Sending Protected Health Information via Email

Tips for Sending Protected Health Information via Email

by Elizabeth E. Hogue, Esq.


The use of email pervades the healthcare world today.  Without thinking, many providers send information all day, every day via email messages.  Providers must take extra care, however, with the transmission of protected health information (PHI), as defined by the Health Insurance Portability and Accountability Act (HIPAA).


First, providers should consider alternatives to the disclosure of PHI in email messages, such as:

    • Telephone calls, instead of emails
    • Establishment of an extranet with encryption and limited access rights
    • Sending PHI on CDs, DVDs, or flash drives via overnight delivery service

It may also be unnecessary to refer to patients at all in email messages.  If updated orders are received from a physician, for example, a message could be sent alerting staff to receipt of orders from Dr. X for a male patient.


If it is necessary to refer to individual patients, providers should consider referring to patients by the initials of their first and last names, instead of using their full names. 


Providers may also wish to implement encryption or secure email messaging in order to protect PHI in emails.  If the recipient cannot support the use of encryption or secure messages, however, this option may not be viable.


If providers elect to use encryption, the encryption programs they use must meet standards published by the National Institute of Standards and Technology (NIST).  When providers use programs that meet these standards, they may avoid an obligation to report breaches, because PHI encrypted in this way falls within a safe harbor or exception to the breach reporting obligation.


It is important to note that unencrypted emails may always be sent to patients who are the subject of the PHI that is sent.  Providers should tell patients that there is some risk of disclosure, but providers are not responsible for unauthorized access if patients still wish to receive information via unencrypted message.


Here are additional potential problem areas that providers may encounter when they are sending PHI via email and how to handle them: 

    • Sending emails to multiple recipients that include PHI: providers should blind carbon copy (bcc) recipients, as opposed to listing them all in the "to" line
    • Sending PHI to or from personal email accounts: providers should avoid both of these practices altogether
    • Email addresses that "auto-fill": providers should carefully check addresses that auto-fill to make certain that they are correct

Finally, providers should develop a comprehensive policy and procedure that governs sending PHI via email.  Staff members should be thoroughly trained regarding compliance with this policy and procedure.


The stakes are high!  The Office of Civil Rights and State Attorneys General, the enforcers of privacy rights, are in enforcement mode!  Special care with regard to this area is definitely needed now. 


©2014 Elizabeth E. Hogue, Esq.  All rights reserved. (877) 871-4062


No portion of this material may be reproduced in any form without the advance written permission of the author.

