The MED in Memphis, which is the regional medical center in Memphis, TN, is notifying 1,200 patients of a PHI breach.
This breach has been classified as an “innocent employee mistake”, in which 3 unsecured emails were sent with attachments that contained PHI.
This goes right to my email soapbox speech.
I will give the shortened version of it now:
Nobody in your office should ever say they are going to email anything that contains PHI. The terms email and PHI should never be used together.
Instead, the term used should be “secure message”.
Meaningful Use Stage 2 will be pushing everyone to set up a secure messaging system, and it should be used… BUT ensure that nobody says “email” when sending PHI.
This Memphis breach is the perfect example of people getting too lax with terminology.
When a procedure is being performed on a patient, very specific terminology is used. This should also be the case when dealing with PHI.
I’m pretty sure nobody wants to pay a minimum fine of $100 (per violation) for something as simple to prevent as sending PHI via email.