You send a HIPAA-compliant email by confirming the message is a permitted use or disclosure under the HIPAA Privacy Rule, limiting the protected health information included to the minimum necessary when the HIPAA Minimum Necessary Rule applies, using an email system that meets HIPAA Security Rule safeguards for electronic protected health information, and preventing misdirection and unauthorized access through verification, configuration, and documented procedures.
First determine whether the email contains protected health information. Protected health information exists when an identifier such as a name, email address, medical record number, account number, or appointment detail is linked to health information about a condition, care, or payment. Subject lines, attachments, images, embedded metadata, and prior thread history can contain protected health information even when the body text appears limited. If protected health information is present and the email is electronic, the message and its storage become electronic protected health information.
Confirm that the purpose and recipient are permitted. Disclosures for treatment, payment, and healthcare operations are permitted when the recipient relationship and message content match the purpose. Messages that meet the HIPAA Privacy Rule definition of marketing require a valid HIPAA authorization unless an exception applies. Restrictions and confidential communications requests that the organization has agreed to follow must be honored, including alternative addresses and limits on disclosures to specific persons.
Control the content before sending. Include only the information needed for the purpose, avoid unnecessary clinical detail, and avoid placing protected health information in the subject line when it is not required. Attachments should be limited to the relevant pages or data elements rather than full record extracts. Distribution should prevent recipient list disclosure by using individual addressing methods that do not expose other recipients, and replies and forwards should be managed to prevent propagation outside the permitted disclosure.
Use a secured email environment for electronic protected health information. HIPAA Security Rule safeguards include unique user identification, access controls aligned with workforce roles, authentication practices that resist credential compromise, audit controls that record relevant access and administrative activity, integrity controls that protect electronic protected health information from unauthorized alteration, and transmission security appropriate to the environment. Encryption for transmission is an addressable specification that requires a documented assessment and an implemented approach that protects electronic protected health information in the organization’s operating conditions. Mobile access to email should be controlled through device management, encryption, screen locks, and remote wipe where the organization manages devices.
Confirm vendor and configuration status. If the email service provider creates, receives, maintains, or transmits protected health information on behalf of the organization, the provider functions as a Business Associate and requires a Business Associate Agreement. Configuration should restrict administrative access, control forwarding and external sharing, apply retention and deletion practices aligned with policy, and support logging and monitoring for suspected unauthorized access or misdirection.
Apply recipient verification and sending controls. Verify addresses using approved directories, confirm external recipients when communication patterns change, and use secure messaging options when sending outside the organization. When leaving voicemail through email-to-voice services or sending messages to shared inboxes, limit content and confirm access permissions. When a misdirected email occurs, initiate containment steps such as recall attempts where feasible, contact unintended recipients to request deletion, and document the event for incident response review.
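The checks described in the paragraphs above (identifying protected health information by an identifier linked to health information, keeping it out of the subject line, avoiding recipient-list disclosure, verifying external recipients against an approved directory, and catching quoted thread history) can be turned into an automated pre-send gate. The following is an added example written for this article, not a tool from the article or any vendor. The internal domain, the approved directory, the identifier patterns, the clinical terms, and the sample message are all constructed placeholders; a real deployment would use the organization's own identifier formats and directory.

```python
"""Pre-send policy gate for outbound email that may carry protected health information.

Added example for illustration only. Everything under ASSUMPTIONS is constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# --- ASSUMPTIONS (constructed sample values, not from the article) ---
INTERNAL_DOMAIN = "clinic.example"
APPROVED_DIRECTORY = {            # external addresses verified out of band
    "referrals@partner-hospital.example",
    "billing@payer.example",
}
IDENTIFIER_RES = [                # identifier formats; real ones are organization-specific
    re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I),
    re.compile(r"\bACCT[:\s#]*\d{6,}\b", re.I),
]
CLINICAL_TERMS = ("diagnosis", "prescription", "lab result", "appointment", "treatment")
QUOTED_RE = re.compile(r"^(>|-{3,} ?Original Message|On .+ wrote:)", re.M)


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def has_identifier(text: str) -> bool:
    return any(r.search(text) for r in IDENTIFIER_RES)


def has_health_info(text: str) -> bool:
    low = text.lower()
    return any(term in low for term in CLINICAL_TERMS)


def text_parts(msg: Message) -> str:
    """Join the text/plain bodies; parts with a filename are attachments and are listed separately."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_outbound(raw: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for an RFC 5322 message; an empty list means no gate tripped."""
    msg = message_from_string(raw)
    findings: list[tuple[str, str]] = []

    visible = [a.lower() for _, a in getaddresses(msg.get_all("to", []) + msg.get_all("cc", []))]
    hidden = [a.lower() for _, a in getaddresses(msg.get_all("bcc", []))]
    external_visible = [a for a in visible if is_external(a)]
    external_all = [a for a in visible + hidden if is_external(a)]

    subject = msg.get("subject", "")
    body = text_parts(msg)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]

    # 1. PHI exists when an identifier is linked to health information anywhere in the message.
    whole = subject + "\n" + body
    phi = has_identifier(whole) and has_health_info(whole)
    if phi:
        findings.append(("phi_present", "identifier and health information both present; minimum necessary applies"))

    # 2. Subject lines travel in headers and logs that bodies may not; keep PHI out of them.
    if has_identifier(subject) or has_health_info(subject):
        findings.append(("subject_phi", f"subject carries PHI indicators: {subject!r}"))

    # 3. Several external addresses in To/Cc disclose the recipient list to every recipient.
    if len(external_visible) > 1:
        findings.append(("recipient_list_disclosure",
                         f"{len(external_visible)} external addresses visible in To/Cc; send individually or via Bcc"))

    # 4. External recipients must resolve in the approved directory.
    for addr in external_all:
        if addr not in APPROVED_DIRECTORY:
            findings.append(("unverified_recipient", addr))

    # 5. Quoted thread history can carry earlier PHI outside the permitted disclosure.
    if external_all and QUOTED_RE.search(body):
        findings.append(("thread_history", "quoted prior messages included in an external email"))

    # 6. Attachments on a PHI message need a relevance review (needed pages, not full extracts).
    if phi and attachments:
        findings.append(("attachment_review", ", ".join(attachments)))

    return findings


# Constructed sample message that trips several gates at once.
SAMPLE_RAW = """\
From: nurse@clinic.example
To: pat.one@mail.example, pat.two@mail.example
Cc: referrals@partner-hospital.example
Subject: Lab result for MRN 1234567
Content-Type: text/plain; charset=utf-8

Hi, your lab result from Monday's appointment is below.

> On Monday the patient wrote:
> Could you send my diagnosis?
"""

if __name__ == "__main__":
    for code, detail in check_outbound(SAMPLE_RAW):
        print(f"{code}: {detail}")
```

Each finding maps to a sentence of the procedure above, so a message that returns no findings has passed the content, addressing, and verification gates; the findings for a blocked message are also the record that the logging and monitoring paragraph asks for, and they can be written to the same audit trail as the send event. The gate does not try to decide whether the purpose is permitted under the Privacy Rule; that determination stays with the sender and the documented policy.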
Handle patient-directed email based on documented preferences. When an individual requests unencrypted email after being warned of the security risks and still prefers that method, the covered entity may comply while applying reasonable safeguards such as accurate address entry and limiting content to what is needed for the purpose.

