This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years' experience in health IT, privacy and security, and compliance.
Yahoo’s recent trip to the courthouse regarding its email content scanning gives us a healthy reminder to think about what we send, how it is used, and how that impacts entities subject to HIPAA and their (or their recipients’) ability to use free hosted email services. Spoiler – don’t, at least not for any patient-related communication. Those terms and conditions do matter.
“Yahoo requires its subscribers to consent to the interception, scanning, analysis, and storage of email in exchange for Yahoo Mail Services” and requires users to notify non-Yahoo users with whom they communicate of that “feature”. In re Yahoo Mail Litig., 2015 U.S. Dist LEXIS 68585 at 9 (N.D. Ca., May 26, 2015).
Yahoo’s privacy policy states:
“Yahoo! provides personally relevant product features, content, and advertising, and spam and malware detection by scanning and analyzing Mail, Messenger, and other communications content. Some of these features and advertising will be based on our understanding of the content and meaning of your communications.” In re Yahoo Mail Litig., at 11.
While it is unclear if this sentence was removed in the court’s opinion or wasn’t present in Yahoo’s policy at the time, the current policy continues, “For instance, we scan and analyze email messages to identify key elements of meaning and then categorize this information for immediate and future use.”
Other major email providers have “privacy” policies which permit substantial use of the contents of email sent through their systems. For example, Google provides as of December 19, 2014:
“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”
Google made that addition in their December 19, 2014 revisions to their Privacy Policy, although such practices appear to date back much further. See In re Google Inc. Gmail Litig., 2014 U.S. Dist LEXIS 36957 (N.D. Ca., March 18, 2014). Compare those statements with the far more privacy-friendly policy of a paid-only service. Even Google makes an explicit distinction between free and paid email services:
“What kind of data scanning or indexing of end-user data is done?
Google for Work does not scan your data or email in Google Apps Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google’s Privacy and Terms page for more consumer tools and information relating to consumer privacy.”
In practice, this seems to go beyond merely displaying advertisements, and further than many would expect (Google Tracks Hotel Reservations).
So why does this matter? Putting aside the consequences of breaches an email provider may suffer (e.g. Midwest Orthopaedics), the email provider is receiving, maintaining, and possibly transmitting on behalf of the sender. If that sender is a covered entity or business associate, and the email contains PHI, the sender and the provider would need to have a business associate agreement in place. 45 C.F.R. §§ 164.308(b), 164.314, and 164.504(e).
Even if there were a BAA in place (good luck getting one for free services; Yahoo appears not to offer one under any circumstances, although Google will for paid services), knowing that the email provider is going to use the contents of messages for marketing purposes, possibly in violation of HIPAA at 45 C.F.R. § 164.508(a)(3) (remuneration for marketing) or § 164.504(e)(2)(i) (a BAA can’t permit a BA to use PHI in violation of the Privacy Rule), may be problematic in light of the termination language in § 164.504(e)(1)(ii) or (iii). That is, if a pattern or practice is known in advance, it is probably not reasonable to enter into such an arrangement in the first place, and in any event, continued use of such a service would be problematic.
A more interesting question arises when the sender maintains their own email system, but may from time to time send email to external addresses hosted by a provider which performs content analysis of emails for advertising. Assuming some of those emails will have PHI, is it acceptable to send to those addresses? An address might belong to another health care provider, or perhaps a patient.
This is problematic for so many reasons.
- Is the destination email provider a BA of the sender, as it is receiving, maintaining, and transmitting PHI on the sender’s behalf?
- If the recipient is another BA or covered entity, is the destination email provider a BA of the intended recipient, since it is doing the same for them?
- Are all the necessary BAAs in place?
- Even if emailing a patient, are you disclosing PHI to them, or are you disclosing it to a third party for subsequent transmission to the patient?
In any event, an email provider scanning email for advertising (or other) purposes isn’t treatment, payment, or operations, and isn’t otherwise listed as a HIPAA permitted use or disclosure. 45 C.F.R. § 164.512 (authorization or opportunity to agree or object not required). Does an authorization (and NPP) cover such use? Even if it did, is an email provider going to honor revocation of that authorization?
Is the data encrypted and hashed on the way to the destination email server (possibly, but not necessarily guaranteed)? Is the data encrypted and hashed in storage once it gets there? It almost certainly isn’t encrypted such that the email provider can’t scan it.
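The last point above is the one a security engineer can actually do something about: hop-by-hop TLS (STARTTLS between mail servers) only protects the message on the wire, and the receiving provider decrypts it, stores it, and scans it. What keeps the body away from the provider is end-to-end encryption to the recipient's own key, which is what S/MIME and PGP do in practice. The following Go program is an added illustration written for this post, not the author's code and not any provider's implementation. It assumes the recipient holds an RSA key pair and has a client able to open such a message; the addresses and message text are constructed placeholders. It shows the three things the questions above turn on: the provider still sees every header (From, To, Subject) even when the body is sealed, the body itself is opaque to anyone without the recipient's private key, and a relay that rewrites the headers produces a message the recipient's client refuses to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose; sender and recipient must agree on it.
var oaepLabel = []byte("mail-body-key-v1")

// Envelope models what the receiving provider stores once its TLS hop terminates:
// the routing headers stay plaintext (it needs them to deliver, and will scan them);
// only the body is opaque to it.
type Envelope struct {
	From, To, Subject string // metadata the provider sees regardless of body encryption
	WrappedKey        []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient's public key
	Nonce             []byte // AES-GCM nonce
	Ciphertext        []byte // AES-256-GCM ciphertext+tag over the body, headers as associated data
}

// NewRecipientKey stands in for the recipient's existing key pair (assumption of this example).
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// headerAAD ties the body to its headers, so a relay that rewrites From/To/Subject
// yields a message the recipient's client cannot authenticate.
func headerAAD(e *Envelope) []byte {
	return []byte(e.From + "\x00" + e.To + "\x00" + e.Subject)
}

// SealBody encrypts body end-to-end for the holder of pub (hybrid RSA-OAEP + AES-GCM).
func SealBody(pub *rsa.PublicKey, from, to, subject, body string) (*Envelope, error) {
	e := &Envelope{From: from, To: to, Subject: subject}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	e.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, []byte(body), headerAAD(e))
	e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	return e, err
}

// OpenBody is the recipient side: only the holder of priv recovers the body, and
// any change to the stored headers or ciphertext fails GCM authentication.
func OpenBody(priv *rsa.PrivateKey, e *Envelope) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, oaepLabel)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, headerAAD(e))
	return string(pt), err
}

// ProviderSees renders the message as it sits in the provider's store; this is all
// a content scanner has to work with when the body is sealed.
func ProviderSees(e *Envelope) string {
	return fmt.Sprintf("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s",
		e.From, e.To, e.Subject, base64.StdEncoding.EncodeToString(e.Ciphertext))
}

func main() {
	// Constructed sample: a clinic's own mail system writing to a patient whose mailbox
	// lives at a content-scanning provider. Addresses and content are placeholders.
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	env, err := SealBody(&priv.PublicKey, "clinic@example.org", "patient@example.net",
		"Your visit", "PLACEHOLDER PHI: follow-up scheduled, results attached")
	if err != nil {
		panic(err)
	}
	fmt.Println("--- what the provider stores and scans ---")
	fmt.Println(ProviderSees(env))
	body, err := OpenBody(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("recipient reads:", body)
}
```

Two caveats follow directly from the output. The Subject line and the addresses are still readable, so anything identifying in a header is still disclosed to the provider; and the scheme only helps if the recipient actually has a key and a client that can use it, which is the practical obstacle when the other end is a patient on a free consumer mailbox.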
Does the email provider’s scanning of that email constitute a Breach? What about the email provider’s use of that information for subsequent aggregation and identity tracking, or otherwise sharing it with a third party?
What about the Security Rule’s general requirement to “[p]rotect against any reasonably anticipated uses or disclosures…that are not permitted or required under [the Privacy Rule]”?
This isn’t just a healthcare issue. What are the consequences for privilege, whether attorney-client, doctor-patient, etc., when those communications have no reasonable expectation of privacy? Does the analysis in Stengart v. Loving Care Agency, Inc., 201 NJ 300 (2010) change if there is no reasonable expectation of privacy? A number of email providers have adopted language similar to that suggested in United States v. Warshak, 631 F.3d 266, at 287 (6th Cir., 2010) [note-an interesting read for a discussion of the Stored Communication Act, marginalization of the 4th Amendment, and what actually happened to all those Enzyte commercials]. Does it change if those email providers actively engage in activities beyond using email content for directed advertising, such as actively parsing email for illegal content? Would the privilege consequences be different in civil vs. criminal proceedings?
Perhaps we would be best served to heed Eliot Spitzer’s advice, “Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail.” At least not where free services are involved.