Paubox blog: HIPAA compliant email made easy

Is it a HIPAA violation to email patient names?

Written by Dean Levitt | May 10, 2023

Email is a primary mode of communication, including in the healthcare industry. However, using email for sharing protected health information (PHI) such as patient names raises a crucial question: is it a HIPAA violation to email patient names? The answer depends on several factors, including the sender, the recipient, and the content of the email. 

Contents:

  1. Is it a HIPAA violation to email patient names?
  2. Is a name considered to be PHI?
  3. When is it a violation to email a patient's name?
  4. When is it not a violation to email patient names?
  5. Should all healthcare emails containing names be encrypted?
  6. What other security steps make an email HIPAA compliant?
  7. Do you need to use a secure portal when sharing PHI?
  8. Are Google and Microsoft Word HIPAA compliant?
  9. What are common HIPAA violations that occur when sending emails?
  10. Is patient consent required to communicate by email?
  11. Can medical records be sent via email?
  12. TL;DR: Key considerations

Is it a HIPAA violation to email patient names?

Emailing patient names can be a HIPAA violation, depending on the context and the safeguards in place. 

HIPAA's Privacy Rule establishes national standards to protect individuals' medical records and other personal health information, setting limits and conditions on the uses and disclosures of such information without patient authorization.

Under the Privacy Rule, covered entities (healthcare providers, health plans, and healthcare clearinghouses) must implement reasonable safeguards to protect PHI from unauthorized access, use, or disclosure. This includes ensuring emails containing PHI are sent securely and only to authorized individuals.

When emailing patient names, healthcare organizations must:

  1. Limit the PHI disclosed to the minimum amount necessary to accomplish the intended purpose.
  2. Obtain patient consent when necessary. If the email communication falls outside the scope of treatment, payment, or healthcare operations, the organization may need the patient's consent before sending an email containing their name or other PHI.
  3. Use appropriate safeguards, including encryption, access controls, and secure HIPAA compliant email systems to protect PHI in email communications.


Is a name considered to be PHI?

A name, whether a full name, first name, or last name, is considered Protected Health Information (PHI) under HIPAA if it can be used to identify an individual in conjunction with their health information. The Privacy Rule defines PHI as any information that can be used to identify a person and relates to their past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare services.

According to the Privacy Rule, there are 18 identifiers that, when combined with health information, can be considered PHI. A patient's name is one of these identifiers. Other identifiers include:

  • Dates related to the individual
  • Contact information 
  • Identification numbers 


In other words, when a name is used in isolation, without any connection to health information, it is not considered PHI. However, when a name is combined with health information or data that can be traced back to an individual's health, it becomes PHI and falls under the protection of the HIPAA Privacy Rule.

This is open to broad interpretation, and the mere fact that the sender of an email is a healthcare organization is itself considered health information. As a result, healthcare organizations should assume that any emails they send are subject to HIPAA regulations.


When is it a violation to email a patient's name?

It is essential to understand the specific circumstances surrounding the transmission of patient names via email to determine if it constitutes a HIPAA violation. 

A violation may occur in the following instances:

  • Unauthorized recipients: The email contains PHI, such as a patient's name, and is sent to unauthorized individuals or entities. Unauthorized recipients may include healthcare employees without a legitimate need to access the information, third parties without a Business Associate Agreement (BAA), or external entities not involved in the patient's care.
  • The email is unencrypted: The email is sent unencrypted, and it contains PHI. HIPAA requires that PHI transmitted electronically be protected with appropriate safeguards such as encryption when transmitted over the internet.
  • Unsecure email system: The email is sent using a personal email account or an email system that does not meet HIPAA security standards.


When is it not a violation to email patient names?

On the other hand, emailing patient names is not a violation when:

  • Authorized recipients: The email is sent to an authorized recipient with a legitimate need to access the PHI, such as a healthcare provider involved in the patient's care, or a healthcare administrator who needs the information for billing purposes.
  • The email is encrypted: The email is encrypted and sent through a secure email system that meets HIPAA security standards.
  • The patient gives consent: The patient has provided written consent to communicate via email, and the healthcare organization has implemented proper safeguards and policies to ensure HIPAA compliance.


Should all healthcare emails containing names be encrypted?

Encryption is a critical security measure that helps protect the confidentiality and integrity of PHI in electronic communications. According to the HIPAA Security Rule, encryption is considered an "addressable" requirement, meaning that covered entities must assess whether encryption is a reasonable and appropriate safeguard for their environment. 

In general, it is highly recommended to encrypt all emails containing PHI, such as names, to minimize the risk of unauthorized access or disclosure.

Encryption is particularly crucial when:

  1. Emails are sent to recipients outside the organization, such as referrals to specialists, consultations with external providers, or communications with third-party vendors.
  2. Emails are sent over public or unsecured Wi-Fi networks, where interception is more likely.
  3. The email content contains highly sensitive information, such as diagnoses, treatment plans, or financial data.

While encryption is strongly recommended for all emails containing PHI, there may be specific situations in which it is not strictly necessary. These scenarios might include the following:

  1. Internal email communication within a secure network where adequate access controls and firewalls are in place to protect against unauthorized access.
  2. Communication with patients who have provided written consent to receive unencrypted emails, acknowledging and accepting the associated risks.

However, it is essential to remember that even in situations where encryption may not be strictly necessary, it is still a best practice to use encryption to protect PHI and reduce the risk of HIPAA violations. By encrypting emails containing PHI, healthcare organizations can help ensure the privacy and security of sensitive patient information.


What other security steps make an email HIPAA compliant?

While encryption is essential to HIPAA compliant email communication, healthcare organizations must consider several additional security measures to ensure PHI's privacy and security. 

  1. Access controls: Implementing access controls ensures only authorized individuals can access PHI contained in emails.
  2. Authentication: Healthcare organizations should implement measures to verify the identity of users accessing PHI in email communications, like multi-factor authentication (MFA).
  3. Audit controls: Regularly monitoring and auditing email activities can help detect and prevent unauthorized access, use, or disclosure of PHI. 
  4. Transmission security: In addition to encryption, healthcare organizations should employ additional security measures to protect PHI during transmission, such as secure email gateways, secure file transfer protocols, and virtual private networks (VPNs) for remote access.
  5. Training and awareness: Regular employee training and awareness programs can significantly reduce the risk of human error, a common cause of email-related HIPAA violations. 
  6. Data backup and recovery: Implementing backup and disaster recovery procedures can help protect email data in case of system failures, data breaches, or other incidents. Regular backups and tested recovery plans can minimize data loss and ensure the continuity of operations.
  7. Security risk assessment: Regular risk assessments can help identify potential vulnerabilities in the email system and inform the development of appropriate security measures. A thorough risk assessment should evaluate the organization's email policies, procedures, and technologies to ensure compliance with HIPAA requirements.


Do you need to use a secure portal when sharing PHI?

No, portals are not a requirement for HIPAA compliance when it comes to email communication. A secure, encrypted email system that adheres to HIPAA's Privacy and Security Rules is considered compliant.


Are Google and Microsoft Word HIPAA compliant?

Both Google and Microsoft offer services that can be HIPAA compliant, provided that specific configurations, settings, and agreements are in place. It is important to note that the tools themselves are not inherently HIPAA compliant; rather, it is how they are used and configured that determines compliance.


The email encryption gap

Despite configuring Google Workspace or Microsoft 365 for HIPAA compliance, healthcare organizations may still face encryption gaps due to the recipient's email setup. Secure email communication relies on the sender's and recipient's email servers each supporting Transport Layer Security (TLS). The connection won't be secure if the recipient's server doesn't use TLS, resulting in a potential HIPAA violation.

Google states, "If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure." While there is a setting to enforce TLS, the email will bounce back if the recipient's server isn't configured to receive encrypted emails. Google publishes statistics on its unencrypted email traffic; the share of unencrypted messages generally ranges from 2% to 15%.
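The two delivery behaviours described above (opportunistic TLS that falls back to cleartext, versus enforced TLS that bounces) can be modelled from the capability list a receiving server advertises in its EHLO reply. The script below is an added example, not code from the original post or from Google or Paubox; the EHLO replies and hostnames in it are constructed samples, and `probe_starttls` is a hypothetical helper you would point at your own MX hosts.

```python
"""Model the STARTTLS delivery decision behind the 'email encryption gap'."""
import smtplib


def parse_ehlo_capabilities(ehlo_lines):
    """Turn a multi-line EHLO reply into a set of upper-case ESMTP keywords.

    The first 250 line is the server greeting, not a capability, so it is skipped.
    """
    caps = set()
    seen_greeting = False
    for line in ehlo_lines:
        if len(line) < 4 or not line.startswith("250"):
            continue  # not part of a successful EHLO reply
        if not seen_greeting:
            seen_greeting = True  # "250-mx.host Hello ..." greeting line
            continue
        body = line[4:].strip()  # drop "250-" / "250 " prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


def delivery_decision(caps, enforce_tls):
    """Decide what a sending MTA does for a recipient with these capabilities.

    Returns "deliver-encrypted" when STARTTLS is offered, otherwise
    "bounce" under an enforce-TLS policy or "deliver-cleartext" under
    opportunistic TLS (the case that exposes PHI in transit).
    """
    if "STARTTLS" in caps:
        return "deliver-encrypted"
    return "bounce" if enforce_tls else "deliver-cleartext"


def probe_starttls(host, port=25, timeout=10.0):
    """Live pre-flight check (hypothetical helper): does this MX advertise STARTTLS?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed EHLO replies; not captured from any real server.
EHLO_WITH_TLS = [
    "250-mx.example-clinic.test Hello sender.example.test",
    "250-SIZE 35882577",
    "250-8BITMIME",
    "250-STARTTLS",
    "250 SMTPUTF8",
]
EHLO_WITHOUT_TLS = [
    "250-mx.legacy-lab.test Hello sender.example.test",
    "250-SIZE 10240000",
    "250 8BITMIME",
]
```

An advertised STARTTLS only means the hop can be encrypted; it does not by itself verify the recipient's certificate or identity.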

Go deeper: Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance


What are common HIPAA violations that occur when sending emails?

Emails containing electronic PHI (ePHI) can be susceptible to several risks and violations if appropriate security measures are not in place.

  1. Unauthorized disclosure: Sending ePHI to the wrong recipient, either due to human error or a misconfigured email system, can lead to unauthorized disclosure of sensitive patient information.
  2. Lack of encryption: Failing to encrypt emails containing PHI increases the risk of unauthorized access and interception.
  3. Insecure email systems: Using personal email accounts or email systems without adequate security measures, such as firewalls, access controls, and encryption, can compromise the privacy and security of PHI.
  4. Phishing attacks: Cybercriminals may use phishing emails to trick healthcare staff into revealing sensitive information or credentials, leading to unauthorized access and potential ePHI breaches.
  5. Insufficient access controls: Failing to implement appropriate access controls can result in unauthorized individuals accessing PHI, leading to data breaches or HIPAA violations.
  6. Noncompliant third-party services: Sharing PHI with third-party service providers without a business associate agreement (BAA) in place can expose healthcare organizations to noncompliance penalties and potential data breaches.
  7. Inadequate training: Staff who are not adequately trained on HIPAA requirements and secure email practices may inadvertently violate regulations or put PHI at risk.


Is patient consent required to communicate by email?

Under the HIPAA Privacy Rule, healthcare organizations can communicate with patients via email for treatment, payment, and healthcare operations purposes without obtaining specific consent. However, it is essential to ensure that appropriate security measures are in place to protect the patient's privacy and the confidentiality of their PHI.

While not required by HIPAA, it is a best practice for healthcare organizations to inform patients of the potential risks associated with email communication and obtain their consent before exchanging PHI via email. This can be done through a written consent form outlining the risks, benefits, and alternatives to email communication.

It is also important to note that some states may have more stringent privacy regulations that require patient consent for email communication, even if HIPAA does not mandate it.


Can medical records be sent via email?

Yes, a healthcare organization can send an email with medical records, provided that appropriate security measures are in place to protect the PHI contained within those records, and the email communication adheres to HIPAA's Privacy and Security Rules.


Key considerations

The main takeaway is that healthcare organizations can send patient names and other PHI, including medical records, via email, provided they adhere to the HIPAA Privacy and Security Rules and implement appropriate safeguards to protect patient privacy. 

Key considerations when sending PHI through email include encryption, access controls, authentication, training, and obtaining patient consent when necessary.

To maintain HIPAA compliance and minimize the risk of violations, healthcare organizations should:

  1. Use secure, encrypted email systems to transmit PHI.
  2. Implement robust access controls, authentication measures, and monitoring systems to protect PHI within email communications.
  3. Train staff on HIPAA requirements and best practices for secure email communication.
  4. Obtain patient consent for email communication when appropriate, and stay informed of any state-specific privacy regulations that may apply.

By following these guidelines and prioritizing patient privacy and security, healthcare organizations can effectively use email while remaining compliant with HIPAA regulations.