Email is a valuable and convenient means of communication. Can healthcare companies employ email to deliver the electronic protected health information of patients? Do they violate the HIPAA Rules when they do this?
There’s no rule in HIPAA which states that PHI cannot be electronically transmitted. HIPAA-covered entities may use email or any electronic communication to send ePHI provided that appropriate safeguards are applied to ensure the confidentiality, integrity, and availability of PHI.
Below are important points to keep in mind when using email to send ePHI.
Although no HIPAA rule is violated when emailing patient names, remember not to put the patient's name or any other PHI in the email's subject line. Sensitive information in the subject line can be viewed by unauthorized individuals: the message body may be encrypted, but the To and From fields and the subject line usually are not.
Whenever emailing PHI, make sure the email is sent to the correct person. Many privacy breaches have occurred as a result of emails sent to the wrong people.
HIPAA does not require encryption, but the decision to encrypt or to use other controls should be made through risk analysis and risk management processes. If encryption is not used, an alternative control must be in place that provides an equivalent level of protection. When sending internal messages, there is no need to use encryption, as the messages will be protected by the firm's firewall. Nonetheless, there should be access controls in place to make sure messages can be opened only by authorized persons.
Whenever emailing PHI beyond the firewall, there is a high risk that unauthorized persons could intercept and see the messages so encryption is strongly recommended.
Don’t forget to get patients’ written consent before sensitive information is sent via email. Patients need to be informed of the risks of receiving PHI via unencrypted email.
Rather than use encryption for email, you can consider implementing policies that require PHI only to be sent through HIPAA-compliant data sharing services such as Box, Google Drive and Dropbox.
Patient Names in Emails: FAQ
Do email services need to use encryption to be HIPAA compliant?
The HIPAA Security Rule sets out the minimum administrative, physical and technical safeguards needed to protect the integrity of PHI. However, it does not detail which technologies need to be used. This was deliberate, as it means that the Security Rule does not need to be updated every time an advancement in technology is made. It does, however, cause confusion amongst CEs and BAs. So even though it is not stipulated by the HIPAA Security Rule, CEs and BAs should use encrypted email services whose standards are in line with current best practices.
If emails are encrypted, can they contain information such as the patient’s name?
It is important to note that even when emails are encrypted, certain fields of the email are usually not encrypted. These include the To and From fields, as well as the subject line. If the patient's name is included in any of these fields, it is more exposed than if it were in the body of the email. Additionally, consent must be obtained from the patient before their name (and other PHI) is disclosed via email.
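The points above (keep PHI out of the unencrypted header fields, confirm the recipient, and encrypt anything that leaves the organisation) can be enforced as a pre-send policy gate. The script below is an added example, not code from the article; it uses Python's standard `email` library and assumes a constructed configuration: the internal mail domain `clinic.example`, an out-of-band confirmed list of external addresses, a list of known patient names, and the two MIME content types that mark a body as end-to-end encrypted (`multipart/encrypted` for PGP/MIME, `application/pkcs7-mime` for S/MIME). The sample messages are constructed for illustration.

```python
"""Pre-send policy gate for outgoing mail that may carry PHI.

Added example: not the article's code. All domains, addresses and
patient names below are constructed placeholders.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed configuration (constructed).
INTERNAL_DOMAINS = {"clinic.example"}
CONFIRMED_EXTERNAL = {"pat.jones@mail.example"}   # verified out of band
PATIENTS = ["Jane Doe", "Pat Jones"]              # names that must not appear in headers

# Content types that show the body is encrypted end to end. Header fields
# (Subject, To, From, Cc) remain readable regardless of body encryption.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
CLEARTEXT_HEADERS = ("Subject", "To", "Cc", "From")


def recipient_addresses(msg):
    """Return every To/Cc/Bcc address in lower case."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def is_external(addr):
    """An address is external unless its domain is one of ours."""
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def check_outgoing(msg, patient_names=PATIENTS):
    """Return a list of policy findings; an empty list means the message may be sent."""
    findings = []

    # 1. Header fields travel unencrypted even when the body is encrypted.
    for header in CLEARTEXT_HEADERS:
        value = str(msg.get(header) or "").lower()
        for name in patient_names:
            if name.lower() in value:
                findings.append(f"{header}: contains patient name '{name}'")

    # 2. Misdirection guard: external recipients must have been confirmed.
    external = [a for a in recipient_addresses(msg) if is_external(a)]
    for addr in external:
        if addr not in CONFIRMED_EXTERNAL:
            findings.append(f"Recipient: unconfirmed external address {addr}")

    # 3. Anything leaving the firewall must be encrypted end to end.
    if external and msg.get_content_type() not in ENCRYPTED_TYPES:
        findings.append("Body: external recipient but message body is not encrypted")

    return findings


def sample_unsafe():
    """Constructed message that breaks every rule at once."""
    msg = EmailMessage()
    msg["From"] = "records@clinic.example"
    msg["To"] = "Jane Doe <jane.doe@webmail.example>"   # name in header, unconfirmed
    msg["Subject"] = "Jane Doe - lab results"            # PHI in subject line
    msg.set_content("Your lab results are attached.")    # text/plain, not encrypted
    return msg


def sample_safe():
    """Constructed message that passes: neutral subject, confirmed recipient, S/MIME body."""
    msg = EmailMessage()
    msg["From"] = "records@clinic.example"
    msg["To"] = "pat.jones@mail.example"
    msg["Subject"] = "Message from your clinic"
    msg["Content-Type"] = 'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'
    msg.set_payload("MIAGCSqGSIb3DQEHA6CAMIACAQAxgg...")  # placeholder ciphertext, constructed
    return msg


if __name__ == "__main__":
    for label, msg in (("unsafe", sample_unsafe()), ("safe", sample_safe())):
        print(label, check_outgoing(msg) or "OK")
```

The gate only reasons about what a mail client can see before sending, so it cannot tell whether a confirmed recipient is the right person for this particular message; it is a guard against the common mistakes the article lists, not a substitute for the consent and training controls it also describes.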
Can HIPAA violations result from sharing patient names via email?
Unfortunately yes, HIPAA violations can occur. Accidental violations may occur if the patient’s name is in the subject of an email and the email account is left open on a desktop. Even if the email isn’t open on the screen, any individual who sits down at the computer may see the patient’s name. Violations can also occur through human error, for example, if an email is sent to an unauthorized individual. To prevent such breaches, all employees should receive regular and up-to-date HIPAA training.
Are there alternatives to email?
Though email is extremely useful, if it is used to transmit PHI, it may lead to accidental HIPAA violations. CEs could consider using password-protected attachments to emails, and refrain from including any PHI in the subject line or body of the email. Alternatively, cloud services such as Google Drive or Microsoft 365 could be used to share data.