Paubox blog

When is an email disclosure an incidental?

Written by Gugu Ntsele | July 12, 2025

HIPAA's Privacy Rule establishes guidelines for protecting Protected Health Information (PHI), which includes any individually identifiable health information held or transmitted by covered entities. When it comes to email communications, the challenge becomes distinguishing between intentional disclosures that require specific safeguards and authorization and incidental disclosures that may occur despite reasonable security measures. As the Department of Health and Human Services clarifies, "The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices".

When is an email disclosure incidental?

The concept of incidental disclosure recognizes that certain exposures of PHI may occur despite reasonable safeguards being in place. According to HHS guidance, "An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented". CMS further clarifies, "Sometimes, you can't reasonably prevent limited disclosures, even when you're following HIPAA requirements." In the context of email, these disclosures are typically limited in scope, occur as a byproduct of otherwise permitted uses or disclosures, and meet the specific criteria described below.

Technical email mishaps

An incidental disclosure might occur when email auto-complete suggests addresses as you type, briefly displaying other recipients' information. Similarly, when an email recall function notifies recipients that an email was recalled, this display of information is typically considered incidental if proper security measures are in place.

These technical features are inherent to modern email systems and serve legitimate purposes in facilitating communication. When they result in brief, unintended exposures of PHI, the focus shifts to whether reasonable safeguards were in place to minimize such occurrences. Organizations should implement policies that address these technical limitations while maintaining the functionality that makes email communication effective. According to the CMS, the HIPAA Privacy Rule does permit healthcare organizations to "Use email, phone, or fax machines to communicate with other health care professionals and with patients, as long as you use safeguards".

Read also: Is Virtru's email recall feature worth it?

Email system functions

When using standard email features like BCC or CC fields, some information may be temporarily visible during the email composition process. These brief exposures may be considered incidental if they occur within secure email environments and involve authorized users.

This aligns with the National Institute of Standards and Technology (NIST) perspective on secure email systems, which emphasizes the importance of "appropriate mail handling rules" and authorized users within a secure environment. When brief exposures occur within these controlled environments between authorized users, they may be considered incidental rather than breaches.

The distinction is that the same technical exposure that might constitute a breach in an unsecured environment may be considered incidental when it occurs within a properly secured system among authorized users. This shows the importance of implementing email security measures and maintaining clear policies about who the authorized users are and what their access levels should be.

Read also: The risk of CC vs BCC in HIPAA compliant email

Immediate email recovery

If an email is sent to an incorrect but authorized recipient within the organization and immediate steps are taken (like using the recall function, sending a follow-up "please delete" message, or contacting IT support), this could qualify as an incidental disclosure rather than a breach.

The speed and appropriateness of response are factors in determining whether such incidents qualify as incidental disclosures. Organizations should have clear protocols for addressing misdirected emails, including immediate notification procedures and documentation requirements. The goal is to minimize the potential for harm while demonstrating that reasonable efforts were made to mitigate the disclosure.

Read also: When PHI is sent to the wrong email address

Email platform limitations

When using business email systems that show previous recipients in email chains or display names in global address lists, these exposures may be considered incidental if they occur despite having reasonable email security measures in place.

According to a NIST Special Publication, even when email is encrypted, “inference of information is still possible in certain circumstances…” Certain metadata and traffic patterns may remain visible because of limitations in email systems, even with security measures in place. When these exposures are minimal and occur despite appropriate safeguards, they may be considered incidental.

This acknowledgment of technical limitations is important for healthcare organizations. It recognizes that perfect information security may not be technically feasible, but that reasonable efforts to implement available safeguards can provide a defense against breach allegations when minimal exposures occur.

Learn more: How to handle accidental HIPAA email breaches?

The legal framework for email disclosures

HIPAA's Privacy Rule and the breach notification requirements established by the HITECH Act create a framework for evaluating when email disclosures constitute reportable breaches versus incidental exposures.

The Privacy Rule establishes the general principle that PHI should only be disclosed for purposes of treatment, payment, or healthcare operations, or with appropriate authorization. However, it also recognizes that incidental disclosures may occur as a byproduct of otherwise permitted activities. CMS clarifies that "these incidental disclosures aren't a HIPAA violation as long as you're following the required reasonable safeguards".

Under HITECH, covered entities must assess whether unauthorized disclosures pose more than a low probability of harm to individuals. CMS defines a breach as "an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI." This risk assessment must consider factors such as the nature of the PHI involved, the person who received it, whether it was actually viewed, and the extent to which risk has been mitigated.

Learn more: The basics of HITECH and how it works with HIPAA

Best practices for email security

Implementing email security measures is necessary to maintain HIPAA compliance while enabling efficient communication. Organizations should adopt a multi-layered approach that addresses both technical safeguards and administrative controls.

The HHS emphasizes that "Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as size." Smaller practices may implement different security measures than large hospital systems, but all must demonstrate efforts to protect PHI.

Technical safeguards should include end-to-end encryption, secure email gateways, and access controls that limit who can send and receive emails containing PHI. Additionally, organizations should implement audit logging capabilities that track email communications and provide the documentation necessary for compliance monitoring.

Administrative controls are equally important. These include policies governing the use of email for PHI communications, training programs that educate staff about proper email practices, and incident response procedures that address potential breaches. Regular risk assessments should evaluate the effectiveness of these controls and identify areas for improvement.

Organizations should also consider implementing technology solutions that provide additional layers of protection. These might include data loss prevention tools that scan outbound emails for PHI, email recall capabilities that allow users to retrieve misdirected messages, and secure messaging platforms that provide alternatives to traditional email for sensitive communications. HIPAA compliant email solutions like Paubox can help organizations maintain communication while ensuring encryption and security measures are automatically applied to protect PHI in transit.
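As an added example (not Paubox's code or the page's own), here is a minimal outbound DLP policy check of the kind described above: it scans a draft for constructed PHI indicators, classifies each recipient against hypothetical internal and BAA domain lists, flags the CC-versus-BCC exposure the page warns about, and returns an allow/encrypt/hold decision with reasons that can be written to the audit log.

```python
import re
from dataclasses import dataclass, field
# Constructed policy data: the covered entity's own domain and the
# domains of business associates with a signed BAA (hypothetical names).
INTERNAL_DOMAINS = {"clinic.example"}
BAA_DOMAINS = {"billing-partner.example"}

# Constructed PHI indicators; a production rule set would be broader.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

@dataclass
class Decision:
    action: str                 # "allow", "encrypt" or "hold"
    reasons: list = field(default_factory=list)

def classify_recipient(addr):
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in BAA_DOMAINS:
        return "baa"
    return "external"

def scan_outbound(visible_recipients, bcc, subject, body, encrypted):
    """Apply the outbound DLP policy to a draft before the gateway releases it."""
    text = subject + "\n" + body
    hits = sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))
    if not hits:
        return Decision("allow", ["no PHI indicators found"])
    reasons = ["PHI indicators: " + ", ".join(hits)]
    classes = {classify_recipient(r) for r in visible_recipients + bcc}
    external_visible = [r for r in visible_recipients if classify_recipient(r) == "external"]
    # Several external parties in To/CC would see each other's addresses next to PHI.
    if len(external_visible) > 1:
        reasons.append("multiple external recipients in To/CC; use BCC or separate messages")
        return Decision("hold", reasons)
    # Any external recipient without a BAA is routed for human review (e.g. a patient's request on file).
    if "external" in classes:
        reasons.append("external recipient without a BAA; routed for review")
        return Decision("hold", reasons)
    if not encrypted:
        reasons.append("PHI to authorized recipients must be encrypted in transit")
        return Decision("encrypt", reasons)
    reasons.append("recipients authorized and message encrypted")
    return Decision("allow", reasons)
```

The `reasons` list is what the incident log needs: it records which safeguard fired and why the message was released, encrypted, or held.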

Emerging technologies and future considerations

Organizations should stay informed about emerging technologies that might enhance email security or create new compliance challenges.

Artificial intelligence and machine learning technologies are being used to identify and prevent unauthorized disclosures of PHI. These tools can analyze email content and metadata to identify potential security risks and automatically apply appropriate safeguards. However, they also raise questions about the privacy implications of automated content analysis.

According to Paubox's "Healthcare IT is dangerously overconfident about email security" report, "We've seen email threats evolve faster than many tools meant to stop them. It's not just about phishing anymore—it's about deception at scale." This evolution presents particular challenges for healthcare organizations, as "Cybercriminals are exploiting the biggest vulnerability within any organisation: humans. As progress in artificial intelligence (AI) and analytics continues to advance, hackers will find more inventive and effective ways to capitalise on human weakness in areas of (mis)trust, the desire for expediency, and convenient rewards."

Despite recognizing these threats, there's a gap between awareness and implementation. The Paubox report reveals that while 89% of healthcare IT leaders identified AI and machine learning as critical for detecting email threats, only 44% currently use AI-powered threat detection. The disparity leaves many organizations vulnerable to attacks that can bypass traditional security measures. The practical implications of this gap are significant. For instance, one organization's legacy system flagged over 200 marketing emails as threats but nearly missed a spoofed email impersonating the CFO, which could have resulted in a $70,000 loss.

Cloud-based email services present both opportunities and challenges for HIPAA compliance. While these services can provide enhanced security features and scalability, they also require careful evaluation of business associate agreements and data residency requirements. Organizations should ensure that cloud providers can meet their HIPAA compliance obligations before migrating email systems.

As email threats continue to evolve, organizations must balance the implementation of advanced security technologies with maintaining HIPAA compliance. This includes ensuring that any AI-powered security solutions used to protect PHI are themselves compliant with privacy regulations and that they don't inadvertently create new vulnerabilities or compliance issues.

FAQs

What qualifies as a reasonable safeguard in the context of email disclosures?

Reasonable safeguards include encryption, access controls, staff training, and secure email platforms that minimize unauthorized access to PHI.

Is an email disclosure still incidental if the PHI is viewed by an unauthorized person?

No, once PHI is accessed by an unauthorized person, it typically no longer qualifies as incidental and may require breach notification.

Can email disclosures to business associates be considered incidental?

Only if there is a valid Business Associate Agreement in place and the disclosure aligns with permitted uses under HIPAA.

Are disclosures caused by misconfigured auto-complete settings considered incidental?

If an email is sent to an incorrect but authorized user due to auto-complete, and safeguards were in place, it may be deemed incidental depending on context.

How do healthcare organizations document incidental disclosures?

Organizations should maintain incident logs detailing the event, safeguards in place, response actions, and why the incident was deemed non-reportable.