Does Using Email to Send Patient Names and ePHI Violate HIPAA Rules?

Email is a very useful and convenient way of communication nowadays. Can healthcare organizations use email to send patients their electronic protected health information? Is it considered a HIPAA violation to do so?

The HIPAA Privacy Rule clearly identifies patient names – the first and last name or last name and initial – as one of the 18 identifiers of protected health information (PHI). HIPAA does not state in any rule that the electronic transmission of PHI is prohibited. HIPAA-covered entities can use email and other electronic communications to transmit ePHI as long as reasonable safeguards are implemented ensuring data confidentiality and integrity. The following are important things to remember when using email with ePHI.

There’s no HIPAA violation committed when emailing patient names per se. However, it is important to make sure that the patient name and other PHI are not used on the subject line. Doing so will allow unauthorized persons to view the sensitive information. Even if the message is encrypted in transit, the subject line and the To and From fields are not encrypted.

Make sure that the email address is correct. When sending patients names and other PHI, make sure that the persons that will receive it and view it are authorized. Sending email with PHI to the wrong recipient is considered an unauthorized disclosure and violates HIPAA rules.

Encryption is not required by HIPAA.  However, if after conducting a risk assessment the covered entity decides not to use encryption, it must put in place an equivalent alternative security measure. Encrypting email messages is not necessary when sending only internal emails since the message will not leave the protection of the organization firewall.  However, there must be access control to make sure that messages are not opened by unauthorized individuals.

When messages with PHI are emailed outside the protection of an internal network, the potential that unauthorized can intercept and view the message is high. Make sure that patients have given their written consent to use email for sending them the sensitive information. Patients should be informed of the risks of using unencrypted email prior to getting their consent.

While the HIPAA rule requiring encryption is somewhat vague, going ahead to use unencrypted email for sending ePHI is quite risky. Should any audit or data breach investigation occurs, it will be difficult to prove that using unencrypted email is reasonably protected. It is better to use other more secure methods of data sharing such as Google Drive, Dropbox and Box.