Yes. Email addresses are protected under HIPAA: the Privacy Rule lists them among the identifiers that must be removed before health information can be treated as de-identified.
The HHS summarizes the rule this way: "The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information."
Protected Health Information (PHI) under HIPAA is any individually identifiable health information that is created, received, used, or disclosed in the course of providing or paying for healthcare. It covers a wide range of personal identifiers that, alone or in combination, could reveal who the individual is.
HIPAA's Privacy Rule, codified in the regulations at 45 CFR Parts 160 and 164 (not in the text of the Act itself), sets standards for the protection of PHI held by covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as by their business associates.
The identifiers, of which there are 18, are found within 45 CFR § 164.514(b)(2)(i).
The Safe Harbor list in 45 CFR § 164.514(b)(2)(i) reads, in part: "(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses…"
Yes, email addresses are PHI under HIPAA whenever they are held together with health information about an identifiable individual. Under the Privacy Rule's Safe Harbor de-identification method (45 CFR § 164.514(b)(2)), every email address must be removed from the record before it can be treated as de-identified; the alternative, Expert Determination, requires a qualified expert to document that the re-identification risk is very small.
This requirement exists because an email address is a direct link to an individual's identity, particularly when combined with other health-related information. Removing email addresses along with the other listed identifiers, such as names and Social Security numbers, is necessary but not sufficient: Safe Harbor also requires that the covered entity has no actual knowledge that the remaining information could identify the individual. Only then is the information de-identified and no longer PHI.
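The Safe Harbor rules quoted above are mechanical enough to apply in code. The following Python is an added example, not code from the article or from HHS: it drops the direct identifiers the page discusses (name, email, phone, fax, SSN), reduces patient-related dates to the year, aggregates ages over 89 into "90+", and scrubs email addresses and phone numbers out of free-text notes. The field names, regular expressions and sample records are constructed for illustration and are not real patient data.

```python
"""Added example: applying HIPAA Safe Harbor de-identification rules
(45 CFR 164.514(b)(2)(i)) to a structured record. Field names, regexes and
sample data are assumptions made for this illustration, not HHS guidance."""
import re
from datetime import date

# Identifiers discussed on the page that must be removed outright.
# The full Safe Harbor list has 18 entries; only these are handled here.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "fax", "ssn"}
# Dates directly related to the individual: keep only the year (element C).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Heuristic patterns for scrubbing free text; they are not exhaustive.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")


def age_on(as_of: date, birth: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and phone/fax numbers found in free text."""
    text = EMAIL_RE.sub("[EMAIL REMOVED]", text)
    return PHONE_RE.sub("[PHONE REMOVED]", text)


def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed/reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = str(value.year)    # year only, per element (C)
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value

    # Ages over 89, and any date element revealing such an age, must be
    # aggregated into a single "90 or older" category (element C).
    birth = record.get("birth_date")
    if isinstance(birth, date):
        years = age_on(as_of, birth)
        if years > 89:
            out["age"] = "90+"
            out.pop("birth_date", None)   # even the birth year reveals age > 89
        else:
            out["age"] = years
    return out


# Constructed sample records (fictional people, not real patient data).
SAMPLE_RECORDS = {
    "elderly": {
        "name": "Jane Doe",
        "email": "jane.doe@example.com",
        "phone": "555-867-5309",
        "birth_date": date(1931, 5, 4),
        "admission_date": date(2023, 3, 14),
        "discharge_date": date(2023, 3, 20),
        "diagnosis": "Type 2 diabetes",
        "notes": "Follow-up via jane.doe@example.com or 555-867-5309.",
    },
    "adult": {
        "name": "John Roe",
        "fax": "(555) 123-4567",
        "birth_date": date(1980, 9, 10),
        "admission_date": date(2023, 7, 1),
        "diagnosis": "Fractured wrist",
        "notes": "No complications.",
    },
}


def deidentify_sample(key: str, as_of_year: int = 2024) -> dict:
    """Convenience wrapper: de-identify one sample record as of Jan 1 of a year."""
    return safe_harbor_deidentify(SAMPLE_RECORDS[key], date(as_of_year, 1, 1))


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, deidentify_sample(name))
```

Two caveats a practitioner should keep in mind: regex scrubbing of free text is a best-effort control (it will miss obfuscated addresses and may over-match numeric lab values), and Safe Harbor additionally requires that the covered entity has no actual knowledge that the remaining data could identify the patient, which no script can assert on its own.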
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides data privacy and security provisions for safeguarding medical information.
Email addresses are protected because they identify an individual and, when they appear in a medical record or are used to communicate about healthcare services, can reveal that person's health information.
A business associate agreement (BAA) is the contract HIPAA requires between a covered entity and any vendor (a business associate) that creates, receives, maintains, or transmits PHI on its behalf; an email provider that handles patient email addresses and messages about care is such a vendor and must sign one.