Paubox blog: HIPAA compliant email made easy

Identifying PHI in emails

Written by Tshedimoso Makhene | October 03, 2024

Identifying protected health information (PHI) in an email helps maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA). To do this, healthcare providers must understand the various forms PHI can take and adopt the best practices for protection. 


What is protected health information (PHI)?

PHI is any information relating to health status and provision or payment for healthcare that can be linked to a specific individual. PHI can be found in various forms, including medical records, health insurance claims, and even conversations between healthcare providers and patients.

To be considered PHI, two elements must be present:

  • Health information: Information regarding an individual’s health status, diagnosis, treatment, or healthcare services.
  • Personal identifiers: Data that can be used to identify the individual the health information pertains to. 


18 identifiers of PHI

HIPAA defines 18 specific identifiers that, when associated with health information, classify it as PHI. These identifiers are critical in ensuring that sensitive information remains protected. They include: 

  1. Names (full names or last names and initials)
  2. Geographic data (address, city, county, ZIP code, etc.)
  3. Dates (birth date, admission date, discharge date, etc.)
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers (e.g., license plates)
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprints, voiceprints)
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code

Go deeper: What are the 18 PHI identifiers?


PHI in emails

“E-mail is now a primary method of correspondence in health care,” write Malka et al. Many providers use email to communicate with patients or other providers. However, email is also vulnerable to interception, unauthorized access, and breaches. According to Forbes cybersecurity statistics, “More than 94% of organizations reported email security incidents” in 2023. Without proper protection, PHI sent through email can fall into the wrong hands, leading to privacy violations, financial penalties, and loss of trust.

Related: Can you use email to transmit PHI?


How to identify PHI in emails

Identifying PHI in emails requires attention to detail, as PHI can appear in many different forms. Here are key areas to focus on when reviewing emails for PHI:


Personal identifiers

Personal identifiers are one component of PHI. If an email contains any of the 18 HIPAA-defined identifiers alongside health information, it qualifies as PHI. Even partial identifiers, like initials or truncated addresses, can still be considered PHI if they can be traced back to an individual.

Some examples include: 

  • A patient’s full name and diagnosis (e.g., "John Doe was diagnosed with diabetes.")
  • An insurance claim number with a medical condition (e.g., "Insurance claim #12345 for Mary Smith related to her recent heart surgery.")
  • An email address that clearly identifies a patient along with treatment information (e.g., "jane.doe@domain.com – Upcoming physical therapy appointment for back pain").


Health-related information

Any mention of a patient's condition, treatment plan, medication, or healthcare services provided qualifies as health-related information. Examples of health-related information in emails:

  • "Mr. Johnson has been prescribed insulin for his type 2 diabetes."
  • "Please find attached the MRI results for Sarah’s knee injury."
  • "Dr. Lee suggested physical therapy for the chronic shoulder pain."


Financial information related to healthcare

Emails discussing billing or payment details related to healthcare services also contain PHI: payment information, insurance claims, or any details about financial transactions tied to healthcare. Examples of financial information in emails:

  • "A payment of $500 has been received for the surgery performed on Jane Doe."
  • "The insurance claim #54321 for John's hospitalization was approved."
  • "Please send the invoice for the knee surgery to patient Mary Johnson."


Photographs and images

Emails that contain patient images, such as X-rays, photographs, or any media showing distinguishing characteristics (like tattoos or facial features), are also considered PHI. These images can reveal sensitive information if they can be linked to an individual. Examples include:

  • A photograph of a patient’s face with a medical condition.
  • An X-ray attached to an email with patient identifiers.
  • A video of a patient explaining their symptoms or condition.


IP addresses and web activity

Emails containing digital information such as IP addresses or web activity tied to healthcare services can also be classified as PHI. For instance, an email that records a patient’s access to a health portal can fall under PHI if it includes identifiers. Below is an example of web activity:

  • "The patient accessed their health records via the patient portal from IP address 192.168.0.1."


Best practices for handling PHI in emails

To ensure compliance with HIPAA and protect PHI in emails, healthcare providers and organizations must adopt best practices, which include:

  • Use secure email encryption: Encrypt emails that contain PHI to protect them from unauthorized access during transmission. Encryption ensures that even if an email is intercepted, the information remains unreadable without the appropriate decryption key.
  • Limit the use of PHI: Wherever possible, avoid including PHI in emails. Use de-identified information (removing or obscuring all personal identifiers) when communicating about patients via email. For instance, refer to patients by a unique ID number instead of their name.
  • Verify recipient information: Before sending an email containing PHI, double-check that the recipient's email address is correct to avoid sending sensitive information to the wrong person.
  • Obtain patient consent: Ensure that patients have provided explicit consent to receive PHI through email. Inform them about the risks of unsecured email and obtain written acknowledgment of their preference.
  • Monitor and train staff: Regularly train staff on HIPAA compliance and email security best practices. Set up monitoring systems to flag and review emails that may inadvertently contain PHI.
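The two-element test described under "How to identify PHI in emails" (an identifier plus health information) and the "limit the use of PHI" and "monitor" practices above can be made concrete as code. The following Python scanner is an added example, not Paubox's product or code from the original post. It uses constructed, deliberately simplified patterns for a few identifier classes (names, email addresses, SSNs, phone numbers, IP addresses and "#"-prefixed claim/record numbers) and a small health-term list drawn from the page's examples, flags a message only when both elements are present, and replaces identifiers with stable pseudonymous tokens, the way the page suggests referring to patients by an ID instead of a name. All sample messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately simplified patterns for a few of the 18 identifier classes.
# A production DLP rule set would use validated formats and name dictionaries; these
# heuristics exist only to make the "identifier + health information" test concrete.
IDENTIFIER_PATTERNS = {
    "name": re.compile(
        r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+\b"   # title + surname, e.g. "Mr. Johnson"
        r"|\b[A-Z][a-z]+\s+[A-Z][a-z]+\b"          # two capitalised words, e.g. "Mary Smith"
    ),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "record_number": re.compile(r"#\s?\d{4,}\b"),  # claim/account/MRN written as "#12345"
}

# Health-related vocabulary (constructed, drawn from the page's own examples).
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos\w*|diabetes|surgery|therap\w*|prescri\w*|insulin|MRI|x-ray|"
    r"hospitali\w*|treatment|injur\w*|appointment|health records?|symptoms?|medications?)\b",
    re.IGNORECASE,
)


@dataclass
class ScanResult:
    identifiers: list   # (category, matched text) pairs
    health_terms: list  # matched health-related words

    @property
    def is_phi(self) -> bool:
        # HIPAA's two-element test: health information AND something that identifies the person.
        return bool(self.identifiers) and bool(self.health_terms)


def scan_email(text: str) -> ScanResult:
    """Flag an email body that pairs a personal identifier with health-related content."""
    identifiers = [
        (category, m.group(0))
        for category, pattern in IDENTIFIER_PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    health_terms = [m.group(0) for m in HEALTH_TERMS.finditer(text)]
    return ScanResult(identifiers, health_terms)


def deidentify(text: str, mapping: Optional[dict] = None) -> tuple:
    """Replace every identifier with a stable pseudonymous token such as "[NAME-1]".

    The same value always gets the same token, so a thread stays readable. The
    returned mapping re-identifies the patient and must be stored as PHI itself.
    """
    mapping = {} if mapping is None else mapping

    def make_replacer(category):
        def _sub(m):
            key = (category, m.group(0))
            if key not in mapping:
                n = sum(1 for c, _ in mapping if c == category) + 1
                mapping[key] = f"[{category.upper()}-{n}]"
            return mapping[key]
        return _sub

    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(make_replacer(category), text)
    return text, mapping


# Constructed sample messages, modelled on the page's examples.
SAMPLE_EMAILS = [
    "Insurance claim #12345 for Mary Smith related to her recent heart surgery.",
    "The patient accessed their health records via the patient portal from IP address 192.168.0.1.",
    "John Doe called from 555-123-4567 about the parking permit.",
    "Reminder: the staff meeting moved to 3 PM on Thursday.",
]

if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        result = scan_email(body)
        verdict = "PHI - encrypt or de-identify" if result.is_phi else "no PHI detected"
        print(f"{verdict}: identifiers={result.identifiers} health={result.health_terms}")
        if result.is_phi:
            redacted, _ = deidentify(body)
            print("  de-identified:", redacted)
```

Running the block flags the first two messages and leaves the third alone even though it carries a name and a phone number, which is exactly the two-element rule: identifiers without health information are not PHI. The limits of keyword heuristics are also visible: a lone first name such as "Sarah's" in the page's MRI example is not caught by the name pattern, so a monitoring system built this way should treat a "no PHI detected" verdict as a reason to review, not as proof of absence. The mapping returned by deidentify reverses the pseudonymisation, so it has to be protected with the same controls as the original identifiers.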

See also: HIPAA Compliant Email: The Definitive Guide


FAQs

How can I reduce the risk of including PHI in emails? 

To minimize the risk of including PHI in emails:

  • Avoid sending unnecessary personal or health information via email.
  • De-identify data wherever possible (e.g., using patient ID numbers instead of names).
  • Use secure email services to transmit sensitive information.
  • Implement email encryption for any message containing PHI.


What happens if PHI is breached through email? 

If PHI is breached, the organization may be required to report the incident under HIPAA’s breach notification rules. This includes notifying affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. Penalties can range from fines to legal action, depending on the severity of the breach and whether the organization had appropriate safeguards in place.

See also: What are the consequences of non-compliance with HIPAA email rules?