Is it a HIPAA Violation to Email Patient Names?
We have been asked whether it is a HIPAA violation to email patient names and other protected health information. In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information.
Is it a HIPAA Violation to Email Patient Names?
Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule.
HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.
It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and viewed.
Patient names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.
Must all Emails Containing PHI be Encrypted?
HIPAA does not require the use of encryption. Encryption is only an addressable implementation specification. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place.
In the case of internal emails, it would not be necessary for messages containing ePHI to be encrypted provided the messages are only sent via an internal email system and do not leave the protection of a firewall. Access controls would also need to be in place to prevent messages from being opened by individuals not authorized to receive the information.
If emails containing PHI are sent outside the protection of an internal network there is considerable potential for PHI to be viewed by unauthorized individuals. This is not a problem when emailing patients, provided consent to use email to send PHI has been obtained from the patient in advance. The patient must have been made aware of the risks of sending PHI via unencrypted email and must have given authorization to use such a potentially insecure method of communication.
Emailing ePHI to all other individuals using unencrypted email is a risky strategy. While HIPAA encryption requirements are somewhat vague, in the event of a HIPAA audit or data breach investigation, it would be hard to argue that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.
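The three operational points above (no PHI in subject lines, correct addressing to authorized recipients only, and documented patient consent before PHI goes out unencrypted) can be enforced by a pre-send check at the mail gateway. The following is an added example written for this page, not code from the article or from any product it mentions. It assumes a hypothetical internal mail domain (clinic.example), a constructed record-number format (MRN followed by six or more digits), and constructed patient names and addresses; a real deployment would read the roster and consent records from the organization's own systems.

```python
"""Pre-send PHI checks for outgoing email (added example, not from the article).

Flags a message when:
  * the subject line contains a patient name or medical record number,
  * a recipient is neither internal, a patient with consent on file,
    nor an authorized external party,
  * PHI would leave the internal network unencrypted without consent.
Every name, address and record number below is a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

INTERNAL_DOMAIN = "clinic.example"  # assumption: the covered entity's own mail domain
# Assumption: record numbers look like "MRN 0012345" (six or more digits).
MRN_PATTERN = re.compile(r"\bMRN[-:\s]*\d{6,}\b", re.IGNORECASE)


@dataclass
class OutgoingEmail:
    sender: str
    recipients: List[str]
    subject: str
    encrypted: bool = False  # True when the gateway will deliver the message encrypted


@dataclass
class PhiPolicy:
    patient_names: Set[str]             # roster entries as "First Last"
    patient_addresses: Dict[str, bool]  # patient email -> consent to unencrypted email on file
    authorized_external: Set[str]       # external parties cleared to receive PHI (encrypted)


def _name_regex(full_name: str) -> "re.Pattern[str]":
    """Match 'First Last', 'Last, First' and 'F. Last' forms, case-insensitively."""
    first, last = full_name.split(" ", 1)
    forms = [
        rf"{re.escape(first)}\s+{re.escape(last)}",
        rf"{re.escape(last)},\s*{re.escape(first)}",
        rf"{re.escape(first[0])}\.?\s+{re.escape(last)}",
    ]
    return re.compile(r"\b(?:" + "|".join(forms) + r")\b", re.IGNORECASE)


def subject_findings(subject: str, policy: PhiPolicy) -> List[str]:
    """Subject lines travel in headers, so they must carry no identifiers at all."""
    findings = []
    for name in sorted(policy.patient_names):
        if _name_regex(name).search(subject):
            findings.append(f"subject line contains patient name: {name}")
    if MRN_PATTERN.search(subject):
        findings.append("subject line contains a medical record number")
    return findings


def recipient_findings(mail: OutgoingEmail, policy: PhiPolicy) -> List[str]:
    """Check each recipient against the internal domain, consent records and authorization list."""
    findings = []
    for addr in mail.recipients:
        addr_l = addr.strip().lower()
        domain = addr_l.rsplit("@", 1)[-1]
        if domain == INTERNAL_DOMAIN:
            continue  # message stays inside the internal system
        if addr_l in policy.patient_addresses:
            if not policy.patient_addresses[addr_l] and not mail.encrypted:
                findings.append(f"patient {addr_l} has no consent on file for unencrypted email")
            continue
        if addr_l in policy.authorized_external:
            if not mail.encrypted:
                findings.append(f"external recipient {addr_l}: PHI must be sent encrypted")
            continue
        findings.append(f"recipient {addr_l} is not authorized to receive PHI")
    return findings


def check_outgoing(mail: OutgoingEmail, policy: PhiPolicy) -> List[str]:
    """Return an empty list if the message may be sent, otherwise the policy violations."""
    return subject_findings(mail.subject, policy) + recipient_findings(mail, policy)


# Constructed sample policy used by the demo below.
SAMPLE_POLICY = PhiPolicy(
    patient_names={"Jane Doe", "Carlos Ruiz"},
    patient_addresses={"jane.doe@example.com": True, "c.ruiz@example.com": False},
    authorized_external={"billing@ba-partner.example"},
)

if __name__ == "__main__":
    samples = [
        OutgoingEmail("dr@clinic.example", ["nurse@clinic.example"], "Re: Jane Doe lab results"),
        OutgoingEmail("dr@clinic.example", ["jane.doe@example.com"], "Your results are ready"),
        OutgoingEmail("dr@clinic.example", ["c.ruiz@example.com"], "Your results are ready"),
        OutgoingEmail("dr@clinic.example", ["someone@mail.example"], "Follow-up for MRN 0012345"),
    ]
    for m in samples:
        print(m.recipients, m.subject, "->", check_outgoing(m, SAMPLE_POLICY) or "OK to send")
```

Running the module prints one line per constructed message: the first is blocked for the name in its subject, the second passes because the patient's consent is on file, the third is blocked for missing consent, and the fourth is blocked both for the record number in the subject and for the unauthorized recipient.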
Emailing Patient Names FAQs
If a patient consents to receiving unencrypted emails, and then changes their mind, can they withdraw their consent?
Under 45 CFR § 164.508 (“Uses and Disclosures for which an Authorization is Required”) a patient can withdraw their consent for any authorized disclosure at any time. The text of the Privacy Rule states the patient must withdraw their consent in writing, and the patient should be made aware of this requirement (i.e., via a Notice of Privacy Practices). A copy of the original authorization form and the notice of withdrawal must be kept for six years from the date consent is withdrawn.
What access controls need to be in place to prevent emails being opened by unauthorized individuals?
Access controls may vary from organization to organization depending on what other mechanisms are in place to protect ePHI. Generally, the device used to access emails must have PIN-locking capabilities (or equivalent, e.g., biometric login) and automatic logoff. Thereafter, authorized individuals should be issued with a unique username and password to access the email account, or an alternate access control such as Single Sign-On.
How do you send encrypted emails to a patient?
Most email services can be configured to send encrypted emails (including Outlook, Google, Yahoo, etc.). However, if the recipient of the email does not have the technical ability to decrypt the email or has an email filter configured to reject encrypted emails (because the filter cannot read the content of the email), sending an encrypted email to a patient will be a waste of time because it will either sit unopened in their inbox indefinitely or be returned by the email filter.
Is it safer to send ePHI as an attached password protected document?
While sending ePHI as an attached password protected document is safer than sending ePHI in the body of an unencrypted email, it is not 100% secure. If the email is intercepted or the mail server is compromised, simple passwords can be cracked within seconds by brute force algorithms. Furthermore, you will also have to send the password to the recipient of the email using an alternate communication channel for security.
How do you use a service such as Google Drive to email patient names securely?
There are several steps you need to take to use a service such as Google Drive in compliance with HIPAA. These include signing a Business Associate Agreement with Google and configuring the service to disable third-party apps, add-ons, and offline storage. (You will find all the necessary steps in this article). Although it is not necessary for the recipient to have a Google account to open a document in Google Drive, the service is more secure if they have one.