HIPAA email: What you need to know

HIPAA covered entities and their business associates must familiarize themselves with various HIPAA email facts to ensure the confidential handling of patient information. HIPAA email facts include frequently asked questions, misconceptions, and HIPAA compliant email communication guidelines. 

Frequently Asked Questions

1. Can I use email to communicate with patients about their health information?

Yes, you can use email for patient communication when you follow specific guidelines to ensure the privacy and security of sensitive health information. HIPAA mandates that all email communication containing protected health information (PHI) be secure. This means using a HIPAA compliant email service that encrypts messages during transmission and when stored.

2. Do I need patient consent before sending them PHI via email?

Absolutely, you must obtain patient consent before sending PHI via email. This consent should specify that the patient is agreeing to receive PHI via email and that they understand the risks involved. 

Related: How to obtain patient consent for email communication

3. What are the risks of sending PHI by email?

• Interception: Unauthorized individuals may intercept emails with PHI, potentially gaining access to sensitive patient information.
• Misdirected emails: Human errors happen, and emails may be accidentally sent to the wrong recipient. That can potentially disclose PHI to unauthorized individuals.
• Insecure storage: Emails containing PHI may be stored insecurely on email servers, devices, or cloud services, allowing unauthorized access to the information. 
  
  

4. How can I reduce the risks of sending PHI by email?

In addition to using a secure email service, there are several steps you can take to minimize the risks associated with sending PHI via email:

• Minimize PHI disclosure: Disclose the minimum necessary information for the intended purpose.
• Use strong passwords and access controls: Implement strong password policies for email accounts and ensure that only authorized individuals can access these accounts.
• Regularly scan for malware: Regularly scan email systems for malware and implement appropriate security measures to protect against cyberattacks.
  
  

Common misconceptions

1. HIPAA does not apply to email communication.

HIPAA regulations apply to all forms of communication that involve the transmission of PHI, whether through email, phone calls, or any other medium. 

2. HIPAA requires all emails containing PHI to be encrypted.

While encryption is highly recommended and a best practice for secure email communication, HIPAA doesn't mandate its use for all emails containing PHI. 

Read more: Do emails have to be encrypted for HIPAA compliance?

3. HIPAA is only for healthcare providers.

HIPAA covers a broader range of entities, including health plans and clearinghouses. Any organization or entity that handles PHI in the United States must comply with HIPAA regulations.

Read more: Who needs to be HIPAA compliant?

Guidelines for HIPAA compliant email communication

1. Use HIPAA compliant email services: Secure email services provide encryption and other security features to protect PHI during transmission and storage. 
2. Obtain patient consent: Obtain explicit consent, in writing or verbally, before sending emails with PHI. 
3. Verify recipient identity: Confirming the identity of the email recipient can be achieved by checking their email address against a directory of authorized recipients or verifying it through previous email correspondence.
4. Limit PHI disclosure: If it's necessary to disclose PHI, minimize the amount of information shared and use appropriate language to protect patient privacy. 
5. Train employees on HIPAA email security: Provide comprehensive training to all employees who handle PHI via email. 

Go Deeper: HIPAA compliant email: The definitive guide