Educause Security Discussion mailing list archives

Re: Waiver of responsibility for emailed PHI


From: Chris Green <cmgreen () UAB EDU>
Date: Thu, 18 Feb 2010 09:56:58 -0600

That's an "ask your legal counsel" question. With that said, my understanding is:

In our HIPAA training, if it's misrouted to someone covered by our HIPAA policies, training, etc. (I mailed Dr. Green in 
PEDS rather than RADIOLOGY), it's incidental and not a breach and the recipient just needs to delete it. If it's sent 
to someone not covered (like the mystery DrGreen () yahoo com), then it is a breach.

I think your case really comes down to what did that waiver waive and could they waive that right and where in that 
chain did the mistake happen. Is it the recipient's lack of security for their mailbox or something else? Again, back 
to ask your legal counsel.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mayne, 
Jim
Sent: Thursday, February 18, 2010 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Waiver of responsibility for emailed PHI

A question for some of you that have experience with HIPAA and the HITECH rules. If a person, or in the case of a 
child, a legal guardian signs a waiver allowing PHI to be communicated with them through email and later that email is 
misrouted, intercepted or otherwise read by someone else, is that considered a breach? Is the school responsible for 
reporting that as a breach?

Thanks,
Jim

Jim Mayne
Information Security Services

