Just when health insurers thought they made it through the April 14 HIPAA-compliance deadline in one piece, a study conducted by Dallas-based Zix Corp.'s ZixResearch Center reveals that 35 percent of the nation's top 60 health insurers (ranked by number of members and covered lines) continued to transmit information via plain-text e-mail after imposition of the HIPAA requirement that such information be transmitted in an encrypted manner.
The alarming fact, according to Zix Corp. (which is a provider of secure e-messaging services), is that the high volume of protected health information (PHI) that was sent via unencrypted e-mail probably is not a result of insurers ignoring the deadline for compliance.
Some organizations found to be sending unencrypted e-mail traffic actually had implemented a variety of technology solutions, and also relied on directives to employees or internal policy-only solutions, or some combination of these measures, according to Daniel S. Nutkis, vice president of strategy, Zix Corp., who contends that these findings show that health insurance companies may be under the impression that they are in compliance with HIPAA regulations even when they are not.
However, the study also reports that many payors are up to speed on the HIPAA e-mail transmission requirements. A separate Zix Corp. study indicates that, post-April 14, there has been a reduction in the percentages of e-mail containing PHI sent without encryption.
But what if your organization is not within the compliant majority? Evidence of non-compliance is created each time a health organization sends an e-mail containing PHI to another party without the appropriate safeguards, warns Nutkis. These records may reside indefinitely on a recipient's e-mail servers or in its archives, and may be used as evidence of noncompliance. Health carriers and other health organizations that do not follow HIPAA regulations could be subject to criminal and civil fines, as well as general civil liability from lawsuits.
Slow To Adopt
The Zix Corp. study also analyzed 100 US healthcare chains and health systems. Of the 100, 53 had transmitted PHI via plain-text e-mail. One reason health carriers are somewhat ahead of these healthcare organizations when it comes to compliance, speculates Nutkis, could be "that health systems and health chains have been slower than health insurers to adopt the appropriate safeguards for verifying compliance with their corporate policies."
In order to ensure successful implementation of safeguards, Nutkis, who contends that "little post-implementation validation is taking place," suggests that health organizations perform assessments either quarterly or annually.
The study analyzed a sample of more than 4.4 million e-mail messages sent and received by more than 7,500 healthcare organizations (representing the inbound and outbound traffic for approximately seven days for each of the audited organizations) to determine what percentage of such messages contained PHI. The results are based on aggregated statistics derived from information captured during routine customer-commissioned audits by ZixAuditor, Zix Corp.'s e-mail assessment service.