You can use email to transmit PHI, but only if specific security measures and compliance requirements are met.
Protected health information includes any individually identifiable health information created, received, maintained, or transmitted by covered entities and their business associates. This includes medical records, test results, billing information, appointment details, and even basic information like a patient's name when combined with health-related data.
HIPAA doesn't explicitly prohibit sending PHI via email. However, it does require that covered entities implement appropriate safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). So while email isn't banned, it must be secured properly to meet regulatory standards. HIPAA compliant email services like Paubox are designed for healthcare with enhanced security features.
According to the HIPAA Compliance for Email news article, "HIPAA compliance for email is not necessary if PHI is not communicated in emails. For example, if information about a patient communicated in an email does not contain individually identifiable health information, the information in the email is not protected by the Privacy Rule."
The risks of standard email
When you send a standard email, it passes through multiple servers and networks before reaching its destination, creating numerous opportunities for unauthorized access.
Standard email lacks several security features:
- No encryption: The message content is readable to anyone who intercepts it
- Limited access controls: Once sent, you can't control who forwards or accesses the email
- No audit trails: You may not know who has viewed the information
- Minimal authentication: It's relatively easy to spoof email addresses
These vulnerabilities make unencrypted email unsuitable for PHI transmission without additional safeguards. Donna Vanderpool documents a case in "HIPAA COMPLIANCE: A Common Sense Approach," where "a Texas health system following three data breach reports involving the theft of an unencrypted laptop from an employee's home and the loss of two USB drives containing the unencrypted ePHI of more than 33,500 individuals. The covered entity was ordered to pay $4.3 million in penalties."
The threat of phishing attacks
Email systems are vulnerable to phishing attacks, one of healthcare's most common breach vectors. According to the HHS Office for Civil Rights, "Hacking is one of the most common types of large breaches reported to OCR every year." In a 2020 settlement announcement, OCR Acting Director Anthony Archeval emphasized that "HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients' protected health information."
An example comes from PIH Health, Inc., a California health care network that settled with OCR for $600,000 following a phishing attack. In June 2019, attackers compromised forty-five employee email accounts, resulting in a breach affecting 189,763 individuals. The compromised ePHI included names, addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information. This case shows how a single successful phishing attack can expose large amounts of sensitive patient data when email security measures are inadequate.
Making email HIPAA compliant
To lawfully transmit PHI via email, healthcare organizations must implement security measures. The most critical requirement is encryption, which scrambles the email content so only authorized recipients can read it.
Current encryption standards
According to HIPAA Compliance for Email, "The current HIPAA encryption requirements are a minimum of AES-128 encryption for PHI at rest and TLS 1.2 for encryption in transit." These standards represent the baseline for compliance, though organizations may choose to implement even stronger encryption protocols.
Vanderpool states, "OCR expects all portable devices with ePHI, such as cell phones and laptops, to be appropriately encrypted." This principle extends to email systems that store or transmit PHI.
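As an added example (not code from the original article or from Paubox), the following Python shows how a sending application can enforce the TLS 1.2 in-transit baseline quoted above when it submits mail to a relay: it pins the minimum protocol version, requires certificate and host name verification, and refuses to proceed if the server does not advertise STARTTLS at all. The mail server host, port and message contents are hypothetical.

```python
"""Enforce the TLS 1.2 in-transit baseline when submitting email that carries PHI.

Added example, not code from the original article or from Paubox. The mail
server host, port and message contents below are hypothetical.
"""
import smtplib
import ssl
from email.message import EmailMessage


def build_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2.

    ssl.create_default_context() already verifies the server certificate and
    host name; pinning minimum_version removes the downgrade path to TLS 1.0
    and 1.1 that a default context on an older Python/OpenSSL build may leave open.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_baseline(ctx: ssl.SSLContext) -> bool:
    """Policy check a deployment test can apply to whatever context is actually in use."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def send_phi_message(msg: EmailMessage, host: str, port: int = 587) -> str:
    """Submit msg over STARTTLS, raising instead of ever falling back to plaintext.

    Returns the negotiated protocol version (for example 'TLSv1.3') so the
    caller can record it in the audit log alongside the message id.
    """
    ctx = build_tls_context()
    if not context_meets_baseline(ctx):
        raise RuntimeError("TLS context does not meet the TLS 1.2 baseline")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # If the server does not advertise STARTTLS, stop: PHI must not go in the clear.
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; refusing to send PHI")
        smtp.starttls(context=ctx)  # raises ssl.SSLError if the server cannot do TLS 1.2+
        smtp.ehlo()
        negotiated = smtp.sock.version()
        smtp.send_message(msg)
    return negotiated


if __name__ == "__main__":
    # Hypothetical message and relay. The subject is kept generic because TLS
    # protects only this hop; downstream servers and inboxes still see the headers.
    message = EmailMessage()
    message["From"] = "records@ourhospital.example"
    message["To"] = "intake@clinic-partner.example"
    message["Subject"] = "Secure referral documents"
    message.set_content("Please see the encrypted attachment.")
    print("negotiated", send_phi_message(message, "smtp.ourhospital.example"))
```

The baseline check is a separate function so that a deployment test can run it against the context the application really uses rather than a copy. AES-128 for PHI at rest is a property of the mail store and is not covered by this snippet.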
Beyond encryption
Beyond encryption, HIPAA compliant email requires additional safeguards including authentication mechanisms, access controls, automatic logoff features, and audit logging to track who accesses PHI and when.
Identity verification is essential. As noted in HIPAA Compliance for Email, "Section 164.312(d) of the Security Rule requires procedures to be implemented that 'verify a person or entity seeking access to electronic protected health information is the one claimed.'" This protects against email account takeovers and unauthorized access attempts.
OCR recommends that healthcare organizations implement specific security measures, including mechanisms to authenticate information and ensure only authorized users are accessing ePHI.
The importance of risk analysis
Healthcare organizations must conduct thorough risk assessments of their email systems. Vanderpool describes how "a network of medical providers paid $3.5 million to OCR in settlement after reporting five breaches to OCR. Upon investigation, OCR found a failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI."
OCR's investigation found that PIH had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization. This failure was among the multiple potential violations that led to the $600,000 settlement.
Under the terms of PIH's corrective action plan, the organization was required to conduct a proper risk analysis, develop and implement a risk management plan to address identified vulnerabilities, and revise its written policies and procedures to comply with HIPAA Rules. This two-year monitored corrective action plan shows OCR's expectation that organizations must proactively identify and address security gaps before they lead to breaches.
OCR recommends that covered entities identify where ePHI is located within the organization, including how it enters, flows through, and leaves information systems. Organizations should integrate risk analysis and risk management into their business processes as an ongoing practice.
Business associate agreements
When using third-party email service providers, healthcare organizations must establish proper legal safeguards. HIPAA Compliance for Email emphasizes that "Before any PHI is disclosed to a cloud email service provider, it is necessary to enter into a Business Associate Agreement with the provider." This agreement ensures the service provider understands and accepts their responsibilities for protecting PHI.
Vanderpool defines a business associate as "a person or entity other than a member of a workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information." Vanderpool documents an enforcement action where "one physician group had to pay $500,000 to settle an OCR investigation that found the group failed to have a BAA with the group's billing service."
Best practices for email PHI transmission
Healthcare organizations should establish clear policies governing email use for PHI. These policies should specify when email is appropriate, what types of information can be shared, and what security measures must be in place, including:
1. Always verify recipient email addresses before sending PHI
A simple typo could send sensitive information to the wrong person, creating a serious breach. Consider using address books or auto-complete features that reduce manual entry errors.
2. Minimize the PHI included in emails
The principle of "minimum necessary" is important. According to HIPAA Compliance for Email, "The minimum necessary standard requires covered entities and business associates where applicable to only disclose the minimum necessary PHI by email to achieve the purpose of the disclosure."
3. Protect email metadata
HIPAA Compliance for Email warns, "Most encryption solutions do not encrypt email metadata such as the subject lines of emails so that email inboxes are searchable. Organizations must implement HIPAA email policies that prohibit disclosures of PHI in the subject lines of emails and in the file names of attachments." Even with encrypted email bodies, exposed subject lines containing patient names or diagnoses can constitute a breach.
The challenge of working with limited email information is well-documented in cybersecurity research. As noted in Implementing Active Learning in Cybersecurity: Detecting Anomalies in Redacted Emails, security analysts often face situations where "the data provided to the analysts did not contain email body and attachment details... Thus, in this screening/filtering stage, human judges were forced to make labeling decisions based on subject lines, file names, and some user-identifiable information." This demonstrates that even when email bodies are protected or redacted, the metadata itself contains sensitive information that requires protection.
The same research notes that decision-making becomes more difficult when information is limited: "Experts may not have complete confidence in the labels they are assigning, either because their knowledge in the domain is limited, or because the privacy of data does not allow them to have access to all the relevant information (as may often be the case in email anomaly detection)." This shows why protection of all email elements, not just the body content, is essential for maintaining privacy and security.
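As an added example (not code from the original article or from Paubox), the following Python implements two of the practices above as a gate a mail client or outbound gateway could apply before a message leaves: practice 1, verifying the recipient address against an approved-partner list and flagging a near miss for an approved domain as a probable typo, and practice 3, scanning the subject line and attachment file names, which most encryption leaves readable, for PHI-like identifiers. The approved domains, the patterns and the sample messages are all constructed for illustration; a production rule set would be broader and would draw its domains from the organization's directory.

```python
"""Pre-send checks for outbound email that may carry PHI.

Added example, not code from the original article or from Paubox. It gates a
message on (1) the recipient domain being approved or not a near-miss typo of
an approved domain and (2) subject line and attachment names being free of
PHI-like identifiers, since those fields usually stay readable even when the
body is encrypted. All domains, patterns and samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed list of domains the organization exchanges PHI with; in practice
# this would come from the address book or a directory of BAA partners.
APPROVED_DOMAINS = {"clinic-partner.example", "lab.example", "ourhospital.example"}

# Illustrative patterns for identifiers that must never appear in metadata.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"MRN[\s:#_-]*\d{6,}", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b.*?\b\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-?10)\b", re.IGNORECASE),
}


@dataclass
class OutboundMessage:
    recipients: list[str]
    subject: str
    attachment_names: list[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-keystroke domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipient(address: str) -> Optional[str]:
    """Return a finding for a suspicious recipient, or None if it is acceptable."""
    if address.count("@") != 1:
        return f"malformed address: {address}"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in APPROVED_DOMAINS:
        return None
    near = [d for d in APPROVED_DOMAINS if edit_distance(domain, d) <= 2]
    if near:
        return f"{address}: domain looks like a typo of {sorted(near)[0]}"
    return f"{address}: domain not on approved list"


def check_metadata(msg: OutboundMessage) -> list[str]:
    """Flag PHI-like content in the fields encryption typically leaves exposed."""
    fields = [("subject", msg.subject)] + [("attachment", n) for n in msg.attachment_names]
    findings = []
    for label, text in fields:
        for name, pattern in PHI_PATTERNS.items():
            if pattern.search(text):
                findings.append(f"{label} contains {name}-like identifier: {text!r}")
    return findings


def evaluate(msg: OutboundMessage) -> list[str]:
    """Run all checks; an empty list means the message may be sent."""
    findings = [f for f in (check_recipient(r) for r in msg.recipients) if f]
    findings.extend(check_metadata(msg))
    return findings


if __name__ == "__main__":
    # Constructed sample: a typo'd partner domain, an SSN in the subject line
    # and a medical record number in an attachment file name.
    sample = OutboundMessage(
        recipients=["dr.lee@clinic-partner.exmaple"],
        subject="Referral for J. Doe SSN 123-45-6789",
        attachment_names=["labs_MRN_00482211.pdf"],
    )
    for finding in evaluate(sample):
        print("BLOCK:", finding)
```

Each finding names the field and the kind of identifier so that the sender can fix the message rather than guess; a gateway that enforces this would log the findings (without the matched values) for the audit trail the article calls for.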
4. Use disclaimers and confidentiality notices
While not a substitute for encryption, these notices remind recipients of their obligations regarding the sensitive information and provide guidance on what to do if they receive the email in error.
5. Train staff regularly on email security protocols
Human error remains one of the biggest security vulnerabilities. As Vanderpool recommends in her compliance checklist, healthcare organizations should "train all employees on HIPAA's requirements, your policies and procedures, and the potential for harmful phishing emails. Document the initial and annual training, and consider having employees sign confidentiality agreements."
The PIH Health breach shows how vital training is. The phishing attack that compromised forty-five employee accounts could potentially have been prevented or minimized with security awareness training. Under PIH's corrective action plan, the organization was specifically required to train its workforce members who have access to PHI on its HIPAA policies and procedures—a requirement that OCR considers fundamental to compliance.
Employees need to understand the technical requirements and why these safeguards matter for patient privacy. Research on email anomaly detection found that "the whole process usually took roughly two business days (every week) to be completed, which included filtering from roughly 10,000 emails, screening and reviewing over 1000 filtered emails."
OCR says that workforce training should be regular and specific to both the organization and to individual job duties. Training should cover compliance requirements and practical threat recognition, such as identifying phishing attempts before clicking on malicious links or providing credentials to attackers.
Breach notification requirements
Organizations must also understand their obligations when a breach occurs. The PIH Health case highlights a compliance failure: the organization failed to notify affected individuals, the HHS Secretary, and the media of the breach within 60 days of its discovery. This notification failure was among the potential violations identified in OCR's investigation.
HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days following discovery of a breach. For breaches affecting 500 or more individuals, organizations must also notify prominent media outlets and HHS. These notification requirements exist to ensure that affected individuals can take steps to protect themselves from potential harm resulting from the breach.
Patient authorization and email
HIPAA allows patients to request that their PHI be sent via unencrypted email if they're informed of the risks. However, healthcare organizations should document these requests and ensure patients truly understand the security implications.
Many organizations require patients to sign acknowledgment forms indicating they accept the risks of unencrypted email communication. Even with patient consent, organizations should still consider whether more secure alternatives exist.
FAQs
What qualifies as Protected Health Information (PHI)?
PHI includes any health-related information that can identify an individual, such as medical records, test results, or billing details.
Is email banned under HIPAA for transmitting PHI?
No, HIPAA doesn’t prohibit email but requires that security safeguards be implemented before transmitting PHI.
Why is standard email not secure for PHI?
Standard email lacks encryption, authentication, and audit trails, leaving messages vulnerable to interception.
What type of encryption is needed for HIPAA compliant email?
HIPAA recommends at least AES-128 encryption for data at rest and TLS 1.2 for data in transit.
