October 1, 2020

QUESTION:        We unintentionally sent an unencrypted email containing Protected Health Information (“PHI”) to the wrong person, who is a business associate.  Is sending an unencrypted email a HIPAA breach?

ANSWER:          No.  The HIPAA Rules that come into play here are the Privacy Rule and the Security Rule.  HIPAA defines “breach” to mean the acquisition, access, use or disclosure of PHI “in a manner not permitted under [the Privacy Rule]….”  So, a “breach” can occur only if the Privacy Rule is violated – Security Rules violations are not “breaches” – and merely sending an unencrypted email containing PHI, without more, does not violate the Privacy Rule (however, sending an unencrypted email could possibly violate the Security Rule, since it has standards that discuss encryption).

Alright, since a “breach” did not occur by sending an unencrypted email, did a HIPAA “breach” occur when the email was sent to the business associate?  The answer is “no” since the HIPAA definition of “breach” has an exception that states as follows:

“Breach excludes…any unintentional acquisition, access, or use of PHI by a workforce member…of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under [the HIPAA Privacy Rule.]”

In this case, the business associate “acquired” the PHI by opening the e-mail, which was unintentional.  In other words, the business associate did not mean to acquire the PHI (as opposed to actively trying to gain access to information), and was acting within the scope of his/her employment, in good faith, and did not further disclose the PHI.  Thus, there was no HIPAA breach.