Are Email Addresses Protected by HIPAA?
Email addresses are protected by HIPAA when they are maintained by or on behalf of a HIPAA covered entity in designated record sets containing individually identifiable health information and the email addresses could identify – or be used to identify – the subject of the individually identifiable health information. However, there are many scenarios in which email addresses are not protected by HIPAA.
To understand when email addresses are protected by HIPAA, it is important to understand what is considered Protected Health Information (PHI) under HIPAA. This is because, by default, HIPAA only protects individually identifiable health information relating to an individual’s health condition, treatment for the health condition, and payment for the treatment. Information of this nature is maintained in one or more designated record sets by a HIPAA covered entity.
Any other information that could identify – or be used to identify – the subject of the health, treatment, or payment information assumes the same protected status as individually identifiable health information when it is maintained in the same designated record set. Therefore, email addresses maintained in the same designated record set are protected by HIPAA when they could identify the subject of individually identifiable health information.
Are Email Addresses Protected by HIPAA In Other Scenarios?
Whether email addresses are protected by HIPAA in other scenarios is a fact-specific determination. For example, if an individual’s email address is maintained both in a designated record set and in a marketing database (that does not contain health, treatment, or payment information), the email address is protected by HIPAA in the designated record set, but not by HIPAA in the marketing database – where it is likely protected by state data security regulations.
If email addresses of family members and friends are maintained in an individual’s designated record set, the determination depends on whether the individual could be identified by an email address of – for example – a parent who has the same surname or a friend with a common surname. It may also be relevant whether the email address of a family member or friend reveals the relationship with the subject of the individually identifiable health information.
With regards to email addresses belonging to other entities, an employer’s email address in an individual’s designated record set would likely be protected by HIPAA if the individual could be identified by the employer’s email address. However, an email address would be less likely to identify the individual if it were for a state’s Department of Health Care Services or Department of Social Services – in which case the email addresses would not be protected by HIPAA.
The Complexity of Email Address Protection in Email Metadata
The most complex determination relating to email addresses protected by HIPAA is when an email containing individually identifiable health information is sent to the subject of the information. In this scenario, whether the individual’s email address in the “to” field of the email is protected by HIPAA depends on what is written in the subject line – assuming the body of the email is encrypted to protect the security of individually identifiable health information.
The “to” field of an email and the subject line of an email form part of the email’s metadata. The metadata is necessary for routing the email to the recipient’s address and for the recipient’s email filter to check for spam and malware. For this reason, email metadata is not usually encrypted, as encrypting it can result in delays to the delivery of the email and/or the email being rejected, deleted, or delivered to a junk folder, depending on how the recipient’s email filter is configured.
If the subject line contains health, treatment, or payment information, or implies a treatment relationship, the recipient’s email address in the “to” field is protected by HIPAA because the email’s metadata constitutes a designated record set. If the subject line is neutral (i.e., “test result” rather than “blood test result”), the recipient’s email address in the “to” field is not protected by HIPAA because the metadata does not constitute a designated record set.
Patients’ Rights to Waive HIPAA Protection for Email Addresses
To further complicate the issue of when email addresses are protected by HIPAA, patients have the right to waive HIPAA protection for email addresses. They can exercise this right by requesting confidential communications in which email addresses are transmitted over non-secure channels of communication, or by authorizing the disclosure of individually identifiable health information – including accompanying identifiers such as email addresses – to a third party.
Patients can also waive HIPAA protection for email addresses when they initiate an exchange of emails with their healthcare provider. According to guidance published by the Department of Health and Human Services (HHS), providers can assume email communications are acceptable to the patient, but are advised (not required) to warn patients of the risks of using unencrypted email and let the patient decide whether to continue with an exchange of unencrypted email.
Because of the many scenarios in which email addresses may or may not have HIPAA protection, HIPAA covered entities are advised to develop policies that clarify when email addresses are, and are not, protected by HIPAA. These policies should be explained to workforce members during HIPAA training to prevent avoidable HIPAA violations and unjustified privacy complaints being submitted to HHS’ Office for Civil Rights.