Is Emailing Patient Names Considered a HIPAA Violation?


Emailing patient names is not considered a HIPAA violation unless an email also contains unsecured information relating to an individual’s health condition, treatment for the condition, or payment for the treatment AND the individual has not given their consent for Protected Health Information to be sent by email. Even in these circumstances, emailing patient names may not be considered a HIPAA violation if the email is sent internally or the sender is not covered by HIPAA.

To best explain when emailing patient names is considered a HIPAA violation, it is necessary to break the question down into three parts:

  • Are patient names protected by HIPAA?
  • What is a HIPAA compliant email?
  • When do the HIPAA Rules not apply?

Are Patient Names Protected by HIPAA?

HIPAA protects individually identifiable health information relating to an individual’s health condition, treatment for the condition, or payment for the treatment. Information of this nature is maintained in one or more designated records sets. When individually identifiable non-health information (i.e., a name, a telephone number, an email address, etc.) is maintained in the same designated record set(s), the non-health information assumes the same protections as the health information.

However, if non-health information such as patient names is maintained outside of a designated record set in a separate database (for example, to manage transport arrangements or volunteer shifts), the patient names by themselves are not protected by HIPAA. In such circumstances, a HIPAA covered entity emailing patient names over an unsecured communication channel, with no other health, treatment, or payment information included in – or attached to – the email, is not considered to have committed a HIPAA violation.

What is a HIPAA Compliant Email?

A HIPAA compliant email can either be an email containing Protected Health Information that complies with the Technical Safeguards of the Security Rule relating to access controls and transmission security, or an email sent to an individual who is the subject of the Protected Health Information and who has requested communications via email, or given their implied consent to receive communications via email by making an initial contact via email.

In the former case, there are many email services available that can be configured to comply with the Technical Safeguards of the Security Rule (e.g., Outlook, Gmail, Paubox). In the latter case, it is advisable to alert the individual that communicating Protected Health Information by email – although compliant in the circumstances – does have risks attached. If the individual still wishes to communicate by email, the warning and the individual’s repeated request should be documented.


When do the HIPAA Rules not Apply?

The HIPAA Rules for emailing patient names do not apply when emails are sent internally or when the sender of an email is not covered by HIPAA. However, in the first scenario, controls must be in place to ensure emails containing Protected Health Information cannot be sent outside the internal network (e.g., Data Loss Prevention), while in the second scenario, emails sent by an entity not covered by HIPAA to an entity covered by HIPAA are subject to HIPAA once they are received.

In conclusion, there are scenarios in which emailing patient names is considered a HIPAA violation and scenarios in which emailing patient names is permissible or the HIPAA Rules do not apply. Covered entities and business associates that are unsure about when emailing patient names is considered a HIPAA violation should seek professional compliance advice in order to avoid accidental HIPAA violations attributable to a lack of knowledge.

Patient Names in Emails: FAQ

Do email services need to use encryption to be HIPAA compliant?

Email services do not need to use encryption to be HIPAA compliant. The HIPAA Security Rule sets out the minimum administrative, physical, and technical safeguards needed to protect the integrity of PHI, but it does not specify which technologies must be used. This was deliberate: it means the Security Rule does not need to be updated every time technology advances. It does, however, cause confusion among CEs and BAs. So even though it is not stipulated by the HIPAA Security Rule, CEs and BAs should use encrypted email services whose standards are in line with current best practices.

If emails are encrypted, can they contain information such as the patient’s name?

If emails are encrypted, they can contain information such as the patient’s name. However, it is important to note that even when emails are encrypted, there are certain fields of the email that are not usually encrypted. This includes the To and From fields, as well as the subject line. If the patient's name is included in any of these fields, it is more vulnerable than if it was in the body of the email. Additionally, consent must be obtained from the patient before their name (and other PHI) is
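The two points above, that an internal-only message is outside the email rules but an outbound one needs a control such as Data Loss Prevention, and that the Subject and To/From headers stay in the clear even when the body is encrypted, can be combined into one outbound check. The following is an added illustration written for this article, not code from the page or from any DLP product: it assumes a hypothetical covered entity whose internal mail domain is `clinic.example`, a constructed roster of two patient names standing in for a lookup against the designated record set, and three constructed messages. Names in the subject line are treated as a hard block because body encryption would not cover them; names only in the body are held for a human to confirm that the transport is encrypted or that the patient has consented.

```python
import email
import re
from email import policy

# Assumption: the covered entity's own mail domain(s). Mail that stays here is
# "internal" in the sense used above and is not subject to the email rules.
INTERNAL_DOMAINS = {"clinic.example"}

# Constructed roster. A real deployment would consult the designated record
# set (e.g. the EHR) rather than a hard-coded list.
PATIENT_NAMES = ["Jane Doe", "John Q. Public"]


def recipient_addresses(msg):
    """Yield (domain, addr_spec) for every To/Cc/Bcc recipient."""
    for hdr in ("To", "Cc", "Bcc"):
        for header in msg.get_all(hdr, []):
            for addr in header.addresses:
                yield addr.domain.lower(), addr.addr_spec


def external_recipients(msg):
    return [spec for domain, spec in recipient_addresses(msg)
            if domain not in INTERNAL_DOMAINS]


def names_in(text):
    """Return the roster names that appear in text, as whole words."""
    return [name for name in PATIENT_NAMES
            if re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE)]


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def evaluate(raw_message):
    """Decide what to do with an outbound message before it leaves the network.

    allow : internal-only, or no roster names present
    block : a roster name sits in the Subject header, which stays in the clear
            even when the body is encrypted
    hold  : a roster name is only in the body; release once transport encryption
            or the patient's documented email consent is confirmed
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    external = external_recipients(msg)
    subject_names = names_in(str(msg.get("Subject", "")))
    body_names = names_in(body_text(msg))
    result = {"external": external,
              "subject_names": subject_names,
              "body_names": body_names}
    if not external:
        result["action"] = "allow"
        result["reason"] = "internal recipients only"
    elif subject_names:
        result["action"] = "block"
        result["reason"] = "patient name in unencrypted Subject header"
    elif body_names:
        result["action"] = "hold"
        result["reason"] = "patient name in body; confirm encryption or consent"
    else:
        result["action"] = "allow"
        result["reason"] = "no roster names found"
    return result


# Constructed sample messages (not real correspondence).
INTERNAL_MSG = (
    "From: scheduler@clinic.example\n"
    "To: nurse@clinic.example\n"
    "Subject: Jane Doe transport for Tuesday\n\n"
    "Jane Doe needs a ride for the 09:00 slot.\n"
)
EXTERNAL_SUBJECT_MSG = (
    "From: frontdesk@clinic.example\n"
    "To: orders@lab-partner.example\n"
    "Subject: John Q. Public lab results\n\n"
    "Please see the attached panel.\n"
)
EXTERNAL_BODY_MSG = (
    "From: frontdesk@clinic.example\n"
    "To: jane.doe@mail.example\n"
    "Subject: Your upcoming appointment\n\n"
    "Dear Jane Doe, your appointment is confirmed for Tuesday.\n"
)

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MSG),
                       ("external-subject", EXTERNAL_SUBJECT_MSG),
                       ("external-body", EXTERNAL_BODY_MSG)):
        verdict = evaluate(raw)
        print(f"{label:17s} -> {verdict['action']:5s} ({verdict['reason']})")
```

The check deliberately looks at the Subject header separately from the body: a gateway that only scans the body would let a name through in exactly the field that remains readable in transit and in mailbox listings. Any hit is also worth logging with the sender and recipient list so that the training and incident-review steps described later have evidence to work from.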

Can HIPAA violations result from sharing patient names via email?

HIPAA violations can result from sharing patient names via email. For example, accidental violations may occur if the patient’s name is in the subject of an email and the email account is left open on a desktop. Even if the email isn’t open on the screen, any individual who sits down at an unlocked computer may see the patient’s name. Violations can also occur through human error, for example, if an email is sent to an unauthorized individual. To prevent such breaches, all employees should receive regular and up-to-date HIPAA training.

Are there alternatives to email?

There are alternatives to email for communicating PHI. Though email is extremely useful, if it is used to communicate PHI, it may lead to accidental HIPAA violations. CEs could consider using password-protected attachments to emails, and refrain from including any PHI in the subject line or body of the email. Alternatively, cloud services such as Google Drive or Microsoft OneDrive could be used to share data.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/