Protecting Health Care Privacy
The U.S. Health Insurance Portability and Accountability Act
(HIPAA) addresses (among other things) the privacy of health
information. Its Title 2 regulates the use and disclosure of
protected health information (PHI), for purposes such as billing,
by healthcare providers, insurance carriers, employers, and
business associates.
Email is often the best way for a hospital to communicate with
off-site specialists and insurance carriers about a patient.
Unfortunately, standard email is insecure. It allows eavesdropping,
later retrieval of messages from unprotected backups, message
modification before it is received, invasion of the sender’s
privacy by providing access to information about the identity and
location of the sending computer, and more. Since healthcare
provider email often carries PHI, healthcare facilities must be
sure their email systems meet HIPAA privacy and security
requirements.
Children’s National Medical Center (CNMC) of Washington, D.C.,
“The Nation’s Children’s Hospital,” is especially aware of privacy
concerns because all such concerns are heightened with children.
CNMC did what many organizations do when faced with a specialized
problem: rather than try to become specialists or hire specialists
for whom the hospital has no long-term full-time need, it turned to
a specialist firm.
CNMC chose Proofpoint of Sunnyvale, California, for its Security
as a Service (SaaS) email privacy protection service. Matt
Johnston, senior security analyst at CNMC, says that children are
“the highest target for identity theft. A small kid’s record is
worth its weight in gold on the black market. It’s not the doctor’s
job to protect that information. It’s my job.”
Johnston explains that he likes several things about the
Proofpoint service:
● “I don’t have to worry about backups.” Proofpoint handles
those.
● “I don’t have to worry about if a server goes down. [If it was
a CNMC server, I would have to] get my staff ramped up and bring up
another server. Proofpoint does that for us. It’s one less
headache.”
● “We had a product in-house before. It required several servers
which took a full FTE [full-time employee] just to manage this
product. It took out too much time.”
● “Spam has been on the rise. Since Proofpoint came in, we’ve
seen a dramatic decrease in spam. It takes care of itself. The end
user is given a digest daily.”
● Email can be encrypted or not, according to rules that the end
user need not be personally concerned with.
● “Their tech support has been great.”
Proofpoint is not the only company that provides healthcare
providers with email security services. LuxSci of Cambridge,
Massachusetts, also offers HIPAA-compliant email hosting services,
as do several other firms. They all provide the same basic
features: user authentication, transmission security (encryption),
logging, and audit. Software that runs on the provider’s computers
can also deliver media control and backup. Software that runs on a
user organization’s server necessarily relies on that organization
to manage storage; for example, deleting messages from the server
after four weeks as HIPAA requires.
As people become more aware of the privacy risks associated with
standard email, the use of secure solutions such as these will
undoubtedly become more common in the future.
Discussion Questions
1. What privacy concerns does transmitting healthcare
information via email raise?
2. What requirement does HIPAA institute to safeguard patient
privacy?
Critical Thinking Questions
1. Universities use email to communicate private information.
For example, an instructor might send you an email explaining what
you must do to raise your grade. The regulations about protecting
that information under the Family Educational Rights and Privacy
Act (FERPA) are not as strict as those under HIPAA. Do you think
they should be as strict as HIPAA’s requirements? Why or why
not?
2. How does Proofpoint safeguard patient privacy? Could
Proofpoint do the same for university and corporate emails? Why or
why not?