Patient idenities (first and last name or last name and initial) are one of the 18 identifiers classified as protected health information (PHI) in the HIPAA Privacy Rule.
HIPAA does not outright ban the electronic transmission of PHI. Electronic communications, including email, are allowed, although HIPAA-covered bodies must apply reasonable security measures when transmitting ePHI to ensure the confidentiality and integrity of data.
It is not a HIPAA breach to email patient names per se, although patient names and other PHI should not be listed in the subject lines of emails as the information could easily be seen by unauthorized people. Even when messages are secured with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and seen.
Patients names and other PHI should only be shared with individuals authorized to receive that data, so care must be taken to guarantee that the email is addressed correctly. Sending an email containing PHI to the wrong recipient would be an unauthorized disclosure and a breach of HIPAA.
Must all Emails Including PHI be Encrypted?
HIPAA does not demand the use of encryption. Encryption is only an addressable standard. However, if, after a risk assessment, the decision is taken not to implement encryption, an alternative and equivalent security measure must be used instead.
With internal emails, it would not be necessary for messages including ePHI to be encrypted provided the messages are only shared through an internal email system and do not leave the protection of a firewall. Access controls would also need to be present to prevent messages from being opened by individuals not authorized to receive the data.
If emails including PHI are sent outside the protection of an internal network there is huge potential for PHI to be seen by unauthorized people. This is not an issue when emailing patients, provided consent to use email to send PHI has been received from the patient beforehand. The patient must have been made aware of the dangers of sending PHI via unencrypted email and must have given authorization to use such a possibly insecure method of communication.
Emailing ePHI to all other people using unencrypted email is a dangerous strategy. While HIPAA encryption requirements are somewhat unspecific, in the event of a HIPAA audit or data breach investigation, it would be hard to claim that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.