 401: When Email Goes Awry, How to Prevent the Most Common Source of HIPAA Breaches.
We just gave away part of what made us decide to talk about this topic with the title of this episode, which is that emails going awry are truly the most common source of breaches, of unauthorized use or disclosure of protected health information, that we see in the mental health private practice landscape, and particularly in the group practice context. So we wanted to delve into that a bit, because there are a lot of things that you can do, both in terms of configuration settings that lock things down and make certain types of email-going-awry breaches completely preventable, and then some other behavioral measures and policy and procedure components that, when rolled out (first of all in place, of course, but also rolled out and your team being trained on them), can really go a long way towards preventing the other types of email-gone-awry breaches. So we're going to unpack all of that a bit.
And we'll start with the one that is the most common breach cause that PCT has seen occur in group practices, and the most common "Oh no, something happened, what do I do, is this a breach, how do I mitigate it, how do I manage it, what now?" source of questions that we get, and that is related to BCC going awry and being sent instead as a CC, so carbon copy instead of blind carbon copy. What happens when a carbon copy is sent is that everyone in that recipient field is able to see all of the other recipients. Now, why would this be HIPAA problematic, Evan?
Oh, why? Yeah, well, some folks don't think email addresses are PHI either. They're like, they won't know each other. Turns out it's totally PHI, regardless of whether someone's explicit name is in there. Their email address is their identifier, and so seeing everyone else's is like having your client list exposed to your whole client list.
Exactly, and that is the case whether or not the contents of the email are a generic announcement that you want to be making to all currently active clients of the practice, something like, hey, it's the beginning of a new year, time to update your insurance information if it's changed, or our practice is going to be closed due to inclement weather, so we're shifting to virtual. Those are some of the reasons that have most commonly led practice leadership to want and need to send out a notification to all active clients, which of course, if you're sending those individually, is going to be a time-consuming process. However, it is far more time-consuming if you use BCC and it goes awry and gets sent as CC, and therefore is exposing, like Evan said, essentially your whole client list, and that then is an unauthorized disclosure of protected health information, which is another way of saying a breach.
And that is something that needs to be reported both to the impacted individuals and to the Office for Civil Rights, the HIPAA administrators and regulators. So we really, really want to avoid that occurring, and having a process, or having your policy be "we only use blind carbon copy, we only use BCC, we never use CC," is not sufficiently preventative of this occurring. We have seen not only many breaches be caused by this, but have even seen breaches that constitute a large breach occur because of this. Now, what makes something a large breach, Evan?
Um, yeah. It's if you have over 500 people: 499, small breach; 500, large breach.
Yes, and the implications of having a large breach versus a small breach are pretty significant, for a couple of reasons. One, and this is just purely in the HIPAA context, not as much in that impact-to-practice-reputation category, which of course is also a factor when you have to notify clients that there was an unauthorized use or disclosure of their PHI. But in HIPAA process terms, the implications of having a large breach are that the reporting timeframe is much shorter than for a small breach, meaning that you're going to have to expedite the breach investigation, documentation, notification and reporting process, which also means that you're less likely to be able to address any compliance issues that are present in your practice that really should be addressed, and that their being addressed is something that's reflected in the breach report form that you file with the OCR. So the timeframe for a large breach is that you have sixty days to notify the Office for Civil Rights and file your breach report. That's your maximum, whereas with a small breach you have sixty days after the end of the calendar year in which the breach was discovered to have occurred. So, big difference on that front. And then the other really significant thing with a large breach is that you not only are having to report it to the OCR and notify all impacted individuals, but you also need to place a notice with local media wherever impacted individuals reside, which is not something anybody wants to have to do. So hopefully we're painting a compelling picture here as to why the potential cost-saving benefits in terms of time
of using BCC are not worth the impact and all of the negative consequences of it going awry. So that brings us to: what does the policy on BCC need to be, Evan?
Don't. Just don't. Don't. It's like, any CC, we don't even, don't even try to. No, don't be clever. Never, never, never ever.
Never ever. Yes, never, never ever. And that is something that unfortunately needs to be primarily managed purely through policy and procedure, and training folks on that behavioral process of not trying to take the efficient shortcut to managing something, and to only do it in such a way that is certain to keep protected health information, which is the responsibility of the practice to safeguard, safeguarded. Now, there are some solutions for how to send those mass notifications to existing clients, or to whatever recipients you want and need to be sending such a communication to, where those risks are not present, and that solution is to be using a HIPAA-friendly email newsletter service. Constant Contact is the most economical one for getting a HIPAA business associate agreement in place, and that also solves a lot of other conundrums related to email marketing and newsletters, and having a mix of clients and non-clients on your newsletter list. We can devote a whole other podcast episode to that topic, and I think we will in this current podcast season, but just to say, there is real benefit to having a HIPAA-friendly email campaign service in your group practice, above and beyond just managing the prevention of the BCC-gone-awry issue, and also addressing the fact that if you need to be sending those mass communications, it would be very time-consuming and tedious to be doing so one by one. And so we understand why there is temptation for folks to just use BCC, but the best way to address this is to have your prohibition-on-BCC policy in effect, and then to have a system that provides the functionality that you need and is simultaneously providing the HIPAA security compliance and meeting HIPAA needs, which primarily here is going to be having a HIPAA business associate agreement with the service provider that's handling that email campaign service. So, just to reiterate, the main takeaway I want everyone to have is: never ever, for any reason, use BCC from your practice email if the email communication involves any client recipients. It is a different matter, of course, if we're talking about care coordination and communicating with other providers; you can use CC there, with some caveats. But if client communication is involved, never ever try to use BCC, and CC is also never an option. So emblazon that into the processes that your team is aware of. And again, part of why we're highlighting this is just because we've seen this play out so many times and generate a lot of stress, and we want to be able to spread the word, evangelize a bit, about why this is such an important issue, to hopefully be able to prevent other practices from going through that process and stress. There are a couple of other primary areas where email can go awry, and one of those, which comes up more often than you would think, is that staff members, workforce of a practice, will set up their practice email to auto-forward to their personal email. Fortunately, though, this is something that can be prevented and managed not just on a policy level, so behavioral measures, but also through technical measures and just changing some configuration settings in your practice's email service in order to prevent this. Evan, can you share a little bit about what that entails?
Yeah, totally. So Google Admin is your window to changing your settings for Google Workspace. Now, this applies to everyone who has Google Workspace, and it might apply to those using, say, Microsoft or some others, but I can't speak to that; I can speak to Google. So you can change the settings under sort of the usage abilities for people under Gmail, the app there, and we actually have a guide on this in our Google help center on how to disable email forwarding, which is lovely. And we looked and dug and tried to see if you could disable BCC and CC. You can't, so that's going to have to be a behavioral switch. But you can disable people's ability to email forward, delegate and those types of things as an admin. So that's real handy to turn off.
Exactly, because of course the issue with that is then that protected health info that is the practice's responsibility for safeguarding is being taken outside of the practice's security circle, where you have access and control and can make sure that it's being managed in HIPAA-consistent ways. The moment that emails get taken from the practice's email service into one of your team members' personal email services, it's outside your security circle, so that's a HIPAA no-go. I know the majority of our listeners are Google Workspace users, so we will include in the show notes the link to our free Google configuration help center, which has that step-by-step little video tutorial on disabling the email auto-forward within your Google Workspace organization. So, definitely good to take that step, because then it's not an issue that can arise, and we always love it when there is a nice technical solution that just prevents something from even potentially being an issue.
All right. The other piece that comes up most commonly in terms of email going awry and leading to breaches is when an email is misdirected, and typically this is something that comes up when clients have similar names, or maybe the same first name or same last name, or a similar email address. And this is not something, unfortunately, that can be addressed by technical measures. It's reliant on behavioral measures, and so what those consist of, which are really important and are, I should say as well, reflected in PCT's template policy and procedure materials for group practices and addressed in the workforce security manual as well, is that data entry when sending emails to clients needs to be double-checked prior to clicking send, and, this is the most important part of it, that you do not permit folks to be using the autofill suggestion for who the recipient of a message should be. This is really where the primary source of misdirected emails will come up: if someone has a similar name or similar email address and you just start typing the first part of it, the suggestion could very well be not the recipient who you actually want to be sending it to, but a different client or a different contact in your contacts list, and then suddenly you click send and realize, oh no, that's not the John Smith I meant to be sending it to, and now I have to ask the recipient to delete it and notify the correct John Smith, and what a hassle. And even though, if it's just one recipient, that's a small breach, so it doesn't have the kind of compressed timeframe for breach reporting or the media notice that goes along with a large breach, it's still impactful and still something that we really want to avoid occurring. So making sure that folks know that they need to not be using the autofill suggestions for recipients, and double-checking their data entry prior to clicking send, is very helpful. I will share, too, that
within Google Workspace and Gmail, the delay send option, where you have a thirty-second window to undo a send, can also sometimes save folks, and I do recommend having that in place. I want to be clear that the way that works isn't that it actually pulls it from the recipient's inbox. With undo send, basically, under the hood, what's happening is they haven't sent it. There's a delay where it's held in a queue once you click send, and if you click undo within that short little window, before it actually leaves the queue and is sent out across the internet to the recipient, that's how it gets recalled. Of course, we don't want to be relying on that for managing misdirected emails, but it's still useful to have in place, so I also recommend having that as an additional backup. And more likely than not, when you're going to be utilizing that will be when you're messaging team members and in your internal communications. I'll say the most frequent reason that I end up using it is because I said I've included an attachment and I didn't actually attach all the files, and then I will undo and add the missing attachment. But yes, are there
any other main email tips for preventing email going awry that you would like to share with folks, Evan, or that you think we're...
Yeah, I think just even addressing some of the email mysteries, or common misconceptions, on how, you know, a footer saying "this isn't HIPAA compliant" isn't HIPAA-sufficient for email, thinking you can get out of it easily. Anytime you use a tool, be it email or anything else, and feel like you found a clever trick or workaround, maybe that's a red flag that you haven't, and it just needs a little bit more thought and has a little bit more nuance. So when in doubt, if you think there's something clever going on, maybe do it the slow, old-fashioned way that might be a little laborious but will really save you in the long run. So, more than that, just abandon cleverness.
Ah, yes. In this application, that is very much the best way to proceed, and it pairs with a larger approach for what makes for a successful practice, and by successful practice I'm primarily meaning one that has its functionality and security needs met and is able to operate efficiently and cost-effectively as a result. And a big foundational piece of what makes that possible is having the right tools that meet your needs. So when we're talking about email, that's going to be an email service provider with whom you have a BAA, and then that you use it in the right way, and that's going to involve some settings configurations, but then also making sure that all of your workforce who are utilizing that email service are trained on how they need to be using it, right? Because one thing that we emphasize a lot is that compliance is a process, not a product. So there are two pieces in the equation for what makes email HIPAA compliant, and that's not just having a BAA with the email service provider; it's also that you're using it in the right way and not using it in a way that creates an unauthorized use or disclosure. You need both pieces in place. And of course with email, if we're using conventional email, there's another kind of formula for what makes it HIPAA consistent, which is, one, that you have that BAA with the email service provider, and then, two, that you obtain the request for non-secure communications from clients or prospective clients prior to utilizing that email. And that's not something that waives the BAA requirement with your email service provider, as we've said many times before. And that's something that we see more frequently come up as a misconception that gets applied in smaller practices, less commonly in the group practice context, but it's also something to be mindful of as a group practice leader, because your clinicians may have come from a background or practice setting where that isn't something that they are aware of. So having your team trained and aware of the request for non-secure communications, and what the practice's HIPAA-appropriate platforms are for using, and what the corresponding processes and usage need to be, is really the recipe that is the key to success in this area, and that really translates to all the other aspects of practice optimization and fortification and HIPAA compliance in general, right? There's the right tool that you use, there are the ways that you configure that tool, but then a lot of policy, procedure, training and behavioral components, and we want all those pieces to come together. So hopefully this has been helpful for you in identifying where there's potentially some room for improvement in managing your practice's email usage,
and just making sure that one of these instances of email going awry doesn't occur within your practice in 2024. So, happy and secure emailing, everybody.
Yeah, exactly. All right, bye, everybody.
And we will see you good folks next time.
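The episode's BCC/CC rule, expressed as a pre-send gate. This is an added example and is not PCT's code or anything from the episode; it assumes a practice mail domain of example-practice.com (a constructed placeholder) and treats every address outside that domain as a client or other outside party. It also assumes the check runs on the draft before it leaves, which is when the Bcc header is still visible to the sender's own system.

```python
"""Pre-send policy check for practice email (added example, not PCT's code).

Rules from the episode:
  * never BCC client (outside) recipients;
  * never put more than one outside recipient in To/Cc, where every
    recipient can see every other address.
Staff-to-staff mail, and mail to a single outside recipient, passes.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumption for this example: the practice's own mail domain (placeholder).
PRACTICE_DOMAIN = "example-practice.com"


def _addresses(msg, header):
    """Lower-cased addresses from every instance of `header`.

    Bcc is still present in a draft; mail servers strip it on send, so this
    check only makes sense before the message leaves.
    """
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _outside(addresses):
    """Recipients that are not on the practice's own domain."""
    return [a for a in addresses if not a.endswith("@" + PRACTICE_DOMAIN)]


def check_outbound(raw):
    """Return the list of policy violations for one RFC 5322 draft."""
    msg = message_from_string(raw)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    bcc = _addresses(msg, "Bcc")
    if not _outside(visible + bcc):
        return []  # internal-only mail: nothing to check
    violations = []
    if bcc:
        violations.append("Bcc used with an outside recipient (policy: never)")
    outside_visible = _outside(visible)
    if len(outside_visible) > 1:
        violations.append(
            f"{len(outside_visible)} outside recipients can see each other in To/Cc"
        )
    return violations


# Constructed sample drafts, not real messages.
MASS_NOTICE_CC = (
    "From: office@example-practice.com\n"
    "To: a.client@gmail.com, b.client@yahoo.com\n"
    "Cc: front-desk@example-practice.com\n"
    "Subject: Weather closure, sessions moved to telehealth\n\n"
    "We are closed today; please use the telehealth link.\n"
)
MASS_NOTICE_BCC = (
    "From: office@example-practice.com\n"
    "To: office@example-practice.com\n"
    "Bcc: a.client@gmail.com, b.client@yahoo.com\n"
    "Subject: Insurance update reminder\n\n"
    "Please send us any changes to your insurance.\n"
)

if __name__ == "__main__":
    for name, draft in (("cc", MASS_NOTICE_CC), ("bcc", MASS_NOTICE_BCC)):
        print(name, check_outbound(draft) or "ok")
```

Both sample drafts are blocked: the CC version because two client addresses would see each other, the BCC version because BCC with outside recipients is never allowed, which mirrors the episode's point that the only safe path for mass client notices is a separate newsletter service under a BAA rather than any recipient-field trick.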
PCT’s Director, Liath, and Senior Consultant, Evan.
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we talk about ways to prevent HIPAA email breaches in a group practice setting.
We discuss common email-related breaches we see for group practices; email and PHI; large vs. small breaches; the implications of having a HIPAA breach; policies and procedures to mitigate email errors; how to send mass client notifications securely; settings to have in place in your email service; and what makes an email service HIPAA compliant.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
- PCT's Google Workspace Configuration Learning Center (see part 9, 'the sharing and the forwarding', for a tutorial on managing forwarding settings)
- Free CE course: Introduction to HIPAA Security for Group Practice Leaders (1 legal-ethical CE course)
- OCR Breach Report Questions — know the contents of what is asked/what you need to provide *before* starting the breach report in the OCR’s online portal for breach reporting
- CE course: HIPAA Security Incidents & Breaches: Investigation, Documentation, And Reporting (1.5 legal-ethical CE credit hours)
- Group Practice Care Premium for weekly (live & recorded) direct support & consultation, Group Practice Office Hours, with the PCT team + Eric Ström, JD PhD LMHC (monthly)
- PCT's Group Practice PCT Way HIPAA Compliance Manual & Materials: comprehensive, customizable HIPAA Security Policies & Procedures and materials templates specifically for mental health group practices, with a detailed step-by-step project plan and guided instructions for adopting and implementing efficiently. Includes the policy prohibition on use of BCC and CC; workforce forwarding emails from their practice email account to a personal email account; and data entry checking / not using autofill suggestions for recipients, the P&P components that address the email-gone-awry situations discussed in the podcast episode.
- Policies & Procedures include:
- Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
- Computing Devices and Electronic Media Technical Security Policy
- Bring Your Own Device (BYOD) Policy
- Communications Security Policy
- Information Systems Secure Use Policy
- Risk Management Policy
- Contingency Planning Policy
- Device and Document Transport and Storage Policy
- Device and Document Disposal Policy
- Security Training and Awareness Policy
- Passwords and Other Digital Authentication Policy
- Software and Hardware Selection Policy
- Security Incident Response and Breach Notification Policy
- Security Onboarding and Exit Policy
- Sanction Policy
- Release of Information Security Policy
- Remote Access Policy
- Data Backup Policy
- Facility/Office Access and Physical Security Policy
- Facility Network Security Policy
- Computing Device Acceptable Use Policy
- Business Associate Policy
- Access Log Review Policy
- Forms & Logs include:
- Workforce Security Policies Agreement
- Security Incident Report
- PHI Access Determination
- Password Policy Compliance
- BYOD Registration & Termination
- Data Backup & Confirmation
- Access Log Review
- Key & Access Code Issue and Loss
- Third-Party Service Vendors
- Building Security Plan
- Security Schedule
- Equipment Security Check
- Computing System Access Granting & Revocation
- Training Completion
- Mini Risk Analysis
- Security Incident Response
- Security Reminder
- Practice Equipment Catalog
- + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
- + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer).
Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.