
Is it a HIPAA violation to forward an email?

While forwarding an email is not inherently a HIPAA violation, if the email contains protected health information (PHI), it must be forwarded with the right safeguards and only to authorized individuals. Forwarding an email without secure transmission or to unauthorized individuals would constitute a HIPAA violation.  


Understanding HIPAA and email communication

According to the US Department of Health and Human Services, "The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so."

While nearly every healthcare organization communicates through email, HIPAA mandates strict controls over PHI disclosure, including ensuring that the information is encrypted and sent to an authorized user. 


What constitutes a HIPAA violation?

A HIPAA violation occurs when PHI is accessed, used, or disclosed improperly. Violations may occur from providers accidentally disclosing information to the wrong individual or taking improper security measures that could lead to a breach.  

Read more: What violates HIPAA in email?


The risks of forwarding emails with PHI

According to Paubox’s January 2024 breach report, email breaches affected 137,008 people, making email the third most common breach type.

Forwarding emails containing PHI introduces more risk to patient confidentiality and could lead to unauthorized disclosure or a data breach. Despite this, there are ways for patients and providers to safely forward emails containing PHI.


Best practices for HIPAA compliant email forwarding 

  • Security measures: Use HIPAA compliant email services with encryption to protect electronic PHI during transmission.
  • Minimum necessary information: Adhere to the principle of minimum necessary information, sharing only PHI required for the recipients' purpose.
  • Authorization: Verify that recipients are authorized to receive PHI. Obtain explicit patient consent for sharing sensitive information with another provider.
  • Staff training and policies: Educate healthcare staff on HIPAA regulations and organizational policies for email communication. 
  • Documentation: Maintain detailed documentation of email forwarding activities, including recipient details and reasons for disclosing PHI. 
  • Audit: Conduct regular audits of email practices to identify vulnerabilities and ensure adherence to HIPAA standards. 


FAQs

Do I need patient consent every time I forward an email with PHI?

Patient consent is generally required unless forwarding is for treatment, payment, or healthcare operations. For non-routine disclosures, obtain explicit patient consent to avoid potential HIPAA violations.


Can I forward emails with PHI to personal email accounts?

Forwarding PHI to personal email accounts is risky and generally discouraged under HIPAA. Personal email services often lack the security measures to protect PHI, increasing the risk of unauthorized access and potential HIPAA violations.

Read more: Why personal email accounts are not HIPAA compliant


What steps should I take if I receive an email with PHI that was improperly forwarded to me?

Immediately notify the sender and your organization's privacy or compliance officer. Avoid accessing the PHI unless necessary for patient care or authorized by the sender.
