Does Using Email to Send Patient Names and ePHI Violate HIPAA Rules?

The short answer to the question "does using email to send patient names and ePHI violate HIPAA Rules?" is that it depends: on the content of the email, on who it is being sent to and for what purpose, and on whether controls are in place to ensure transmission security where that is required.

Questions such as "does using email to send patient names and ePHI violate HIPAA Rules?" illustrate how difficult HIPAA compliance can be, because there is no straightforward answer. For example, if you send only patient names by email, there is no violation of either the Privacy Rule or the Security Rule, because names alone are not Protected Health Information (they are not individually identifiable health information).

Similarly, if you send de-identified health information via email, the email is not subject to HIPAA because it is not individually identifiable health information. However, once you include patient names and health information in the same email – whether as text, as an attachment, or as a link to a database – the content becomes electronic Protected Health Information (ePHI) and is subject to the standards of the Privacy and Security Rules where they apply.

Who the Email is Sent to Makes a Difference

As a member of a Covered Entity's or Business Associate's workforce, there are only certain people to whom you can send ePHI by email. These include:

  • A patient or their authorized representative,
  • An authorized work colleague,
  • Another Covered Entity that conducts treatment, payment, or healthcare operations on your organization's behalf,
  • A Business Associate or subcontractor with whom a Business Associate Agreement is in place – but only for an agreed purpose,
  • HHS' Office for Civil Rights or another public health, government, judicial, or law enforcement agency as required by law, or
  • The patient's employer when the ePHI relates to a work-related injury or illness, or to workplace-related medical surveillance.

With regard to sending ePHI by email to a patient or an authorized representative, it is important to check beforehand that the patient has not objected to being contacted by email. With regard to any other disclosure of ePHI, it is important to check that the patient has not exercised their right under §164.522 to request privacy protection for their PHI. In such cases, patients have the right to request restrictions that are partial or total and that apply to some or all recipients.

The Purpose of the Email Also Matters

The reason for sending the email must fall within one of the permitted uses or disclosures of the Privacy Rule (§§164.502-164.514). All other uses of email to send patient names and ePHI violate HIPAA Rules unless the patient has authorized them in writing. The authorization must explain what ePHI is being disclosed, to whom, and for what purpose, and must clearly state that the recipient could further use or disclose the ePHI without it being protected by the Privacy Rule.

Additionally, in the context of the question "does using email to send patient names and ePHI violate HIPAA Rules?", any email containing ePHI must comply with the Minimum Necessary standard. This standard requires that all disclosures of ePHI be limited "to the amount reasonably necessary to achieve the purpose of the disclosure". Disclosing more than the minimum necessary to achieve the purpose of the disclosure is a HIPAA violation.

When are Transmission Security Controls Not Required?

The requirement to implement transmission security controls appears in the Technical Safeguards of the Security Rule (§164.312). The standard specifically relating to transmission security states that security measures must be implemented to guard against unauthorized access to ePHI being transmitted over an electronic communications network. For emails containing ePHI, this usually means implementing an encrypted email service.

There are two circumstances in which implementing an encrypted email service is not required. The first is when emails containing ePHI are sent internally and are protected by a firewall. The second is when patients have been warned of the risks of unencrypted email but have nonetheless requested communication via email. In that case, both the warning and the patient's request to receive communications containing ePHI by email should be documented.

When Does Using Email to Send Patient Names and ePHI Violate HIPAA?

Although there is no straightforward answer to the question "does using email to send patient names and ePHI violate HIPAA?", there are clear cases in which it does. These include when an email

  • is sent to an internal or external recipient not authorized to receive it (including ePHI sent to personal accounts),
  • contains information the recipient is not authorized to receive (e.g., in violation of a Business Associate Agreement),
  • contravenes a patient's communication wishes or contains information a patient has asked not to be disclosed,
  • is an impermissible disclosure not authorized by the patient (e.g., psychotherapy notes),
  • contains more than the minimum necessary ePHI to achieve the purpose of the disclosure, or
  • has been sent in an unencrypted format to an external recipient other than a patient who has been warned of the risks.
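The rules in the transmission security section and the violation list above can be expressed as a pre-send policy gate, the kind of check an outbound email DLP rule or a secure-messaging gateway might apply before releasing a message. The following Python is an added illustration written for this article, not code from any HIPAA guidance or product. The domain names, the `Recipient`/`OutboundEmail` structures, the role labels, and the assumption that the organization's own mail domain sits behind the firewall are all constructed for the example; the flags on `OutboundEmail` stand in for facts a real system would have to establish from records (patient communication preferences, the scope of a BAA, a minimum-necessary review).

```python
from dataclasses import dataclass

# Constructed values for this example; not from the article.
INTERNAL_DOMAIN = "clinic.example"            # assumed to be behind the firewall
PERSONAL_MAIL_DOMAINS = {"gmail.example", "webmail.example"}


@dataclass(frozen=True)
class Recipient:
    address: str
    # One of: "patient", "workforce", "business_associate", "unauthorized"
    role: str

    @property
    def domain(self) -> str:
        return self.address.rsplit("@", 1)[-1].lower()

    @property
    def is_internal(self) -> bool:
        return self.domain == INTERNAL_DOMAIN


@dataclass(frozen=True)
class OutboundEmail:
    recipients: tuple
    contains_ephi: bool          # names + health information together
    encrypted: bool              # sent through the encrypted email service
    # Patient objected to email contact or requested a §164.522 restriction
    patient_restricted: bool = False
    # Documented: patient was warned about unencrypted email and still requested it
    patient_accepted_unencrypted_risk: bool = False
    # Disclosure to a Business Associate goes beyond the purpose agreed in the BAA
    outside_baa_scope: bool = False
    # Content exceeds what the purpose of the disclosure needs
    exceeds_minimum_necessary: bool = False


def evaluate(msg: OutboundEmail) -> list:
    """Return violation codes for the message; an empty list means it may be sent."""
    if not msg.contains_ephi:
        return []  # names alone or de-identified data are not ePHI

    findings = []
    for r in msg.recipients:
        if r.role == "unauthorized":
            findings.append(f"unauthorized-recipient:{r.address}")
            continue
        # Workforce members may not receive ePHI at personal accounts
        if r.role == "workforce" and r.domain in PERSONAL_MAIL_DOMAINS:
            findings.append(f"personal-account:{r.address}")
        # A Business Associate may only receive ePHI for the agreed purpose
        if r.role == "business_associate" and msg.outside_baa_scope:
            findings.append(f"outside-baa-scope:{r.address}")
        # Respect a patient's communication preferences and restrictions
        if r.role == "patient" and msg.patient_restricted:
            findings.append(f"patient-restriction:{r.address}")
        # Encryption is not required internally, nor for a patient who has
        # been warned and still asked for email; everywhere else it is
        if not msg.encrypted and not r.is_internal:
            if not (r.role == "patient" and msg.patient_accepted_unencrypted_risk):
                findings.append(f"unencrypted-external:{r.address}")

    if msg.exceeds_minimum_necessary:
        findings.append("exceeds-minimum-necessary")
    return findings


if __name__ == "__main__":
    # Constructed sample: a referral sent unencrypted to a partner outside the BAA's scope
    sample = OutboundEmail(
        recipients=(Recipient("claims@billing.example", "business_associate"),),
        contains_ephi=True,
        encrypted=False,
        outside_baa_scope=True,
    )
    for code in evaluate(sample):
        print("BLOCK:", code)
```

The gate returns every finding rather than stopping at the first one, so a reviewer sees the full set of reasons a message was held. The flags that drive it are deliberately inputs rather than something the code guesses: whether a patient accepted the risk of unencrypted email, or whether a disclosure stays within a BAA, must come from documented records, which is exactly what the article says should be kept.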

There is quite a long list of scenarios in which using email to send patient names and ePHI violates HIPAA, and organizations subject to HIPAA should bear these scenarios in mind when developing policies and procedures to comply with the Privacy and Security Rules, and when designing HIPAA training courses to mitigate the risk of an avoidable HIPAA violation by a member of the workforce.

Using Email to Send Patient Names and ePHI: FAQs

What is an “addressable” requirement?

HIPAA "addressable" requirements do not specify exactly which safeguards are needed to meet the stipulated security standards. Rather, they give Covered Entities the flexibility to choose which safeguards to implement. For example, encryption is an "addressable" requirement, so Covered Entities may choose to use encryption or to use one or more other safeguards that achieve the same level of protection.

What happens if an email is sent to the incorrect recipient?

If the email contains PHI, sending it to the incorrect recipient is considered a HIPAA violation if that recipient has not been authorized to receive the information. If the PHI within the email is not password-protected and is read by the recipient, this is considered a HIPAA breach and is reportable to the Department of Health and Human Services.

Can email be used to send other types of PHI?

If the email is properly protected – for example, sent internally, to the correct recipient, with files password-protected – then email can be used to send PHI. However, it is essential that the PHI contained in the email cannot be intercepted and accessed by unauthorized individuals.

Is a business associate agreement required to use email services?

Yes. If the email service is run by a third party – for example, Google or Microsoft – a Business Associate Agreement is required, and the Covered Entity must enter into this BAA before using the email service.