Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning

This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years' experience in health IT, privacy and security, and compliance.

Yahoo’s recent trip to the courthouse regarding its email content scanning gives us a healthy reminder to think about what we send, how it is used, and how that impacts entities subject to HIPAA and their (or their recipients’) ability to use free hosted email services.  Spoiler - don’t, at least not for any patient-related communication.  Those terms and conditions do matter.

“Yahoo requires its subscribers to consent to the interception, scanning, analysis, and storage of email in exchange for Yahoo Mail Services” and requires users to notify non-Yahoo users with whom they communicate of such “feature”.  In re Yahoo Mail Litig., 2015 U.S. Dist LEXIS 68585 at 9 (N.D. Ca., May 26, 2015).  

Yahoo’s privacy policy states:

“Yahoo! provides personally relevant product features, content, and advertising, and spam and malware detection by scanning and analyzing Mail, Messenger, and other communications content. Some of these features and advertising will be based on our understanding of the content and meaning of your communications.”  In re Yahoo Mail Litig., at 11.

While it is unclear whether this sentence was omitted from the court’s opinion or was simply not present in Yahoo’s policy at the time, the current policy continues, “For instance, we scan and analyze email messages to identify key elements of meaning and then categorize this information for immediate and future use.”

Other major email providers have “privacy” policies which permit substantial use of the contents of email sent through their systems.  For example, Google’s policy states, as of December 19, 2014:

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”  

Google added that language in its December 19, 2014 revisions to its Privacy Policy, although the practice itself appears to go back much farther.  See In re Google Inc. Gmail Litig., 2014 U.S. Dist LEXIS 36957 (N.D. Ca., March 18, 2014).  Compare those statements with the far more privacy-friendly policy of a paid-only service.  Even Google makes an explicit distinction between its free and paid email services:

“What kind of data scanning or indexing of end-user data is done?

Google for Work does not scan your data or email in Google Apps Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.”

In practice, this goes beyond merely displaying advertisements, and farther than some would expect (see Google Tracks Hotel Reservations).

So why does this matter?  Putting aside the consequences of breaches an email provider may suffer (e.g. Midwest Orthopaedics), the email provider is receiving, maintaining, and possibly transmitting email on behalf of the sender. If that sender is a covered entity or business associate, and the email contains PHI, the sender and the provider would need to have a business associate agreement in place.  45 C.F.R. §§ 164.308(b), 164.314, and 164.504(e).

Even if there were a BAA in place (good luck getting one for free services; Yahoo appears not to sign one under any circumstances, although Google will for paid services), knowing that the email provider is going to use the contents of messages for marketing purposes, possibly in violation of HIPAA at 45 C.F.R. § 164.508(a)(3) (remuneration for marketing) or § 164.504(e)(2)(i) (a BAA can’t permit the BA to use PHI in violation of the Privacy Rule), may be problematic in light of the termination language in § 164.504(e)(1)(ii) or (iii).  That is, if a pattern or practice is known in advance, it is probably not reasonable to enter into such an arrangement in the first place, and in any event, continued use of such a service would be problematic.

A more interesting question arises when the sender maintains their own email system, but may from time to time send email to external addresses hosted by a provider which performs content analysis of emails for advertising.  Assuming some of those emails will have PHI, is it acceptable to send to those addresses?  An address might belong to another health care provider, or perhaps a patient. 

This is problematic for so many reasons. 

  • Is the destination email provider a BA of the sender, as it is receiving, maintaining, and transmitting PHI on the sender’s behalf?  
  • If the recipient is another BA or covered entity, is the destination email provider a BA of the intended recipient, since it is doing the same for them?  
  • Are all the necessary BAAs in place?  
  • Even if emailing a patient, are you disclosing PHI to them, or are you disclosing it to a third party for subsequent transmission to the patient? 

In any event, an email provider scanning email for advertising (or other) purposes isn’t treatment, payment, or operations, and isn’t otherwise listed as a HIPAA permitted use or disclosure. 45 C.F.R. § 164.512 (authorization or opportunity to agree or object not required).  Does an authorization (and NPP) cover such use?  Even if it did, is an email provider going to honor revocation of that authorization?

Is the data encrypted and hashed on the way to the destination email server (possibly, but not guaranteed)?  Is the data encrypted and hashed in storage once it gets there?  It almost certainly isn’t encrypted in a way that prevents the email provider itself from scanning it.

Does the email provider’s scanning of that email constitute a Breach?  What about the email provider’s use of that information for subsequent aggregation and identity tracking, or otherwise sharing it with a third party?

What about the Security Rule’s general requirement to “[p]rotect against any reasonably anticipated uses or disclosures…that are not permitted or required under [the Privacy Rule]”?

This isn’t just a healthcare issue.  What are the consequences for privilege, whether attorney-client, doctor-patient, etc., when those communications have no reasonable expectation of privacy?  Does the analysis in Stengart v. Loving Care Agency, Inc., 201 NJ 300 (2010) change if there is no reasonable expectation of privacy?  A number of email providers have adopted language similar to that suggested in United States v. Warshak, 631 F.3d 266, at 287 (6th Cir., 2010) [note: an interesting read for a discussion of the Stored Communications Act, marginalization of the 4th Amendment, and what actually happened to all those Enzyte commercials].  Does it change if those email providers actively engage in activities beyond using email content for directed advertising, such as actively parsing email for illegal content?  Would the privilege consequences be different in civil vs. criminal proceedings?

Perhaps we would be best served to heed Eliot Spitzer’s advice, "Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail." At least not where free services are involved.

CMS Releases Guidance on Stage 2 Summary of Care Measure

CMS released guidance yesterday that it has discontinued the NIST EHR-Randomizer effective today, July 1. Hospitals and providers were previously required to conduct a test with the NIST EHR-Randomizer as part of their demonstration of the Stage 2 Summary of Care Record measure if they were unable to exchange a summary of care record with another provider using different CEHRT. CMS now permits hospitals and providers to retain documentation if they were not able to exchange with a provider using different CEHRT in common practice, and to attest "Yes" to this measure nonetheless.

The text of the FAQ is available below.  For additional guidance on the Stage 2 Summary of Care Record measure, visit the CMS FAQ page.   

Question: When reporting on the Summary of Care objective in the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program, how can eligible professionals and eligible hospitals meet measure 3 if they are unable to complete a test with the CMS designated test EHR (Randomizer)?

Answer: CMS is aware of difficulties related to systems issues that eligible professionals, eligible hospitals, and critical access hospitals (CAHs) are having in use of the CMS Designated Test EHRs (NIST EHR-Randomizer Application) to meet measure 3 of the Stage 2 Summary of Care objective; therefore, we will be discontinuing this option effective July 1, 2015.

Providers may still meet the Stage 2 Summary of Care objective measure #3 by using one of the following actions:

  1. Exchange a summary of care with a provider or third party who has a different CEHRT as the sending provider as part of the 10% threshold for measure #2 (allowing the provider to meet the criteria for measure #3 without the CMS Designated Test EHR). This exchange may be conducted outside of the EHR reporting period timeframe, but must take place no earlier than the start of the year and no later than the end of the EHR reporting year or the attestation date, whichever occurs first.
  2. If providers do not exchange summary of care documents with recipients using a different CEHRT in common practice, they may retain documentation on their circumstances and attest “Yes” to meeting measure #3 if they have and are using a certified EHR which meets the standards required to send a CCDA (§ 170.202).