I have two situations I'm hoping someone can help with, or point me in the right direction.
We have a health care company that has been sending unencrypted PHI (name/dob/diagnosis/treatment) via email for a while now. We are also a healthcare company, and the emails are going to the intended recipients. However the email is unencrypted, would this be considered a breach?
Luckily our employees don't respond to the emails, we just store them securely. I've notified the other company but they said as long as it reaches it's intended recipient, there is no breach.
Thoughts?
Also I have a doctor that has been sending PHI via email to a personal email (gmail) working on the PHI on a non work device, and then emailing it back to themselves via gmail to work email.
I have notified our security officer, however they don't seem to think we need to consider it a breach. I definitely think that type of behavior would be a breach.
Thoughts?
Thank you everyone in advance.