Is it a HIPAA Violation to Email Patient Names?
It is not a HIPAA violation to email patient names provided emails do not contain patients’ health information, because patient names – when not maintained in the same record set as health information – are not protected by HIPAA.
However, when health information is included in an email, the issue of whether it is a HIPAA violation to email patient names depends on the circumstances.
HIPAA Email Rules
To answer the question “is it a HIPAA violation to email patient names?”, it is best to start by looking at when HIPAA compliance is necessary, because the answer depends on the circumstances. For example:
- Not all individuals and organizations in the possession of patients’ names are required to comply with HIPAA,
- Patient names are not protected by HIPAA when they are not maintained in the same record set as health information,
- There are many circumstances in which it is permitted to email patient names in compliance with HIPAA, and
- The adoption of a HIPAA compliant email service can mitigate the likelihood of a HIPAA violation when emailing patient names.
Who is Required to Comply with HIPAA?
Individuals and organizations required to comply with HIPAA include health plans, health care clearinghouses, and healthcare providers that electronically transmit individually identifiable health information in connection with a transaction for which the Secretary of Health and Human Services (HHS) has published standards in 45 CFR Part 162.
Collectively, these individuals and organizations are known as HIPAA covered entities.
If a healthcare provider does not electronically transmit health information in connection with a Part 162 transaction, they are not required to comply with HIPAA unless they provide a service to or on behalf of a covered entity as a business associate.
In such circumstances, they would be required to comply with the HIPAA Security Rule, the applicable Privacy and Breach Notification standards, and any additional requirements stipulated in a Business Associate Agreement.
If a healthcare provider does not qualify as a covered entity or business associate, it would not be a HIPAA violation to email patient names because the healthcare provider is not required to comply with HIPAA.
However, depending on the circumstances in which patient names are emailed, the healthcare provider could be in violation of state privacy legislation – which often exempts covered entities and/or information that qualifies as Protected Health Information.
What Information Qualifies as Protected Health Information?
One of the reasons for potential confusion over the HIPAA name rules is that patient names – when received, maintained, or transmitted by a covered entity or business associate – are sometimes protected by HIPAA and sometimes not. The difference depends on whether names are received, maintained, or transmitted in a “designated record set” that includes information relating to a patient’s condition, treatment for the condition, or payment for the treatment.
All individually identifiable health information that relates to a patient’s condition, treatment for the condition, or payment for the condition qualifies as Protected Health Information (PHI) under HIPAA. PHI is maintained in designated record sets and is protected by the standards of the HIPAA Privacy and Security Rules. Any individually identifiable non-health information included in a designated record set with PHI assumes the same privacy and security protections as the PHI.
In the context of the question “is it a HIPAA violation to email patient names?”, the answer is “no” if the non-health information – in this case, patient names – is maintained in a separate database from health information (e.g., for marketing purposes), and “possibly” if the non-health information is maintained in a designated record set with PHI. Some possible circumstances in which it may be a HIPAA violation to email patient names are discussed later in this article.
When is it Permitted to Email Patient Names?
When they qualify as PHI, patient names can permissibly be emailed by covered entities and business associates for treatment, payment, and healthcare operations. They can also be emailed to HHS’ Office for Civil Rights for any purpose, to the Centers for Medicare and Medicaid Services to help detect health care fraud and abuse, to a family member to notify them of a patient’s condition or death, or for any disclosure required by law under §164.512.
In the above circumstances, whenever an email is sent beyond an organization’s firewall, it is necessary to use a HIPAA compliant email service to protect the confidentiality, integrity, and availability of PHI. Exceptions to this requirement exist only when a patient has given their consent for PHI to be sent to themselves or a family member via an unsecure channel of communication, or has provided a valid HIPAA authorization for the disclosure of PHI.
In nearly all circumstances when patient names qualify as PHI, it is important to be aware that the minimum necessary standard applies: disclosures must be limited to the minimum necessary PHI to achieve the purpose of the disclosure (e.g., a patient’s surname and initial, rather than surname and forename). The most common exception to the minimum necessary standard is when a patient exercises their right to receive a copy of their PHI via email under §164.524.
What is a HIPAA Compliant Email Service?
A HIPAA compliant email service is an email service that has the capabilities to support HIPAA compliance and mitigate the likelihood of a HIPAA violation. For example, a HIPAA compliant email service must include access controls to ensure only authorized users can send and receive emails containing PHI, audit controls that log alterations to – or deletions of – PHI, and encryption controls to prevent hackers deciphering PHI when illegally accessing a healthcare network.
In addition to encrypting data at rest, a HIPAA compliant email service must also encrypt data in transit between a sender and a recipient. There are several types of encryption for encrypting the connection between a sender and a recipient (to prevent “man-in-the-middle” attacks) or for encrypting the content of emails. Covered entities and business associates are advised to conduct a risk assessment to determine which type of encryption is most suitable for their requirements.
Not all HIPAA compliant email services are pre-configured to support HIPAA compliance. In some cases, it may be necessary to adjust settings to prevent PHI being disclosed by a compliant service to a connected non-compliant service (e.g., Gmail to Google Contacts), and to apply user permissions according to each member of the workforce’s access requirements. In other cases, it may be simpler to install a HIPAA compliant plug-in for an existing email service.
When is it a HIPAA Violation to Email Patient Names?
It is a HIPAA violation to email patient names when the sender of an email is a member of a covered entity’s or business associate’s workforce, when the patient names qualify as PHI (because the emails contain health information), when the email is sent for an impermissible purpose, and/or when the emails are sent outside an organization’s network without being encrypted – unless a patient has consented to or authorized an unsecure disclosure.
It is also a HIPAA violation to email patient names when a Business Associate Agreement has not been entered into with the vendor of a HIPAA compliant email service. A Business Associate Agreement is necessary – even when a vendor cannot access any PHI in an email because it is encrypted – because email services are considered to have “persistent access” to PHI. However, the most common reason for email-related HIPAA violations is human error.
HIPAA Violation Email Examples
- In November 2024, an employee of the Missouri Dept of Mental Health sent an unencrypted email containing the PHI of 537 individuals to the wrong recipients.
- In October 2024, a business associate of Regence Blue Cross Blue Shield emailed the PHI of 610 individuals to the wrong recipients.
- In July 2024, several employees of Aveanna Healthcare emailed the PHI of 10,482 individuals from their personal email accounts.
- In January 2024, an employee of Mount Vernon Dental Smiles, VA, sent an email containing the PHI of 1,074 patients to an unauthorized individual.
- In August 2023, an employee of AmeriBen, ID, sent an email to patients that contained the PHI of 74,884 individuals. The employee was retrained.
- In July 2023, an employee of Eastern Connecticut Health Network sent an email to multiple individuals without using the BCC function – exposing the PHI of 912 patients.
- HHS’ Office for Civil Rights Breach Report Archive records 34 similar HIPAA violation email examples in which the BCC function was not used.
- In May 2023, an employee of ReDiscover Mental Health, MO, sent an email containing the PHI of 877 individuals via an unencrypted email service.
- In March 2023, an employee of Yardley Dermatology Associates, PA, inadvertently attached a spreadsheet containing the PHI of 523 individuals to an email sent to four patients.
- In February 2023, an employee of White Bird Clinic, OR, emailed the PHI of 584 individuals to the wrong recipient in error.
- In January 2023, an employee of Minnesota Department of Human Services inadvertently emailed the billing statements of 4,307 individuals to an unauthorized individual.
In addition to the HIPAA violation email examples attributable to human error, there are many examples of employees impermissibly emailing PHI to personal addresses. In many cases, the thefts are identified before PHI can be misused to commit health care fraud or identity theft. But there are some cases in which the violations have been notified to HHS’ Office for Civil Rights, which has then referred the violations to the Department of Justice for criminal prosecution.
How to Prevent Violations of the HIPAA Email Rules
To prevent violations of the HIPAA email rules, it is important that covered entities and business associates understand when patient names qualify as PHI under HIPAA, under what circumstances patient names can be permissibly disclosed in emails – or are exempted from the HIPAA requirements – and what safeguards need to be implemented to ensure the confidentiality, integrity, and availability of PHI when patient names are sent in emails.
This information then has to be used to develop policies for disclosing patient names in emails and procedures for when exceptions to the policies apply – for example, when a patient exercises the right to receive a copy of their PHI via email. Members of the workforce then have to receive HIPAA training on the policies and procedures and be advised of the sanctions – including possible criminal sanctions – for violating the policies and procedures.
In addition to policy and procedures training, all members of the workforce must participate in a security awareness training program to mitigate the threat from phishing. Although many HIPAA compliant email services now include AI-powered anti-phishing capabilities, the speed at which the sophistication of phishing attacks is increasing can sometimes outpace advances in phishing detection. Human susceptibility still remains the hacker’s best friend!
Is it a Good Idea to Apply HIPAA Protections to all Patient Information?
It is not a good idea to apply HIPAA protections to all patient information because there may be times when members of the workforce who do not have the permission to access PHI need to access non-health information such as patient names and telephone numbers.
In such circumstances, staff with permission to access PHI may have to be stopped from working to help staff without the appropriate permissions, or passwords might be shared impermissibly.
However, it can be a good idea to ensure all email communications of patient information – whether protected by HIPAA or not – are received, maintained, or transmitted via a HIPAA compliant email service.
This not only has the advantage of not having to implement different policies and procedures depending on whether patient information is protected, but can also help covered entities comply with privacy legislation in states in which covered entities are not exempted.
Covered entities and business associates who would like to find out more about HIPAA compliant email services, HIPAA compliant plug-ins for existing email services, and the different types of encryption are advised to contact a range of vendors and request free trials whenever available. This will not only help identify the most suitable email services, but also give administrators experience in configuring the services to mitigate the risk of HIPAA violations.
Is It a HIPAA Violation to Email Patient Names FAQs
If a patient consents to receiving unencrypted emails, and then changes their mind, can they withdraw their consent?
If a patient consents to receiving unencrypted emails and then changes their mind, they can withdraw their consent. Under 45 CFR § 164.508 (“Uses and Disclosures for which an Authorization is Required”) a patient can withdraw their consent for any authorized disclosure at any time. The text of the HIPAA Privacy Rule states the patient must withdraw their consent in writing, and the patient should be made aware of this requirement (e.g., via a HIPAA Notice of Privacy Practices). A copy of the original authorization form and the notice of withdrawal must be kept for six years from the date consent is withdrawn.
What access controls need to be in place to prevent emails being opened by unauthorized individuals?
The access controls that need to be in place to prevent emails being opened by unauthorized individuals may vary from organization to organization depending on what other mechanisms are in place to protect ePHI. Generally, devices used to access emails must have PIN-locking capabilities (or equivalent, e.g., biometric login) and automatic logoff. Thereafter, authorized individuals should be issued with a unique username and password to access the email account, or an alternate access control such as Single Sign On.
How do you send encrypted emails to a patient?
Most HIPAA compliant email services can be configured to send encrypted emails by default. However, if the email service used by the recipient of the email does not have the capabilities to decrypt the email, the email will either be returned to the sender or delivered to the recipient in an unencrypted format. It is important for covered entities and business associates to select with care which encryption protocols are used. Some (e.g., S/MIME) encrypt the content of the email rather than the connection between sender and recipient (e.g., TLS). This can mean anti-virus and anti-phishing solutions are unable to decipher the content of an email to identify threats.
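The distinction in the answer above (content encryption such as S/MIME versus transport encryption such as TLS) is visible in the stored message itself, which is what a gateway scanner or a compliance reviewer works from. The following is an added example written for this page, not code from HIPAA Journal or from any email vendor. It uses only the Python standard library: the MIME structure tells you whether the body is S/MIME or OpenPGP encrypted, and the most recent Received header (the “with ESMTPS” keyword from RFC 3848) tells you whether the last hop used TLS. The hostnames, addresses and message bodies are constructed samples, and the S/MIME and PGP bodies are placeholders rather than real ciphertext.

```python
"""Classify how a stored email's content was protected: content encryption vs transport TLS.

Added example, not HIPAA Journal's code. Standard library only. Hosts, addresses
and bodies below are constructed for the example.
"""
import re
from email import message_from_string
from email.policy import default

# RFC 3848 "with" keywords that record a TLS-protected SMTP session on a hop;
# the optional UTF8 prefix covers the SMTPUTF8 variants from RFC 6531.
_TLS_HOP = re.compile(r"\bwith (?:UTF8)?E?SMTPSA?\b")


def content_encryption(raw_message: str) -> str:
    """Return 'smime', 'pgp' or 'none' depending on how the body is encrypted.

    'smime': S/MIME enveloped data (application/pkcs7-mime, smime-type=enveloped-data)
    'pgp':   OpenPGP/MIME (multipart/encrypted, protocol application/pgp-encrypted, RFC 3156)
    'none':  the body is readable by anyone who holds the message
    """
    msg = message_from_string(raw_message, policy=default)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if msg.get_param("smime-type") == "enveloped-data":
            return "smime"
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp"
    return "none"


def last_hop_used_tls(raw_message: str) -> bool:
    """True if the most recent Received header records a TLS-protected SMTP session.

    Only the last hop is checked: earlier relays write their own Received lines,
    and any relay can write whatever it likes, so treat this as evidence, not proof.
    """
    msg = message_from_string(raw_message, policy=default)
    received = msg.get_all("Received", [])
    if not received:
        return False
    return _TLS_HOP.search(str(received[0])) is not None  # first header = newest hop


def protection_summary(raw_message: str) -> dict:
    """Combine both views. A content-encrypted body cannot be scanned for threats at the gateway."""
    enc = content_encryption(raw_message)
    return {
        "content_encryption": enc,
        "last_hop_tls": last_hop_used_tls(raw_message),
        "gateway_can_scan_content": enc == "none",
    }


# Constructed samples (hostnames, addresses and ids are invented for the example).
PLAIN_OVER_TLS = """Received: from mail.patient-mail.test (mail.patient-mail.test [192.0.2.10])
\tby mx.example-clinic.test (Postfix) with ESMTPS id 4ExampleId
\tfor <records@example-clinic.test>; Mon, 3 Mar 2025 10:00:00 +0000
From: patient@patient-mail.test
To: records@example-clinic.test
Subject: Appointment follow-up
Content-Type: text/plain; charset=utf-8

Please send the test results from my visit on 27 February.
"""

SMIME_ENVELOPED = """From: records@example-clinic.test
To: patient@patient-mail.test
Subject: Your results
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxAAAAAAAAAAAAAAAAAA==
"""

PGP_MIME = """From: records@example-clinic.test
To: patient@patient-mail.test
Subject: Your results
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

if __name__ == "__main__":
    for label, sample in [("plain/TLS", PLAIN_OVER_TLS), ("S/MIME", SMIME_ENVELOPED), ("PGP/MIME", PGP_MIME)]:
        print(label, protection_summary(sample))
```

The practical use is as a policy check over a mail archive or at a gateway: a message that reports `content_encryption == "none"` and `last_hop_tls == False` arrived with no protection at all, while one reporting `"smime"` or `"pgp"` was protected end to end but, as the answer above notes, could not have been inspected by anti-virus or anti-phishing filters in transit, so the risk assessment has to account for that trade-off.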
Is it safer to send ePHI as an attached password protected document?
It can be safer to send ePHI as an attached password protected document. However, this process is not 100% secure. If the email is intercepted or the mail server is compromised, simple passwords can be cracked within seconds by brute force algorithms. When you send an attached password protected document, you will also have to send the password to the recipient of the email using an alternate communication channel for security.
How do you use a service such as Google Drive to email patient names securely?
To use a service such as Google Drive to email patient names securely, there are several steps you need to take. These include subscribing to a Google Workspace account that supports HIPAA compliance, agreeing to the terms of Google’s Business Associate Addendum, and configuring the service to disable third party apps, add-ons, and offline storage. (You will find all the necessary steps in this article). Although it is not necessary for the recipient to have a Google account to open a document sent from Google Drive, the service is more secure if they have one.
Can HIPAA information be emailed?
The issue of whether HIPAA information can be emailed is complicated. It can depend on what mechanisms are in place to protect the content of the email, who is sending the email, who it is being sent to, the content of the email, and whether the subject of the HIPAA information has provided their written authorization for unsecured PHI to be communicated by email.
What is the most common HIPAA violation email example?
The most common HIPAA violation email example recorded by HHS’ Breach Report is the failure to blind copy recipients when sending bulk healthcare-related email. In such cases, it does not matter what the content of the email is. The fact that each recipient can identify who else has received an email from the healthcare provider – which implies a past, present, or future treatment relationship between healthcare provider and each individual – is an impermissible disclosure of PHI.
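The failure described in this answer, and in the Eastern Connecticut Health Network and similar breach examples earlier in the article, is mechanical enough to catch before a message leaves the organization. The following is an added example written for this page, not code from HIPAA Journal or any email vendor: a standard-library Python check that parses outbound messages and flags bulk mail in which two or more external recipients can see each other in To: or Cc:. It goes slightly beyond the single case in the text by also totalling the distinct individuals exposed across a batch, which is the figure a breach report needs. The organization domain `example-clinic.test`, the threshold of two mutually visible external addresses, and every address and message below are assumptions constructed for the example.

```python
"""Detect the 'forgot to BCC' disclosure described in the article's breach examples.

Added example, not HIPAA Journal's code. Standard library only. The organization
domain and all addresses below are constructed for the example.
"""
from email import message_from_string
from email.policy import default

# Assumption: the covered entity's own mail domain. Colleagues on a visible
# To: line are not a disclosure to outsiders, so they are not counted.
ORG_DOMAIN = "example-clinic.test"


def visible_external_recipients(raw_message: str) -> list[str]:
    """Addresses exposed to every recipient: those in To: and Cc: (never Bcc:)."""
    msg = message_from_string(raw_message, policy=default)
    exposed = []
    for header in ("To", "Cc"):
        for hdr in msg.get_all(header, []):
            for address in hdr.addresses:  # .addresses flattens any address groups
                addr = address.addr_spec.lower()
                if addr and not addr.endswith("@" + ORG_DOMAIN):
                    exposed.append(addr)
    return exposed


def check_message(raw_message: str, threshold: int = 2) -> dict:
    """Flag a message when at least `threshold` external addresses are mutually visible.

    Seeing the other recipients of a provider's email implies each of them has a
    treatment relationship with the provider, which is what makes the list PHI.
    """
    exposed = visible_external_recipients(raw_message)
    return {
        "violation": len(exposed) >= threshold,
        "exposed_count": len(exposed),
        "exposed": exposed,
    }


def individuals_affected(raw_messages: list[str]) -> int:
    """Distinct external individuals exposed across a batch (the breach-report count)."""
    affected = set()
    for raw in raw_messages:
        result = check_message(raw)
        if result["violation"]:
            affected.update(result["exposed"])
    return len(affected)


# Constructed samples.
BAD_BULK = """From: reminders@example-clinic.test
To: alice@mail.test, bob@mail.test, carol@mail.test
Cc: frontdesk@example-clinic.test
Subject: Flu vaccination clinic dates
Content-Type: text/plain; charset=utf-8

Our flu vaccination clinic runs every Tuesday in October.
"""

GOOD_BULK = """From: reminders@example-clinic.test
To: reminders@example-clinic.test
Bcc: alice@mail.test, bob@mail.test, carol@mail.test
Subject: Flu vaccination clinic dates
Content-Type: text/plain; charset=utf-8

Our flu vaccination clinic runs every Tuesday in October.
"""

ONE_TO_ONE = """From: records@example-clinic.test
To: dave@mail.test
Subject: Your appointment
Content-Type: text/plain; charset=utf-8

Your appointment is confirmed.
"""

if __name__ == "__main__":
    for label, sample in [("bad", BAD_BULK), ("good", GOOD_BULK), ("one-to-one", ONE_TO_ONE)]:
        print(label, check_message(sample))
    print("individuals affected:", individuals_affected([BAD_BULK, GOOD_BULK, ONE_TO_ONE]))
```

The check has to run on the message as submitted by the user, because the submission server strips the Bcc: header before the message is transmitted; a gateway that only sees the delivered copy would have nothing to compare against. Note that the body content is irrelevant to the decision, exactly as the answer above says: the visible recipient list is the disclosure.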
What are the HIPAA email rules?
There are no specific HIPAA email rules in the HIPAA Administrative Simplification Regulations other than that it is permissible to send an electronic copy of a HIPAA Notice of Privacy Practices to individuals if it is not practical to give individuals a paper copy (e.g., when an individual joins a group health plan). The HIPAA Rules that govern emails are the same as apply to any communication of PHI in the HIPAA Privacy and Security Rules – and, by association, in the Breach Notification Rule.
Is a first name PHI in the context of HIPAA name rules?
A first name can be PHI in the context of HIPAA name rules if it is maintained or transmitted with individually identifiable health information. With regard to whether it is a HIPAA violation to email patient names, it can be a violation if there are no safeguards in place to limit the risk of a data breach to a reasonable and appropriate level, or if the patient has not given their consent to receive emails from the sender after having been warned of the risks.
Why is it necessary to enter into a Business Associate Agreement before sending patient information via email?
It is necessary to enter into a Business Associate Agreement before sending patient information by email because, even if emails are encrypted, email service providers have what is known as “persistent access” to ePHI. Most email service providers are happy to enter into a Business Associate Agreement provided the covered entity or business associate subscribes to a business plan (e.g., a business Google Workspace plan rather than the consumer Gmail service).
What training should be provided about HIPAA compliance email rules?
The training that should be provided about HIPAA compliance email rules will depend on each entity’s privacy and security policies. However, the basics include explaining what PHI is, permissible uses and disclosures, why it is important not to share unique identifiers (e.g., passwords), and limiting the content of emails to the minimum necessary to achieve the purpose of the email.
All members of the workforce are required to participate in HIPAA security awareness training. This training should cover topics such as double-checking who an email is sent to, ensuring individuals have given their consent to receive emails containing PHI, and raising awareness about phishing – especially what to do if members of the workforce disclose login credentials.
Is it a HIPAA violation to email medical records?
It is not a HIPAA violation to email medical records provided the communication is permitted by the HIPAA Privacy Rule, that safeguards are in place to comply with the HIPAA Security Rule, and – if emailing medical records to a patient – that the patient has consented to receiving PHI by email. In such cases, PHI in the email must be limited to the minimum necessary to achieve the purpose of the email and care must be taken to ensure it is sent to the correct recipient(s).
Is a patient’s name protected under HIPAA?
A patient’s name is protected under HIPAA whenever it is maintained or transmitted with individually identifiable health information in the same designated record set. If maintained in a database that does not contain individually identifiable health information (“health” emphasized for effect), the patient’s name is not protected.
Is disclosing a patient’s name a HIPAA violation?
Disclosing a patient’s name can be a HIPAA violation if the name is disclosed for an impermissible purpose by a member of a covered entity’s workforce and the disclosure includes individually identifiable health information or implies a past, present, or future treatment relationship. However, if the disclosure is permitted, if it is made by somebody other than a member of a covered entity’s workforce, or if the disclosure does not reveal PHI (actual or implied) it is not a violation of HIPAA.
Does HIPAA allow email?
HIPAA allows email provided that – if PHI is disclosed in the email – safeguards are deployed to ensure the confidentiality, integrity, and availability of the PHI, the email relates to a permissible disclosure of PHI, and – if the recipient of the email is a plan member or patient – consent has been obtained to send PHI by email. If PHI is not disclosed in the email, HIPAA does not apply.