Can you Email Patient Names Under HIPAA?

It is not a HIPAA breach to email patient names per se, although patient names and other protected health information (PHI) should not be listed in the subject lines of emails as the information could easily be seen by unauthorized people. The general rule is that PHI, including patient names, should not be shared or disclosed without the patient’s consent or in accordance with the HIPAA regulations. However, there are certain circumstances where patient names can be shared via email within a healthcare organization or with other covered entities, provided appropriate safeguards and security measures are in place. These measures include encryption of the email, secure network connections, and limited access to authorized individuals. Even when messages are secured with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and seen. A HIPAA compliant email service like Paubox should be used to ensure safe transmission of PHI.

Patient identities (first and last name or last name and initial) are one of the 18 identifiers classified as PHI in the HIPAA Privacy Rule.Patients names and other PHI should only be shared with individuals authorized to receive that data, so care must be taken to guarantee that the email is addressed correctly. Sending an email containing PHI to the wrong recipient would be an unauthorized disclosure and a breach of HIPAA. HIPAA does not outright ban the electronic transmission of PHI. Electronic communications, including email, are allowed, although HIPAA-covered bodies must apply reasonable security measures when transmitting ePHI to ensure the confidentiality and integrity of data.

Must all Emails Including PHI be Encrypted?

HIPAA does not demand the use of encryption. Encryption is only an addressable standard. However, if, after a risk assessment, the decision is taken not to implement encryption, an alternative and equivalent security measure must be used instead.

With internal emails, it would not be necessary for messages including ePHI to be encrypted provided the messages are only shared through an internal email system and do not leave the protection of a firewall. Access controls would also need to be present to prevent messages from being opened by individuals not authorized to receive the data.

If emails including PHI are sent outside the protection of an internal network there is huge potential for PHI to be seen by unauthorized people. This is not an issue when emailing patients, provided consent to use email to send PHI has been received from the patient beforehand. The patient must have been made aware of the dangers of sending PHI via unencrypted email and must have given authorization to use such a possibly insecure method of communication.

Emailing ePHI to all other people using unencrypted email is potentially a HIPAA breach. While HIPAA encryption requirements are somewhat unspecific, in the event of a HIPAA audit or data breach investigation, it would be hard to claim that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.

It is important to note that the specific policies and procedures regarding email communication of patient names may vary among healthcare organizations. Each organization should have policies in place that align with HIPAA requirements and ensure the confidentiality and security of patient information.

Summary of key points regarding emailing patient names under HIPAA.

• Patient names are considered PHI under HIPAA.
• In general, patient names should not be shared or disclosed without the patient’s consent or in accordance with HIPAA regulations.
• However, within a healthcare organization or between covered entities, patient names can be shared via email under certain circumstances.
• Secure safeguards and measures, such as encryption, secure network connections, and limited access, should be in place when sharing patient names via email.
• Specific policies and procedures regarding email communication of patient names may vary among healthcare organizations.
• Healthcare organizations should have policies that align with HIPAA requirements and ensure the confidentiality and security of patient information.
• It is important to consult with your organization’s HIPAA Privacy Officer or legal department to understand the specific guidelines and procedures for sharing patient names via email within your organization.