From HcPro’s newsletter Briefings on HIPAA:
This is a potential violation of the HIPAA security rule. A violation has not occurred if an e-mail does not include any PHI. However, e-mails that contain PHI should be encrypted.
Encryption is an addressable implementation specification under the security rule. “Addressable” means the provider must implement the specification as stated in the rule, implement protections equivalent to the rule, or must clearly document why the implementation specification does not apply.
Cost may not be the primary reason for failure to implement the specification. It is important to remember that the security rule was finalized back in 2003 and then became effective in 2005.
Encryption technology has become much more mature and interoperable since 2003. And it is no longer cost-prohibitive-even for the smallest providers.
Physicians who elect to send PHI via unencrypted e-mail in 2008 are hard-pressed to justify this decision.