Healthcare organizations must ensure HIPAA compliance when emailing invoices to vendors if those invoices contain protected health information (PHI). To do this, they should use HIPAA compliant email services with encryption, limit the inclusion of PHI to the minimum necessary, and secure sensitive attachments with passwords.
HIPAA applies whenever PHI is involved in a communication. HHS defines PHI as "all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral."
HIPAA regulations apply if an invoice contains identifiable patient details, such as a patient’s name, treatment type, or service date.
For example, a basic invoice for office supplies may not involve HIPAA. However, when sending a billing statement to a medical service vendor that includes patient names or treatment descriptions, you must treat it as sensitive under HIPAA.
Before emailing an invoice, determine whether it contains PHI. If it includes patient details such as names, treatment descriptions, or other identifying information, treat the whole invoice as PHI and handle it accordingly. Wherever possible, keep PHI out of invoices altogether and refer to patients with unique codes or identifiers that do not disclose who they are.
If you must send PHI in an invoice, use a HIPAA compliant email service. A standard consumer email account is not enough: transport encryption is typically only opportunistic (the message falls back to plaintext if the receiving server does not negotiate TLS), you have no control over how the message is stored once delivered, and the provider will not sign a BAA. A HIPAA compliant email service encrypts the message and its attachments so that they cannot be read by unauthorized parties while in transit.
Ensure the email provider signs a business associate agreement (BAA) with your organization. The BAA sets out how the provider will protect PHI and how it will notify you in the event of a breach. Sending PHI through a provider that has not signed a BAA is itself an impermissible disclosure under HIPAA, whether or not a breach ever occurs, and your organization is the party liable for it.
A HIPAA compliant email service encrypts message content and attachments, so that an intercepted message is unreadable without the decryption key. When an attachment containing PHI needs its own protection, use a format whose password protection is real encryption (for example a PDF or archive encrypted with AES-256, not legacy ZIP password protection, which is weak), generate a long random password, and share it through a separate channel such as a phone call or secure message, never in the same email or thread.
Apply the “minimum necessary” standard: include only the information the vendor needs to process the invoice. Leave out patient names, diagnoses, and treatment descriptions unless billing genuinely requires them, and use billing codes or pseudonymous references in their place.
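As an added example (not code from the original page), here is how the two points above, stripping identifying details from invoices and referring to patients by codes that do not disclose their identity, can be enforced before an invoice is generated. It uses only the Python standard library. The field names, the allow-list of billing fields, the demo key, and the sample invoice lines are all constructed for illustration and are assumptions, not a standard.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the key lives in your secrets manager,
# is never emailed, and is the only thing that links a reference back to a patient.
PSEUDONYM_KEY = bytes.fromhex(
    "5f8e1c0b3a9d7e6f2b4c1d0e9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b"
)

# Fields treated as identifying patient details (assumed field names): strip all of these.
PHI_FIELDS = {
    "patient_name", "patient_dob", "mrn", "address", "phone",
    "diagnosis", "treatment_description", "service_date",
}

# Allow-list of what the vendor needs to process payment (assumption for this example).
BILLING_FIELDS = ("invoice_no", "cpt_code", "units", "amount")


def pseudonymous_reference(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym for a patient identifier.

    HMAC-SHA256 rather than a bare hash: a medical record number has little entropy,
    so an unkeyed hash could be reversed by hashing every plausible MRN. With the key
    held only by the covered entity, the vendor sees a stable code per patient and
    nothing else.
    """
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "REF-" + digest[:16].upper()


def minimize_line(line: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Apply the minimum-necessary rule to one invoice line.

    Copies only allow-listed billing fields and replaces the patient identity with a
    pseudonymous reference. Anything not on the allow-list is dropped, so a newly
    added PHI column in the billing system cannot leak by default.
    """
    out = {field: line[field] for field in BILLING_FIELDS if field in line}
    out["patient_ref"] = pseudonymous_reference(line["mrn"], key)
    return out


def phi_fields_present(record: dict) -> list:
    """Names of PHI fields still present in a record; an empty list means safe to send."""
    return sorted(set(record) & PHI_FIELDS)


def build_outgoing_invoice(lines: list, key: bytes = PSEUDONYM_KEY) -> str:
    """Minimize every line and refuse to produce output if any PHI survived."""
    minimized = [minimize_line(line, key) for line in lines]
    leaked = [phi_fields_present(m) for m in minimized if phi_fields_present(m)]
    if leaked:
        raise ValueError(f"PHI present in outgoing invoice: {leaked}")
    return json.dumps(minimized, indent=2)


# Constructed sample invoice lines (fictional patients) as they sit in the billing system.
SAMPLE_LINES = [
    {"invoice_no": "INV-0001", "mrn": "MRN-12345", "patient_name": "Jane Doe",
     "patient_dob": "1980-01-01", "service_date": "2024-03-14",
     "treatment_description": "Physical therapy, lumbar", "cpt_code": "97110",
     "units": 2, "amount": 125.00},
    {"invoice_no": "INV-0001", "mrn": "MRN-12345", "patient_name": "Jane Doe",
     "patient_dob": "1980-01-01", "service_date": "2024-03-21",
     "treatment_description": "Physical therapy, lumbar", "cpt_code": "97110",
     "units": 2, "amount": 125.00},
    {"invoice_no": "INV-0001", "mrn": "MRN-67890", "patient_name": "John Roe",
     "patient_dob": "1975-06-30", "service_date": "2024-03-15",
     "treatment_description": "Office visit, hypertension", "cpt_code": "99213",
     "units": 1, "amount": 90.00},
]

if __name__ == "__main__":
    print(build_outgoing_invoice(SAMPLE_LINES))
```

The vendor receives the same `REF-…` code for every line belonging to one patient, so it can reconcile payments, while only the organization holding the key can map a code back to a record. Whether a field such as the service date can be dropped depends on what the vendor actually needs to process the invoice; adjust the allow-list to that, not to what is convenient to include.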
If your email service cannot meet these requirements, send invoices through another encrypted channel, such as a HIPAA compliant secure messaging platform, which has encryption and access controls built in and reduces the risk of unauthorized access.
If a vendor refuses to sign a BAA and they handle PHI, you should not share any PHI with them. Find an alternative vendor that is willing to comply with HIPAA requirements.
Review invoicing practices at least annually, and whenever regulations, internal policies, or vendors change, to confirm that they still comply with HIPAA.
Keep records of which emails contained PHI, who received them, and under which BAA, as part of your organization's documentation practices; these are the records you will need in an audit or when investigating an incident.