HIPAA allows provider-to-provider email communication for treatment, payment, and healthcare operations without patient authorization. However, providers must follow strict security measures. Emails containing PHI must be encrypted, and only the minimum necessary information should be shared. If a third-party email service is used, a business associate agreement (BAA) is required.
Under HIPAA, email communication between healthcare providers is allowed for certain purposes without patient authorization. According to the HHS, "A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations." These purposes include:
Even in these situations, providers must take additional steps to ensure that patient information remains protected and is shared securely, using only the necessary details and a HIPAA-compliant email service.
The HIPAA minimum necessary rule requires that providers disclose the least amount of PHI needed to achieve the intended purpose. This limits the exposure of sensitive information if a message is misdirected or intercepted. For example, when consulting on a patient's condition with another provider, include only the medical data relevant to that consultation. Including extraneous details, such as full medical records or unrelated diagnoses, could violate HIPAA standards. Providers should review email content before sending it to confirm compliance with this rule and to reduce risk.
The HHS states that "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."
Healthcare providers using third-party email services must have a business associate agreement (BAA) with the email provider. Under HIPAA, any third party handling PHI must follow the same security and privacy standards as the healthcare provider. A BAA is required if the email service provider has access to PHI, and it should clearly outline the third party’s responsibility for safeguarding the data, including steps for preventing unauthorized access and breaches. The agreement must also specify how the third party will respond to potential security incidents and ensure ongoing HIPAA compliance. Without a BAA, healthcare providers risk violating HIPAA, which can result in fines and reputational damage.
Encryption is required for transmitting PHI even on a secure network, so that the information remains protected if it is intercepted in transit.
Internal emails that contain PHI are subject to HIPAA rules, so safeguards such as encryption and access controls should still be in place to protect patient information.
Providers can email PHI to patients if the patient consents and the message is sent through a HIPAA-compliant email service.