We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information.
Is it a HIPAA Violation to Email Patient Names?
Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule.
HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.
It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and viewed.
Patients names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.
Must all Emails Containing PHI be Encrypted?
HIPAA does not require the use of encryption. Encryption is only an addressable standard. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place.
In the case of internal emails, it would not be necessary for messages containing ePHI to be encrypted provided the messages are only sent via an internal email system and do not leave the protection of a firewall. Access controls would also need to be in place to prevent messages from being opened by individuals not authorized to receive the information.
If emails containing PHI are sent outside the protection of an internal network there is considerable potential for PHI to be viewed by unauthorized individuals. This is not a problem when emailing patients, provided consent to use email to send PHI has been obtained from the patient in advance. The patient must have been made aware of the risks of sending PHI via unencrypted email and must have given authorization to use such a potentially insecure method of communication.
Emailing ePHI to all other individuals using unencrypted email is a risky strategy. While HIPAA encryption requirements are somewhat vague, in the event of a HIPAA audit or data breach investigation, it would be hard to argue that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.
The post Is it a HIPAA Violation to Email Patient Names? appeared first on HIPAA Journal.