Here is a question for you. You have a claim that needs to be submitted to your state authority for an order or approval of some sort. Would you take all of the relative claim documents; including stipulations, statement of the case, and evidence of the case, bundle them up nicely with twine, and drop them by the curb, along with a note asking any passersby to please deliver them to your Commissioner?
Of course you wouldn't. That information contains personal and private data. It would be a blatant violation of both your ethical and legal obligations to protect a claimants privacy rights.
But we do it every day. And some states actively encourage the practice. South Carolina became the most recent addition, with the updating of their preferences to “Include E-Processing of All Proposed Orders”. Item 12 in that list reads, “Please submit all proposed orders in Word format electronically via email ONLY to the administrative assistant.” Email, unless both parties are using encryption software with a common “key”, is NOT a secure method with which to transfer this type of information.
I've beat this drum before. In February the New York Workers' Compensation Board announced they would allow “documents related to claims for compensation to be filed with the Board as email attachments”. I fail to understand why states continue to encourage its use in this manner.
According to the South Carolina Workers' Compensation Commission Commissioners' Preferences, the following is to be included with a proposed order:
- APA Submissions (APA stands for South Carolina's Administrative Procedures Act)
- Stipulations
- Statement of the Case (contentions of the parties, stated concisely)
- Evidence of the Case (synopsis of the evidence, including testimony and medical reports)
- Findings of Fact – numbered (Do NOT delete any of the above findings, however, the prevailing party may add findings to support the decision, except regarding credibility, unless instructed to do so)
- Conclusions of Law (cite applicable statutory sections and case law)
- Award
Certainly some of the information required, particularly that within the medical records, could contain personal information that should be protected. When an unencrypted email is sent, it simply does not pass from your computer to the recipients desktop. It passes through a network of many routers to reach its ultimate destination. At any point in that process, the email and attached documents are potentially subject to prying eyes. Anyone using a “packet sniffer” could potentially capture that data, with no one being the wiser to the interception.
Yet some states, like South Carolina, just don't seem to “get it”.
A much, much better approach would be the simple installation of a secure (read: ENCRYPTED) portal on their website where stakeholders could upload the necessary documents using industry standard SSL (Secure Socket Layer) protection. The data would still pass through many routers, but be immune to nefarious interlopers. In the absence of that solution, I certainly would recommend that standard email NOT be employed as recommended by the state. I would rather take my chances with the bundled documents and twine…..
————————————————————–
Special Note: I will be moderating a pre-conference Technology Symposium as part of the National Workers' Compensation and Disability Conference this November in Las Vegas. This is certainly a topic that I intend to interject into the conversation. If you know of other state agencies that allow or encourage this type of unsecured data transmission, please leave that in the comments below, or send an (unsecured) email to info at workerscompensation.com – Subject: "State Email Policy". Thank you.