January 28, 2019 begins National Clean Out Your Inbox Week, a challenge to all email users from Marsha Egan, author of Inbox Detox and the Habit of E-mail Excellence. Egan first posed the challenge in 2007.
Email is a powerful tool for any business, including healthcare: it serves for documentation, for coordinating tasks and to-do lists, and for quickly disseminating information, and it stands as evidence in legal proceedings. Yet email can quickly overwhelm a business, even though 86% of professionals prefer it as their means of communication. With 2018 statistics not yet available, the 2017 figures showed 269 billion emails sent and received each day.
The staggering volume alone presents its own challenges in spam filtering, storage, and the productivity of staff working through legitimate mail. Healthcare adds the obvious requirement of securing email in transit and at rest through encryption and other technical safeguards. But one more challenge lurks within the mailboxes of covered entities, business associates and subcontractors: old Protected Health Information (PHI).
HIPAA's Privacy Rule includes the Minimum Necessary standard, which limits the use, access and disclosure of PHI to what a particular job function actually requires. A related obligation, and the point of this exercise, is to remove access to PHI once it is no longer needed; a copy sitting in a mailbox is access that nobody has revoked.
Cleaning your email of unnecessary Electronic PHI (ePHI) on a regular basis is important to maintain compliance with HIPAA. Bear in mind this is not just your Inbox, but any subfolders as well as Sent Items and the Trash or Deleted Items folders. Unfortunately, there is no easy way to search for or identify all ePHI within email: it can reside in attachments as well as in the message body, and much of it has no fixed pattern that a search can key on. Manually inspecting email for ePHI that is no longer needed is often the only true way to find the items that automated searches miss.
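To show both what an automated search can and cannot do, here is an added example (not code from the original post) that scans an mbox mailbox for a few structured identifiers in message bodies and text attachments, and reports binary attachments it could not read. The identifier patterns (a US SSN, a hypothetical "MRN 1234567" format, a labelled date of birth) and the three sample messages are constructed assumptions, not real data. The second sample message contains PHI in plain prose, and the scanner does not flag it, which is exactly why the manual review above is still needed.

```python
"""Scan an mbox mailbox for candidate ePHI in bodies and text attachments.

Added example, not code from the original post. The patterns below are
illustrative assumptions, not a complete definition of PHI.
"""
import email.message
import mailbox
import os
import re
import tempfile

# Assumed identifier formats; real PHI often has no fixed shape at all.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

# MIME types whose payload this scanner can read directly.
TEXT_TYPES = {"text/plain", "text/html", "text/csv"}


def iter_parts(msg):
    """Yield (label, text) for each leaf MIME part.

    text is None for parts (PDF, DOCX, images) that would need a dedicated
    extractor; they are reported so a reviewer knows they were not inspected.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        label = part.get_filename() or "body"
        if part.get_content_type() not in TEXT_TYPES:
            yield label, None
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        yield label, payload.decode(charset, errors="replace")


def scan_message(msg):
    """Return a list of (part_label, finding) tuples for one message."""
    hits = []
    for label, text in iter_parts(msg):
        if text is None:
            hits.append((label, "not-scanned"))
            continue
        for name, rx in PATTERNS.items():
            if rx.search(text):
                hits.append((label, name))
    return hits


def scan_mbox(path):
    """Scan every message in an mbox file; return {Message-ID: hits} for messages with hits."""
    results = {}
    box = mailbox.mbox(path)
    try:
        for msg in box:
            hits = scan_message(msg)
            if hits:
                results[msg.get("Message-ID", "<no-id>")] = hits
    finally:
        box.close()
    return results


def build_sample_mbox(path):
    """Write three constructed messages (sample data, no real patients) to path."""
    box = mailbox.mbox(path)
    try:
        # 1: structured identifiers in the body and a CSV, plus a PDF we cannot read
        m = email.message.EmailMessage()
        m["Message-ID"] = "<phi@example.test>"
        m["Subject"] = "Re: discharge paperwork"
        m.set_content("Patient SSN 123-45-6789 is cleared for discharge.")
        m.add_attachment("name,mrn\nDoe,MRN 1234567\n", subtype="csv", filename="patients.csv")
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                         filename="visit-note.pdf")
        box.add(m)
        # 2: PHI with no fixed pattern; regex scanning will not flag it
        m = email.message.EmailMessage()
        m["Message-ID"] = "<unstructured@example.test>"
        m["Subject"] = "FYI"
        m.set_content("Mrs. Doe in room 4 tested positive, please update the chart.")
        box.add(m)
        # 3: no PHI at all
        m = email.message.EmailMessage()
        m["Message-ID"] = "<clean@example.test>"
        m["Subject"] = "Lunch"
        m.set_content("Cafeteria is closed Friday.")
        box.add(m)
        box.flush()
    finally:
        box.close()


def demo():
    """Build the sample mailbox in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.mbox")
        build_sample_mbox(path)
        return scan_mbox(path)


if __name__ == "__main__":
    for message_id, findings in demo().items():
        print(message_id, findings)
```

Running it reports the first message three times (an SSN in the body, an MRN in patients.csv, and visit-note.pdf as not scanned) and nothing for the other two. The unstructured message is the one that matters: it is a disclosure, and no pattern list will find it, so a clean scan result is a starting point for review, not a sign-off.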
Another key aspect of inspecting email is to remove detailed instructions for connecting to remote systems, along with any user accounts and passwords. These items should be stored per your work environment's policies and procedures, ideally in a secure password manager or similar software. Leaving them in email risks unwanted exposure: it is all too easy to forward a message to the wrong recipient or to forward the wrong message altogether, and a compromised mailbox hands an attacker every credential that was ever mailed to it.
Be sure to know and follow any policies or laws regarding data retention too, as certain regulations require keeping certain information. HIPAA, for instance, requires covered entities to provide an individual, on request, with an accounting of disclosures of their PHI, so the records needed to produce that accounting cannot simply be purged.
When destroying data, it is also important to follow your policies and procedures on proper methods, so that the data cannot be recovered. With digital data, destruction is more involved than emptying a Recycle Bin: simply deleting data does not ensure secure deletion, and there is a substantial difference between the two.
Ordinary deletion just marks the space the data occupied as free, to be reused when needed; the bytes remain on the drive until something overwrites them, and recovering them can be trivially easy. Secure deletion intentionally overwrites that space, often more than once, with zeros, ones or random data so that nothing recoverable remains. Two caveats apply to email. First, overwrite-based methods are unreliable on SSDs and other flash storage, where the controller remaps writes behind the scenes; there, full-disk encryption with destruction of the key, or the drive's built-in secure-erase command, is the sound approach. Second, a message you delete in your mail client is usually still held on the mail server, in its backups, or under a retention hold, so understand what your mail platform actually does with deleted items before relying on deletion.
The final note regarding cleaning email is to consider where you might have access to email.
- Is there still Outlook on an old computer with corporate email, which should have been removed when you got a new computer?
- Do you have a mobile app on an old phone or tablet that you no longer use, or have given to another member of your household?
- Is your email account still on a device with a broken screen that might be recycled?
All of the above scenarios are potential HIPAA violations and must be addressed to keep you and your employer in compliance with state and federal law.
Keep yourself, your employer, and ultimately the patients in your care, past and present, in the clear by taking the opportunity this week to look critically at your email, your policies and the applicable HIPAA requirements. Reach out to the security team at your place of employment if you have any questions about cleaning up your inbox or need clarification on your policies, procedures or the best approach for completing this task.