Is Sending an Email to Patients a HIPAA Violation?

Sending an email to patients is not a HIPAA violation when the message is permitted under the HIPAA Privacy Rule, uses reasonable safeguards to prevent unauthorized disclosure, limits protected health information to the HIPAA Minimum Necessary Rule when applicable, and applies the administrative, physical, and technical safeguards required by the HIPAA Security Rule for electronic protected health information. It can be a HIPAA violation when an email impermissibly discloses protected health information, is sent to the wrong recipient, lacks reasonable safeguards, or uses patient information for marketing without a valid authorization.

The HIPAA Privacy Rule permits covered health care providers to communicate with patients by email for treatment and for health care operations communications that are not marketing. Reasonable safeguards apply to routine electronic communications and should address preventable disclosure risks such as autocomplete errors, incorrect addresses, forwarding, shared inboxes, and inclusion of unnecessary identifiers or clinical details. Messages should exclude diagnoses, test results, images, and detailed treatment information unless there is a defined need and the organization can support secure transmission and access controls.

The HIPAA Security Rule applies when electronic protected health information is created, received, maintained, or transmitted by email systems. Covered Entities and Business Associates should implement access controls, authentication, workforce role controls, audit capability, and transmission security appropriate to the environment. If an email platform stores messages containing electronic protected health information, the vendor relationship should be evaluated to determine whether a business associate agreement is required based on the vendor’s functions and access.

Encryption is a common control for email containing electronic protected health information. When a patient requests email that is not encrypted, the HIPAA Privacy Rule permits honoring the patient’s preference after the patient is informed of the security risks and still chooses that method, including requests to receive copies of protected health information by unencrypted email under the individual right of access. Organizations should document the request, the risk warning provided, and the patient’s preference, and should continue to protect the organization’s own systems.

Email communications become higher risk when they resemble marketing. Messages that encourage the purchase or use of a product or service and are not a treatment communication or a health care operations communication that meets HIPAA requirements can require a written authorization. Mailing lists and mass emails also increase the likelihood of address exposure or misdirection, which can create an impermissible disclosure.

A misdirected email that contains protected health information can constitute a breach of unsecured protected health information and may trigger the HIPAA Breach Notification Rule after the required breach risk assessment. Workforce training, standardized templates, address verification practices, and incident response procedures reduce repeat events and support audit readiness.
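As an added example (not code from the article or from HIPAAnswers), the following pre-send check illustrates the safeguards the article describes: verifying the recipient against the patient's documented contact address, flagging mass mailings with visible recipient lists, and flagging clinical detail beyond the minimum necessary unless a secure channel or a documented patient preference applies. The patient ids, contact list and term list are constructed assumptions.

```python
"""Pre-send safeguard check for patient email (illustrative, constructed data)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: addresses each patient has verified for email contact.
VERIFIED_CONTACTS = {
    "pt-1001": {"alice.example@mail.example"},
    "pt-1002": {"bob.example@mail.example"},
}

# Content categories the article says routine email should exclude
# (diagnoses, test results, record identifiers); the list is an assumption.
SENSITIVE_TERMS = re.compile(
    r"\b(diagnos\w*|test result\w*|lab result\w*|pathology|biopsy|MRN[:\s]*\d+)\b",
    re.IGNORECASE,
)


@dataclass
class Draft:
    patient_id: str
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)
    body: str = ""
    secure_channel: bool = False   # encrypted or portal delivery
    unencrypted_ok: bool = False   # documented patient preference, 164.522(b)


def check_draft(draft: Draft) -> list[str]:
    """Return a list of findings; an empty list means the draft passes."""
    findings: list[str] = []
    verified = {a.lower() for a in VERIFIED_CONTACTS.get(draft.patient_id, set())}
    visible = draft.to + draft.cc
    # Misdirection / autocomplete risk: any visible address not on file.
    unknown = [a for a in visible if a.lower() not in verified]
    if unknown:
        findings.append("unverified recipient(s): " + ", ".join(unknown))
    # Mass-mailing exposure: more than one visible recipient leaks addresses.
    if len(visible) > 1:
        findings.append("multiple visible recipients: use BCC or individual messages")
    # Minimum necessary: clinical detail needs a secure channel or documented preference.
    hits = sorted({m.group(0).lower() for m in SENSITIVE_TERMS.finditer(draft.body)})
    if hits and not (draft.secure_channel or draft.unencrypted_ok):
        findings.append("clinical detail beyond minimum necessary: " + ", ".join(hits))
    return findings
```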

The Applicable HIPAA Regulatory Text

45 CFR 164.522(b)(1)(i) addresses patient requests for how protected health information communications are sent and supports email use when it is a reasonable accommodation. The regulation states, “A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.” This text is relevant because a patient request to receive communications by email is a request for an alternative means of communication.

45 CFR 164.530(c)(1) establishes a general safeguards duty for protected health information when a covered entity communicates with patients, including by email. The regulation states, “A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” This text is relevant because email workflows require controls to reduce foreseeable risks of impermissible use or disclosure, including misaddressed messages and unnecessary content.

45 CFR 164.312(e)(1) governs transmission security for electronic protected health information and applies when email is used to transmit electronic protected health information over an electronic communications network. The regulation states, “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This text is relevant because it ties email transmission of electronic protected health information to technical measures such as transmission security controls.

45 CFR 164.404(a)(1) establishes when breach notification duties apply after an email incident involving unsecured protected health information. The regulation states, “A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.” This text is relevant because a misdirected email containing unsecured protected health information can trigger breach notification obligations after the required analysis under the HIPAA Breach Notification Rule.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]