Q&A: Assessing the risk of unencrypted email
Q. We recently became aware that several emails containing PHI were sent to an email address that was terminated. The emails were bouncing back to us and then were caught in our spam filter. The email address belonged to a physician office that changed its name and subsequently updated the domain name from which emails are sent. Most of the emails sent to this address were encrypted, but one was not. Do we need to report this even though the email was never opened?
A. You need to conduct the four-factor risk assessment required by the HIPAA Breach Notification Rule following a complete and documented investigation. In this case, it may be assumed that because the email was essentially returned unopened, there was a low risk of compromise, therefore requiring no notification. As with all security incidents, especially when there may have been a breach of unsecure PHI, the incidents need to be investigated and the investigation itself documented.
Editor's note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.