Is an Email Address Considered PHI?


An email address is protected health information (PHI) when it identifies an individual and is created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate in connection with that individual's healthcare, payment for healthcare, or enrollment in a health plan. It is not PHI when it is not linked to an individual's health-related information or is not held in a regulated context.

The HIPAA Privacy Rule treats identifiers as protected health information when they are associated with health information relating to a person's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. An email address functions as an identifier when it identifies a specific individual directly, or when it can be combined with other available information to identify the individual. The Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)) lists electronic mail addresses among the identifiers that must be removed before health information is considered de-identified, which confirms that an email address is treated as a direct identifier rather than as incidental contact data.

An email address becomes protected health information in common operational situations. A patient email address stored in an electronic health record, a scheduling system, or a billing platform is PHI when it is maintained for clinical, administrative, or payment purposes, and where it sits in the medical or billing record it is also part of the designated record set. An email address contained in a message thread that includes diagnosis, treatment, test results, referral details, insurance information, or patient account information is protected health information because the identifier is tied to health-related content. A distribution list for a disease management program, specialty clinic, or behavioral health service also creates protected health information when the list links an individual's email address to the fact that the individual receives a particular type of care.


An email address is not protected health information when it is not connected to health information and is not maintained or used in a regulated healthcare context. A general business email address for a vendor, an employer, or a public agency is not protected health information by itself. A generic address that does not identify an individual, such as a role-based inbox (for example a shared billing or front-desk mailbox), does not function as protected health information unless it is combined with other information that ties it to an individual's health status or services.

Email addresses also raise compliance risk when they are shared or displayed in a way that discloses a patient relationship. Sending a group message with every recipient in the To or Cc field exposes each address to all of the others and can disclose that the recipients are associated with a particular provider or service line; placing list members in Bcc keeps their addresses out of the headers delivered to other recipients, although the message content itself must still be appropriate for every recipient. Forwarding messages that contain patient identifiers, including email addresses, can create an impermissible disclosure when the recipients are not authorized for the purpose.
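The group-message exposure described above can be checked mechanically before a notice leaves the organization. The following is an added example written for this page, not code from the article or from HIPAAnswers; it assumes a hypothetical clinic mailing a program list, the addresses are constructed for illustration, and the transport step mirrors what Python's `smtplib.send_message` does when it removes the Bcc header before sending.

```python
"""Added example (not from the original article): keep distribution-list
recipients out of the headers that every recipient can read.

Assumptions (hypothetical, not from the page): a clinic sends one notice to a
behavioral-health program list, and the check below runs before the message is
handed to the mail server.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list: these addresses are invented for the example.
PROGRAM_LIST = [
    "patient.one@example.com",
    "patient.two@example.com",
    "patient.three@example.com",
]


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Collect bare addresses from the named headers (duplicates kept)."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can read in the delivered headers: To and Cc.

    Bcc is excluded because a correctly behaving sender strips it before the
    message is transmitted (see prepare_for_transport)."""
    return _addresses(msg, "To", "Cc")


def exposes_patient_list(msg: EmailMessage) -> bool:
    """True when more than one recipient would see the others' addresses,
    i.e. the group-message disclosure discussed in the text."""
    return len(visible_recipients(msg)) > 1


def build_list_notice(sender: str, recipients: list[str],
                      subject: str, body: str) -> EmailMessage:
    """Address the notice to the sender's own mailbox and put every list
    member in Bcc, so no patient address appears in To or Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_for_transport(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Return (envelope recipients, wire bytes).

    The SMTP envelope must carry every To/Cc/Bcc address so the server can
    deliver the message, but the serialized headers must not contain Bcc.
    This is the same split smtplib.send_message performs internally: a
    shallow copy is safe because deleting a header replaces the copy's
    header list rather than mutating the original's."""
    envelope = _addresses(msg, "To", "Cc", "Bcc")
    wire_msg = copy.copy(msg)
    del wire_msg["Bcc"]
    return envelope, wire_msg.as_bytes()


if __name__ == "__main__":
    notice = build_list_notice(
        "clinic@example.com", PROGRAM_LIST,
        "Group session reminder", "The Thursday session starts at 6 pm.",
    )
    envelope, wire = prepare_for_transport(notice)
    print("exposes list:", exposes_patient_list(notice))
    print("envelope recipients:", len(envelope))
    print("patient address in wire headers:", b"patient.one" in wire)
```

Run the check in the outbound path for any message addressed to a clinic or program list: a notice that fails `exposes_patient_list` should be rewritten with the list in Bcc rather than sent, and the envelope/wire split shows why Bcc is the right field rather than a cosmetic one.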

Organizations should treat patient email addresses as protected health information whenever they are maintained alongside clinical or payment information, apply the HIPAA Minimum Necessary standard when email addresses are used or disclosed for administrative purposes, and implement the HIPAA Security Rule's administrative, physical, and technical safeguards, including access controls and transmission protection, when email addresses form part of electronic protected health information in systems used for care, billing, or operations.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]