Is it a HIPAA Violation to Email PHI to Patients?

Email is a simple and convenient way to communicate. Is it acceptable for healthcare providers to use email to send electronic protected health information (ePHI) to patients, or does this violate the HIPAA Rules?

HIPAA has no rule prohibiting the electronic transmission of PHI. HIPAA-covered entities may use email or any other digital channel to deliver ePHI, provided that appropriate safeguards are in place to ensure the integrity, confidentiality and availability of the PHI.

The following points are essential when using email to transmit ePHI:

  • Although emailing patient PHI does not in itself violate HIPAA, entities must remember not to put the patient’s name or other PHI in the subject line of the email. Unauthorized persons may be able to see sensitive information in the subject line: the message body may be encrypted in transit, but the To and From fields and the subject line are generally not encrypted.
  • When emailing PHI, always confirm that the recipient is the correct individual. Many privacy breaches have occurred because emails were sent to the wrong recipient.
  • Encryption is not a requirement of HIPAA. However, an entity can decide to use encryption or other controls after conducting its risk analysis and risk management procedures. If encryption is not used, an alternative safeguard providing an equivalent level of protection should be employed. For internal messages it is acceptable not to use encryption, since those messages are protected by the company’s firewall; nevertheless, access controls must ensure that messages can only be read by authorized individuals.
  • When emailing PHI outside the firewall, there is a significant risk that unauthorized persons could intercept and read the messages. Encryption is therefore highly recommended.
  • Remember that the patient’s written consent must be obtained before sending sensitive information via email. Patients should be informed of the risks of receiving PHI through unencrypted email.
  • Instead of encrypting email, you could implement policies requiring that PHI be shared only via HIPAA-compliant file-sharing providers such as Box, Dropbox and Google Drive.
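The bullet points above describe controls that are easy to state but easy to forget under time pressure, so many organizations enforce them with an automated pre-send check. The following is an added example, not code from the original article or from any HIPAA authority; it implements the checks as a policy gate that an outbound mail gateway or patient portal could call before releasing a message. The patient directory, the `clinic.example` domain, the PHI regexes and the `OutboundEmail` fields are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample patient directory: patient id -> name and verified email address.
PATIENT_DIRECTORY = {
    "P-1001": {"name": "Jane Doe", "email": "jane.doe@example.com"},
    "P-1002": {"name": "John Roe", "email": "john.roe@example.net"},
}

# Hypothetical domain of the covered entity; mail to this domain stays behind the firewall.
INTERNAL_DOMAIN = "clinic.example"

# Illustrative patterns for identifiers that should never appear in an unencrypted subject line.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE),
    "date_of_birth": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class OutboundEmail:
    """Minimal model of a message about to leave the organization (constructed)."""
    sender: str
    recipient: str
    subject: str
    patient_id: str
    encrypted: bool = False          # message body protected by encryption
    patient_consented: bool = False  # written consent to email on file


def check_outbound_email(msg: OutboundEmail, directory=PATIENT_DIRECTORY) -> list:
    """Return a list of policy findings; an empty list means the message may be sent."""
    findings = []
    patient = directory.get(msg.patient_id)
    if patient is None:
        return ["unknown patient id"]

    # 1. No PHI in the subject line: headers are not protected even when the body is.
    if patient["name"].lower() in msg.subject.lower():
        findings.append("subject contains patient name")
    for label, pattern in PHI_PATTERNS.items():
        if pattern.search(msg.subject):
            findings.append(f"subject contains {label}")

    # 2. Recipient must be the address verified for this patient (wrong-recipient breaches).
    if msg.recipient.strip().lower() != patient["email"].lower():
        findings.append("recipient does not match patient's verified email")

    # 3. Mail leaving the firewall must be encrypted; internal mail relies on access controls.
    recipient_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if recipient_domain != INTERNAL_DOMAIN and not msg.encrypted:
        findings.append("external recipient without encryption")

    # 4. Written patient consent must be on file before PHI is emailed.
    if not msg.patient_consented:
        findings.append("no documented patient consent")

    return findings


if __name__ == "__main__":
    risky = OutboundEmail(
        sender="records@clinic.example",
        recipient="jane.doe@examp1e.com",       # typo: wrong recipient
        subject="Jane Doe - MRN 12345 lab results",
        patient_id="P-1001",
    )
    for finding in check_outbound_email(risky):
        print("BLOCKED:", finding)
```

The gate is deliberately conservative: a single finding blocks the message, and the subject-line checks run even when the body is encrypted, because encryption of the body does nothing for the headers. The directory lookup is what turns "confirm the recipient" from a human reminder into a verifiable control.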