Emailing Plain-Text Medical Billing Info Across The Internet

If I saw someone emailing files that contained the following data across the Internet in plain text as an attachment, should I mention to them any possible legal challenges they’re likely to run into?

Name
Full Address
Date of Birth
SSN
Intake Date
Discharge Date
Balance Due

I’m thinking HIPAA violations, but I haven’t read HIPAA’s full text.

For the record, this is NOT ME. I just saw someone doing this, and I wanted to say something, but not before I knew the law cared about this.

Perhaps print a copy of this and drop it on their desk.

According to a seminar I attended last week, the HIPAA guidelines for electronic data don’t go into effect until April, and we haven’t even received them yet at my institution. The current HIPAA guidelines cover electronic material to some extent, but I’d wager it doesn’t cover anything like “don’t send unencrypted, plain text data via E-mail.”

Duckster,

I surfed some links on that page and hit one that said:
"Q: May a physician discuss information about a patient’s treatment with other physicians using e-mail?

A: Yes. Physicians may use any method of communication — including e-mail, oral conversations, written letters, or other methods (including sending facsimiles) — so long as the physician uses “reasonable and appropriate safeguards” to protect the communication." ---- http://www.ama-assn.org/ama/pub/category/11567.html#g4

Wow. What is uncertain is whether or not the individual we’re discussing is breaking the law. What is certain is that this individual needs to consult a lawyer or regulator competent to advise him in this area of the law.

I’ll advise this individual to seek counsel if he did not already research this law in detail.

Wow. So this practice is de facto legal until April. Of course, there’s civil liability if there are losses incurred and the court finds the practice negligent… but that’s another ball of wax.
I had expected someone doing something like this to provide for HTTPS upload and download, or public-private key encryption of the records in transit.

I’m not sure there is any confidential data mentioned in the OP, aside from the SSN. Are the intake and discharge dates considered confidential? I suppose they might, since the patient may not want others to know he’s been in the hospital.

There is no record of actual medical details, no. There’s some insurance data, too, but the fact that I’m covered under Anthem/BCBS is hardly sensitive.
My concern was the presence of Address, Name, SSN and DOB all in one file. Kinda’ creeps me out.

I think the wording in the AMA’s statement on this hinges upon what’s considered “reasonable.” I suspect that currently, your average physician doesn’t know of the vulnerability of plain-text E-mails. Since I won’t be getting any information on the electronic data policy until right around the time it’s supposed to take effect, I don’t know what the specifics on this issue are or will be.

Actually, after more poking around on their website, I found a quote at http://www.ama-assn.org/ama/pub/category/11830.html

(ePHI = electronic Protected Health Information)

Hell if I know what that actually means, though.

Hmm, the government’s Center for Medicare and Medicaid Services came up with this response:

A similar question about whether encryption will be required says no, that it is something that can be implemented should it seem feasible and necessary. I think. And people wonder how HIPAA violations can occur, when we have to wade through explanations like that… :smack: (Not that some aren’t blatant, mind you.)

You’d be surprised what’s considered to be Protected Health Information. This includes name, address, any dates (even date of service) with the exception of a year alone, city, state, zip code, county, any phone/fax numbers, E-mail address, SSN, any license numbers, any serial numbers (like the serial number on your pacemaker, for instance), any medical record or insurance numbers, photo of your full face, fingerprints or other biometric data, and - get this - any kind of code that could in any conceivable way be linked to you. Any single one of those pieces of info is Protected Health Information under HIPAA.

So if one person on the other side of the planet has a list of codes and the names associated with them, and will not under pain of torture disclose those identities to anyone except for one particular doctor, that code number is considered to be your “Protected Health Information.” This really messes with us researcher types, as sending data for a nationwide study to a central database is considered to have all sorts of PHI even if it’s just linked to some plain code numbers instead of names.

Ok. Looks like this individual IS violating the law, unless the regulators in question are in his pocket.