Q&A: Unencrypted emails sent to correct recipient

February 21, 2019
Medicare Web

Q: Is it a reportable breach if an entity had the ability to send encrypted email, but an unencrypted email was sent to the correct recipient because of a computer fluke or user error?

A: No, it’s not a reportable breach. While it’s important to encrypt any PHI sent over the internet, if an email is sent to the right person and you have no evidence it was intercepted, it’s not necessarily a breach or compromise of the PHI. It may be a reportable breach if the email was sent to the wrong person. That would be determined after conducting the four-factor risk assessment found in the HIPAA Breach Notification Rule.

 

Editor’s note: Question answered by Chris Apgar, president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.
