Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

The risk of CC vs. BCC in HIPAA compliant email

Written by Gugu Ntsele | December 18, 2024

HIPAA's Privacy Rule and Security Rule establish guidelines for how protected health information (PHI) must be handled in electronic communications. As Holland & Hart LLP explains in their JD Supra publication "E-mailing and Texting PHI: Beware HIPAA," "The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to protect patient information stored or transmitted electronically, including protected health information ("PHI") sent in unsecure texts or e-mails."

While HIPAA doesn't explicitly prohibit the use of standard email for transmitting PHI, it does require that appropriate safeguards be in place to protect patient information from unauthorized disclosure. According to the JD Supra publication, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so".

The article further states that, "The HIPAA Security Rule generally requires covered entities and business associates to '[i]mplement technical security measures to guard against unauthorized access to [e-PHI] that is being transmitted over an electronic communications network'". More specifically, "the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI."

HIPAA compliance involves conducting risk assessments. 45 CFR § 164.312(e)(1)–(2) mandates that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. This requirement relates to email practices, as organizations must evaluate and document their approach to protecting PHI in electronic communications.

The minimum necessary standard under HIPAA requires that healthcare organizations limit the use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose. This principle is important when considering email distribution lists and recipient visibility, as it directly impacts who has access to patient information and whether that access is appropriate.

 

The difference between CC and BCC

Research by Haesevoets, De Cremer, and McGuire explains, "The Cc (Carbon copy) field indicates secondary recipients whose names are visible to one another and to the other recipients, whereas the Bcc (Blind carbon copy) field contains the names of tertiary recipients whose names are invisible to each other and to the other recipients. Bcc is thus like Cc, but covert".

When recipients are included in the CC field, their email addresses are visible to all other recipients of the message. The study notes that "The Cc function is completely transparent in terms of who the recipients of the email message are." This visibility creates a record of who received the communication, but it also means that every recipient can see the email addresses and, by extension, potentially identify other patients or healthcare providers involved in the communication.

In contrast, BCC recipients remain hidden from other recipients. Each person receiving the email can only see their own email address in the recipient list, maintaining confidentiality about who else may have received the same information. For healthcare communications involving multiple patients or providers, this distinction can mean the difference between HIPAA compliance and a violation.

Beyond the technical functionality, the choice between CC and BCC carries interpersonal implications. Research has found that "people consider the Bcc feature unethical, because the receiver of the e-mail does not know who else received the correspondence." Furthermore, "In some circumstances, the main recipients may feel insulted that you have secretly copied someone else. They may view your use of Bcc as passive-aggressive or even dishonest." The study also notes that the "use of the Bcc field sabotages the openness and honesty that is assumed when using internet e-mail" and that "people always prefer others to be open and candid with them, and this kind of underhanded behavior is bound to erode trust."

Consider a scenario where a healthcare provider needs to send test results to multiple specialists consulting on a patient's case. Using CC would reveal to each specialist the identities of all other consulting physicians, potentially disclosing information about the patient's condition that goes beyond what each individual specialist needs to know. Using BCC maintains the confidentiality of the consultation network while ensuring all necessary parties receive the information.

 

Real-world consequences of email mishaps

The healthcare industry has witnessed numerous high-profile cases where improper email practices have led to HIPAA violations. Research from the Evaluation of Causes of Protected Health Information Breaches study, which analyzed 1,138 breach cases affecting 164 million patients from 2009 to 2017, reveals that email-related mistakes are a documented and persistent problem. The study found that "Employee disclosing PHI through email mistakes (eg, wrong recipients, cc instead of bcc, unencrypted content)" accounted for 32 cases, representing 2.8% of all major breaches analyzed.

Furthermore, the research showed that "Among the 232 breaches (20.4%) that occurred during PHI communication, 152 (65.5%) were mailing mistakes and 80 (34.5%) were emailing mistakes." This data shows that communication errors, including the misuse of CC versus BCC, represent a substantial category of HIPAA violations.

This issue is further highlighted by the Paubox report, which identifies that "Email is the single largest vector for cyberattacks in the healthcare sector." Despite this vulnerability, the report reveals a disconnect in organizational priorities: most healthcare organizations "allocate less than 6% of their IT budgets to cybersecurity," a contrast to financial services, where "cybersecurity budgets often exceed 10–12% of total IT spend," and general industry, where "cybersecurity takes up 21% of IT budgets on average."

 

The Springfield Psychological case

An example of how CC versus BCC mistakes can lead to HIPAA violations occurred with Springfield Psychological in June 2020. The organization sent a routine marketing email to past, current, and prospective patients to advise them of available services. However, the email was sent in a way that allowed all recipient email addresses to be visible to all recipients—a case of using CC when BCC should have been used.

While the breach was limited in scope, containing only email addresses without treatment, diagnosis, or financial information, it still constituted a HIPAA violation. The incident demonstrates how even seemingly minor mistakes can have consequences. Springfield Psychological was required to conduct an internal investigation, communicate with the U.S. Department of Health and Human Services Office of Civil Rights (OCR), and ultimately notify all affected individuals in accordance with HIPAA requirements—a process that took nearly a year to complete.

This case shows several points about email security in healthcare:

  • Even marketing communications to patients can create HIPAA violations if not handled properly
  • The exposure of patient email addresses alone constitutes a breach of PHI
  • The consequences extend beyond the initial mistake, requiring investigation, regulatory communication, and patient notification
  • Organizations must review and enhance their policies and procedures following such incidents

According to research cited by Briana Contreras in Managed Healthcare Executive, IBM has reported that the average cost of a healthcare data breach now reaches $9.8 million—a figure confirmed by the Paubox report. Beyond the immediate financial penalties, healthcare organizations face long-term reputational damage, loss of patient trust, increased regulatory scrutiny, and potential civil litigation from affected patients.

 

The internal nature of the problem

One of the findings from the Evaluation of Causes of Protected Health Information Breaches study is that "603 PHI breaches (53.0%) were internal, attributable to the health care entities' own mistakes or neglect." This statistic reveals that more than half of all major PHI breaches stem not from external cyberattacks or malicious outsiders, but from internal errors and oversights by healthcare staff themselves.

This finding is relevant to email security, as CC versus BCC mistakes fall squarely into the category of internal errors. When healthcare workers select the wrong email field or fail to follow proper protocols, they create vulnerabilities that can be just as damaging as external threats. As Tony Cox, CIO at Henderson Behavioral Health, observes in the Paubox report: "I see the gap in time between new vulnerabilities emerging and budgets catching up to them. That delay? That's where the attackers live."

 

Best practices for HIPAA compliant email

Healthcare organizations should develop email policies that explicitly address when and how to use CC versus BCC fields, particularly when PHI is involved. These policies should be integrated into regular staff training programs and reinforced through periodic refresher sessions.

The Evaluation of Causes of Protected Health Information Breaches study found that healthcare entities have learned from their mistakes. The research noted that "Before emailing PHI, entities adopted mandatory verification of the recipient, the copy protocol (bcc vs cc), and the encryption of content" as common corrective actions following breaches.

However, the Paubox report challenges the traditional reliance on training alone, noting that while organizations assume "Our staff are well-trained, so we're secure," the reality is that "Human error is inevitable. You need tools that compensate, not just train." This insight suggests that effective email security requires a combination of clear policies, ongoing training, and technological safeguards that reduce the likelihood of human error.

The default approach for healthcare communications should be to use BCC whenever multiple recipients are involved, unless there is a specific business need for recipients to see each other's contact information. Even in cases where recipient visibility might be appropriate, organizations should evaluate whether such visibility is necessary under HIPAA's minimum necessary standard.

Staff should be trained to pause and review recipient lists before sending any email containing PHI. This practice should include verifying that all recipients are authorized to receive the information, confirming that the appropriate field type (CC or BCC) has been selected, and ensuring that the content of the message complies with organizational policies regarding PHI disclosure.

Regular auditing of email practices can help identify potential issues before they become violations. This might include reviewing sent email logs for patterns that suggest improper use of CC fields, monitoring for unusually large distribution lists, or conducting spot checks of email communications to ensure compliance with established protocols.
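The following is an added example, not Paubox's own code, that puts the preceding advice into working form: it shows concretely why BCC hides recipients (the Bcc header is removed from the copy that leaves the server, so each recipient sees only To and Cc), implements the pre-send "pause and review" check as a policy function, and runs the same check over a sent folder as an audit that flags visible external recipients and unusually large distribution lists. The policy thresholds, the domain clinic.example, the addresses and the sample messages are all constructed for illustration.

```python
"""Pre-send and sent-mail audit checks for CC vs. BCC use.

Added example for this post, not Paubox's code. Policy assumed here (hypothetical):
a message with more than one recipient outside the organisation's own domain must
carry those recipients in Bcc, and any message whose total recipient count exceeds
LARGE_LIST is flagged for review. Domains, addresses and messages are constructed.
"""
import email
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"  # assumption: the covered entity's own mail domain
LARGE_LIST = 25                     # assumption: review threshold for distribution lists


def _addrs(msg, header):
    """Bare lower-cased addresses from every occurrence of a header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]


def visible_recipients(msg):
    """Recipients every other recipient can see: To and Cc."""
    return _addrs(msg, "To") + _addrs(msg, "Cc")


def hidden_recipients(msg):
    """Bcc recipients. A conforming client or MTA drops this header before delivery."""
    return _addrs(msg, "Bcc")


def is_external(addr):
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def check_recipient_policy(msg, max_visible_external=1):
    """Pre-send check. Returns a list of findings; an empty list means the message passes."""
    findings = []
    ext_visible = [a for a in visible_recipients(msg) if is_external(a)]
    total = len(visible_recipients(msg)) + len(hidden_recipients(msg))
    if len(ext_visible) > max_visible_external:
        findings.append(
            f"{len(ext_visible)} external addresses visible in To/Cc; move them to Bcc")
    if total > LARGE_LIST:
        findings.append(f"{total} recipients exceeds the review threshold of {LARGE_LIST}")
    return findings


def wire_copy(msg):
    """The copy that leaves the server: the same headers minus Bcc.
    smtplib.send_message does this itself and uses the Bcc addresses only as SMTP
    envelope recipients; it is reproduced here so the effect is visible offline."""
    copy = email.message_from_bytes(bytes(msg), policy=msg.policy)
    del copy["Bcc"]  # no error if the header is absent
    return copy


def build(sender, to, cc=(), bcc=(), subject="Appointment reminder"):
    """Construct a sample message; the body deliberately contains no PHI."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content("Constructed sample body; no PHI.")
    return msg


def audit_sent(messages):
    """Audit a sent folder: returns {subject: findings} for messages that fail the policy."""
    return {str(m["Subject"]): f for m in messages if (f := check_recipient_policy(m))}


# Constructed samples: the Springfield-style mistake beside the corrected form.
PATIENTS = [f"patient{i}@mail.example" for i in range(1, 4)]
MISTAKE = build("frontdesk@clinic.example", [PATIENTS[0]], cc=PATIENTS[1:],
                subject="New services available")
CORRECT = build("frontdesk@clinic.example", ["frontdesk@clinic.example"], bcc=PATIENTS,
                subject="New services available (bcc)")

if __name__ == "__main__":
    for m in (MISTAKE, CORRECT):
        print(m["Subject"], "->", check_recipient_policy(m) or "OK")
        print("  recipients each person sees:", visible_recipients(wire_copy(m)))
        print("  Bcc header on the wire:", wire_copy(m).get("Bcc"))
```

The pre-send check is the place to hook a mail client or gateway plugin; the audit function is the same logic run over an exported sent folder, which is what the "review sent email logs" step above amounts to. Treating the sender's own address as the only visible recipient (To self, everyone else in Bcc) is the pattern that keeps a bulk patient mailing within the policy.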


 

FAQs

Does HIPAA specifically mention CC or BCC in its rules?

No, HIPAA does not explicitly reference CC or BCC but requires safeguards to prevent unauthorized disclosure of PHI.

 

Why is using CC instead of BCC risky in healthcare emails?

Using CC exposes all recipient email addresses, potentially disclosing PHI to unauthorized individuals.

 

Can email addresses alone be considered PHI under HIPAA?

Yes, when linked to a healthcare context, email addresses can qualify as PHI and must be protected.

 

Are there penalties for mistakenly using CC instead of BCC?

Yes, it can result in HIPAA violations, regulatory investigations, and patient notifications, even if no medical details are shared.

 

How can healthcare organizations avoid CC/BCC mistakes?

They can implement policies, staff training, and technological safeguards like secure email platforms or automatic BCC settings.