While forwarding an email is not inherently a HIPAA violation, if the email contains protected health information (PHI), it must be forwarded with the right safeguards and only to authorized individuals. Forwarding an email without secure transmission or to unauthorized individuals would constitute a HIPAA violation.
According to the US Department of Health and Human Services, "The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so."
While nearly every healthcare organization communicates through email, HIPAA mandates strict controls over PHI disclosure, including ensuring that the information is encrypted and sent to an authorized user.
A HIPAA violation occurs when PHI is accessed, used, or disclosed improperly. Violations may occur from providers accidentally disclosing information to the wrong individual or taking improper security measures that could lead to a breach.
According to Paubox’s January 2024 breach report, email breaches affected 137,008 people, making email the third most common breach type.
Forwarding emails containing PHI introduces more risk to patient confidentiality and could lead to unauthorized disclosure or a data breach. Despite this, there are ways for patients and providers to safely forward emails containing PHI.
Patient consent is generally required unless forwarding is for treatment, payment, or healthcare operations. For non-routine disclosures, obtain explicit patient consent to avoid potential HIPAA violations.
Forwarding PHI to personal email accounts is risky and generally discouraged under HIPAA. Personal email services often lack the security measures to protect PHI, increasing the risk of unauthorized access and potential HIPAA violations.
Immediately notify the sender and your organization's privacy or compliance officer. Avoid accessing the PHI unless necessary for patient care or authorized by the sender.