1 min read

Sharing patient information with employers using HIPAA compliant email

Picture of Kirsten Peremore Kirsten Peremore October 1, 2024

HIPAA compliant email Patient privacy
Neon glowing envelope and padlock icon on circuit board background

While HIPAA does not apply in the workplace, healthcare providers are required to follow specific requirements when sharing patient information with employers. These requirements, especially the need for patient authorization ensure that information remains safe when shared with third parties like employers. 

 

How HIPAA governs sharing PHI with employers

HIPAA, specifically the Privacy Rule, does not generally apply to information relating to patient employment. This is because employers are not covered entities. Healthcare providers treating patients outside the workplace are however subject to HIPAA. For this reason, there are specific guidelines that must be adhered to before the patients protected health information (PHI) can be shared. 

One of the primary requirements is mentioned in HHS guidance, specifically statingif your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so.While employers can request information like doctor's notes or other health information, they cannot gain access without the patient's permission. 

 

How to share patient information with employers using HIPAA compliant email 

Choose a HIPAA compliant email provider:

  • Select a HIPAA compliant email service that offers features like encryption, and audit logs and is willing to sign a business associate agreement (BAA).  

Obtain patient authorization: 

  • Before sharing any PHI with an employer, obtain authorization from the patient related to what can be shared, the purpose, and the duration of consent.

Limit the information shared: 

  • Only share the minimum necessary information that the employer needs to know. 

Train staff: 

  • Regularly train staff members on HIPAA regulations and secure email practices so that they understand the need to protect PHI and proper procedures. 

Document the process: 

  • Keep a record of all communications involving PHI shared with employers. 

FAQs

Can mandatory drug testing results be shared with employers? 

Yes, this can be shared with employee authorization or by requirement of the law. 

 

Is employee health information collected by medical staff working for their employer considered PHI? 

No. 

 

What is encryption? 

The process of converting data into a secure code to prevent unauthorized access. 
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
laptop and smartphone

Best practices for patient communication using HIPAA compliant email

Picture of Tshedimoso Makhene Tshedimoso Makhene : February 15, 2025

Using HIPAA compliant email to communicate with patients requires adherence to best practices to ensure privacy, security, and compliance.

HIPAA compliant email Patient privacy
Read More
Doctor holding patient's hand during consultation

Disclosing a minor's PHI using HIPAA compliant email

Picture of Tshedimoso Makhene Tshedimoso Makhene : September 11, 2024

Disclosing a minor’s PHI via HIPAA compliant email requires careful consideration of who is authorized to receive the information, the security...

HIPAA compliant email Patient privacy
Read More
opt-in text on keyboard

Do you need opt-in consent to send emails?

Picture of Liyanda Tembani Liyanda Tembani : July 2, 2024

HIPAA doesn't require opt-in consent for all patient email communication. However, emails containing protected health information (PHI) require...

HIPAA compliant email
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.