Using email to send patient names and electronic protected health information does not automatically violate HIPAA. It becomes a HIPAA violation when the message involves an impermissible use or disclosure under the HIPAA Privacy Rule, when the safeguards required by the HIPAA Security Rule are not implemented for the email system and workflow, or when a required Business Associate Agreement is not in place with a vendor that creates, receives, maintains, or transmits electronic protected health information on behalf of a HIPAA Covered Entity or Business Associate.
A patient name is protected health information when it identifies an individual and the communication relates to that individual's past, present, or future physical or mental health or condition, the provision of care, or payment for care. A message that includes a patient name plus a diagnosis, test results, treatment details, billing data, appointment details tied to a condition, a medical record number, or similar clinical or payment content is protected health information, and it is electronic protected health information when it is created, stored, or transmitted electronically. The name alone, in a message with no health or payment context, is not necessarily protected health information; the combination of identifier and health-related content is what triggers the rules.
The HIPAA Security Rule permits sending electronic protected health information by email, but it requires policies and procedures and technical measures that restrict access, protect integrity, and guard against unauthorized access during transmission. Email compliance depends on the configuration and management of accounts and devices, user authentication and access controls, audit controls appropriate to the environment, message integrity controls, and transmission security measures selected through a documented risk analysis and risk management process.
Encryption is an addressable implementation specification under the HIPAA Security Rule, which means the organization must implement encryption where it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure based on its risk analysis. "Addressable" does not mean optional; the decision and its rationale must be documented. Transport protections such as TLS reduce interception risk while a message is in transit, but only between servers that actually negotiate it: opportunistic TLS between mail servers falls back to cleartext when the receiving server does not offer it, so a policy that relies on TLS should enforce it (for example, by refusing to deliver protected health information to domains that do not support it) or use message-level encryption or a secure messaging portal instead. TLS also does not address misuse scenarios such as misaddressed messages, compromised credentials, unauthorized mailbox access, or protected health information sitting unencrypted in a mailbox or on a lost device. Operational controls such as multi-factor authentication, device encryption and management, role-based access, recipient verification, monitoring, and workforce training address those risks.
The HIPAA Privacy Rule permits communications by email with patients, including replies to patient-initiated email. When a patient requests or accepts email communication, a covered health care provider may use email; it should alert the patient to the risks of unencrypted email, and if the patient still prefers it, document that preference and honor it. When an individual requests confidential communications by an alternative means or at an alternative location and the request is reasonable, the covered entity must accommodate it.
Email to third parties requires a HIPAA Privacy Rule permission or a valid authorization from the individual, and the HIPAA Minimum Necessary Rule applies to the content of the message whenever the use or disclosure is not for treatment. Misdirected emails, unauthorized access, and other impermissible disclosures must be analyzed under the HIPAA Breach Notification Rule and may trigger notifications when the incident is a breach of unsecured protected health information. Protected health information that was encrypted consistent with HHS guidance is not "unsecured," which is one reason message-level encryption matters: a misdirected message that the recipient cannot decrypt does not, by itself, become a reportable breach.
Online HIPAA Training
HIPAA staff training reduces email-related HIPAA violations by teaching workforce members how to apply the HIPAA Privacy Rule and HIPAA Security Rule to routine messages that contain patient names and electronic protected health information. Training should be assigned to every role that handles protected health information, including clinical, administrative, billing, IT, volunteers, students, and temporary staff. The Privacy Rule requires training within a reasonable period after a person joins the workforce; a common practice is to complete onboarding training within three months, refresh it annually, and repeat it when policies change or after a security incident. Training should use practical scenarios that cover recipient verification before sending, applying the HIPAA Minimum Necessary Rule to non-treatment disclosures, secure use of approved email and messaging tools, handling patient requests for email communication, and the actions required after a misdirected message or a suspected account compromise. Online training with short module assessments, completion certificates, and administrative reporting produces the records needed to document that workforce training obligations have been met.
