Hushmail Blog

Mastering HIPAA email rules: Avoid these 9 mistakes

Written by Hushmail | Jan 29, 2025 7:06:17 PM


How HIPAA compliant is your email? The rules are complex, and it’s easy to make errors without realizing it.

In this article, we cover 9 common email mistakes anyone could make, mistakes that could lead to HIPAA violations or security breaches.

We’ll also take a closer look at the HIPAA rules and how they support secure email.

Table of Contents

  1. Is email HIPAA compliant?
  2. Mistake #1: Using unencrypted email to send PHI
  3. Mistake #2: Not verifying email addresses
  4. Mistake #3: Mistyping or misreading email addresses
  5. Mistake #4: Putting PHI in the subject line
  6. Mistake #5: Sending group emails
  7. Mistake #6: Copy-paste errors
  8. Mistake #7: Emailing without client consent
  9. Mistake #8: Neglecting basic email security
  10. Mistake #9: Thinking a HIPAA email disclaimer is all you need to be compliant
  11. What are the HIPAA email rules?
    1. The HIPAA Privacy Rule
    2. The HIPAA Security Rule
  12. Frequently Asked Questions
    1. Is it a HIPAA violation to email client names?
    2. If clients email me, is their consent to be contacted by email implied?
    3. Is Gmail HIPAA compliant?
    4. Is Microsoft Outlook HIPAA compliant?

Is email HIPAA compliant?

Email can be HIPAA compliant if you protect your clients’ privacy according to the HIPAA rules.

This includes implementing reasonable safeguards to protect client data when using email. For example, you should have written policies describing how to prevent an unauthorized person from accessing your email system and ensure you use a HIPAA-compliant email provider. We’ll explain these in more detail at the end of this article.

HIPAA also governs how client information is shared. You may only email protected health information (PHI) to clients themselves or others involved with their treatment, payment for services, or in the operation of your practice. In any other case, written client consent is required to share PHI.

PHI

Information that relates to:

  • A person’s past, present, or future physical or mental health or condition
  • The provision of healthcare to a person
  • Payment for a person’s healthcare

Now, let’s look at nine mistakes that could compromise client data and your HIPAA compliance.

Mistake #1: Using unencrypted email to send PHI

Encryption is a technical process that hides the contents of an email from prying eyes. If you aren’t using it, you could risk the exposure of PHI or client records.

However, according to the HIPAA rules, encryption isn’t considered strictly necessary. Security Rule guidance from the U.S. Department of Health and Human Services (HHS) states that if you use unencrypted email, other safeguards should be applied to reasonably protect privacy, such as limiting the amount of information you send.

In a nutshell, if it’s reasonable to use encryption, you should. If you don’t use it, carefully document your reasons and avoid sending email with PHI. However, in proposals to strengthen the cybersecurity of e-PHI released on January 6, 2025, the HHS proposes that encryption of e-PHI at rest and in transit be required, with limited exceptions.

Remember that PHI includes names, email addresses, and even evidence of a relationship between a client and your practice.

That said, using unencrypted email in a HIPAA-compliant way is currently possible. Inform your clients of the risks and ask their permission to share their information this way. Remember to document their consent with a form like the one below.

Do you already have encrypted email? Great! Double-check that it’s switched on before clicking the “Send” button.

Mistake #2: Not verifying email addresses

Most people don’t verify email addresses in their personal lives, as it can seem like an unnecessary step. But if you’re handling e-PHI, it’s an important one, according to HHS guidance.

Verification is critical in these situations:

  • You receive an email requesting e-PHI. If you don’t verify the email address before responding, you could be caught in a phishing scam. According to the HHS, these are some of the most common types of security breaches.
  • You use the wrong address when emailing someone for the first time. Sending PHI to a stranger by accident could result in a serious breach.

Mistake #3: Mistyping or misreading email addresses

You’d be surprised how many errors are made by not looking closely at an email recipient. It’s easy to make a typo or mistake a John Smith for a Jon Smith when your email service automatically fills in a name for you.

However, these seemingly small slipups can cause big problems. In March 2024, for example, an employee at California Correctional Healthcare Services sent the data of over 1,000 people (including names, diagnoses, and lab results) to the wrong person. All breaches must be reported to the HHS, but since this breach involved more than 500 people, the healthcare provider was added to the HIPAA Wall of Shame.

(Image: the California Correctional Health Care Services entry on the HHS breach portal, the so-called HIPAA Wall of Shame)

To avoid errors like this, take the time to carefully select the correct address and double-check it before hitting “Send.”

Mistake #4: Putting PHI in the subject line

Subject lines are the most visible part of an email. They can be seen from the inbox or even the lock screens of some devices. And, unlike the message body, they generally aren’t encrypted.

For these reasons, you should not write anything private in the subject line.

Examples of inappropriate subject lines include:

  • “Feedback on your depression screening”
  • “Welcome back to our ADHD support group”

These subject lines give away too much information about the recipient. Remember that information related to providing healthcare to a person is PHI.

Instead of including a detailed description, it’s better to rely on more general phrasing, like “Important information.”

Mistake #5: Sending group emails

As a rule, group emails are a bad idea when you’re protecting PHI, mostly because using the CC/BCC fields invites errors that cause unintentional HIPAA violations.

When you put email addresses in the CC field, they can be seen by everyone who receives the email. Since email addresses are considered PHI, if you use the CC field to email a group, you are disclosing PHI to everyone on your list.

Using the BCC field hides the email addresses, but since it’s so easy to mistake one field for another, it’s best to avoid group emails altogether.

Mistake #6: Copy-paste errors

In a healthcare practice, you often send similar emails to multiple recipients. To save time, it can be tempting to copy text from an old email and paste it into your draft. But when you do this, you risk sending PHI, like a name or address, to the wrong client.

To save yourself time and decrease the risk of a HIPAA violation, try using email templates instead. They allow you to repurpose generic text that must be used over and over, without running the risk of sharing the wrong personal information.
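The four slip-ups above (an unverified or mistyped address, PHI in the subject line, a visible group send, and a body pasted in from another client’s message) are all things a pre-send check can catch before the message leaves the practice. The script below is an added example, not Hushmail’s code or a feature of any mail client: it keeps a verified contact book (Mistakes #2 and #3), screens the subject for terms that reveal a condition or service (Mistake #4), refuses To/CC group sends (Mistake #5), and renders reusable templates with `string.Template` so an unfilled placeholder fails loudly instead of carrying a stale name (Mistake #6). The contact book, keyword list, addresses and messages are constructed for the demonstration.

```python
"""Pre-send guard for an outgoing message (added example, not Hushmail's code).
Contact book, keyword list and sample drafts are constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from string import Template

# Constructed contact book: addresses the practice has verified, mapped to the
# display name used in messages. Only these may receive PHI.
VERIFIED_CONTACTS = {
    "jon.smith@example.com": "Jon Smith",
    "john.smith@example.net": "John Smith",
    "billing@example-biller.invalid": "ABC Billing",
    "ana.lopez@example.org": "Ana Lopez",
}

# Constructed keyword list: subject-line terms that reveal a condition or service.
SENSITIVE_SUBJECT_TERMS = ("depression", "adhd", "screening", "diagnosis",
                           "therapy", "lab results", "support group")


@dataclass
class Draft:
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    body: str = ""


def render(template: str, fields: dict) -> str:
    """Fill a reusable template. Template.substitute raises KeyError when a
    placeholder is left unfilled, so a half-edited draft cannot go out with
    a value left over from a previous message."""
    return Template(template).substitute(fields)


def check_draft(draft: Draft, contacts=VERIFIED_CONTACTS) -> list:
    """Return a list of problems; an empty list means the draft may be sent."""
    problems = []
    addrs = []

    # Mistake #3: every address must parse and match the verified contact book exactly,
    # so a typo or an autocompleted look-alike is rejected rather than delivered.
    for raw in draft.to + draft.cc + draft.bcc:
        _, addr = parseaddr(raw)
        addr = addr.lower()
        addrs.append(addr)
        if "@" not in addr:
            problems.append(f"malformed address: {raw!r}")
        elif addr not in contacts:
            problems.append(f"unverified recipient: {addr}")

    # Mistake #4: nothing in the subject may reveal a condition or service.
    subject = draft.subject.lower()
    for term in SENSITIVE_SUBJECT_TERMS:
        if term in subject:
            problems.append(f"subject reveals PHI: {term!r}")

    # Mistake #5: more than one visible recipient discloses every address to
    # everyone on the list; BCC hides them but is still a group send.
    if len(draft.to) + len(draft.cc) > 1:
        problems.append("multiple visible recipients (To/CC): addresses would be disclosed")
    if draft.bcc:
        problems.append("group send via BCC: send individual messages instead")

    # Mistake #6: a body that names a contact other than the recipient is the
    # signature of text pasted in from a message meant for someone else.
    recipient_names = {contacts[a] for a in addrs if a in contacts}
    for name in contacts.values():
        if name not in recipient_names and name in draft.body:
            problems.append(f"body mentions another contact: {name}")

    return problems


def demo():
    """Run the guard over one clean draft and one that makes several mistakes."""
    template = "Hi $name, your appointment is on $date. Reply to confirm."
    good = Draft(to=["jon.smith@example.com"], subject="Important information",
                 body=render(template, {"name": "Jon Smith", "date": "March 3"}))
    bad = Draft(to=["Jon Smith <jon.smith@example.com>", "jhon.smith@example.com"],
                cc=["john.smith@example.net"],
                subject="Feedback on your depression screening",
                body="Hi Ana Lopez, your lab results are attached.")
    return check_draft(good), check_draft(bad)


if __name__ == "__main__":
    clean, flagged = demo()
    print("clean draft:", clean or "no problems")
    for problem in flagged:
        print("flagged:", problem)
```

The exact-match contact book is the important design choice: matching on a display name or a domain would let "Jon Smith" and "John Smith" pass for each other, which is precisely the autocomplete error Mistake #3 describes. The keyword screen is a heuristic and will miss new wording, so it backs up the "Important information" convention rather than replacing it.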

Mistake #7: Emailing without client consent

Although email is commonly used today, you should never assume that it’s okay to email a client. You never know if an email account may be shared or easily accessed by another person.

Ask clients about their communication preferences on your intake forms and have them sign off on a Notice of Privacy Practices that describes how you use and protect their PHI.

According to the HHS, you must also respect a client’s request for an alternative means of communication as long as it’s reasonable. For example, if a client wants to be contacted by phone only, you must accommodate this preference.

Mistake #8: Neglecting basic email security

Since most people use email every day without issues, it’s easy to become complacent when it comes to email security. When you’re handling e-PHI, though, the bare minimum isn’t enough.

For example, most practices have password-protected email, but how many use strong passwords and update them regularly? Likely not as many.

Your clients’ data deserves strong protection. Go the extra mile by using passwords that aren’t obvious. And change them on a regular basis — every three months is ideal.

Here are some other best practices that sometimes get missed.

👉 Email security tips

  • Never write down passwords and store them where someone else can find them
  • Set your email account and computer to log off when unused
  • Never put laptops or desktop monitors in a place where they can easily be accessed or viewed by others

Mistake #9: Thinking a HIPAA email disclaimer is all you need to be compliant

Some blogs claim that adding a HIPAA disclaimer to the bottom of your emails makes you compliant. It’s just not true.

HIPAA disclaimers don’t support HIPAA compliance at all.

Some disclaimers can even backfire because they have strongly worded language that may prevent someone from contacting you if they received someone else’s PHI by mistake. For example:

“This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing, or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties.”

After reading this disclaimer, would you report an email you received by accident? Many wouldn’t.

This is a problem because if you don’t know you’ve made a mistake in the first place, you’re more likely to make it again.

To stay HIPAA compliant with email, follow the tips in this article and keep reading to ensure you understand the rules and how to apply them.

Still want to use a disclaimer? Try this instead:

👉 Example of a good disclaimer:

The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited. If you have received this transmission in error, please contact the sender at (XXX) XXX-XXXX immediately and delete this email and any attachments from any computer.

What are the HIPAA email rules?

Now that we’ve explored some common email mistakes, let’s dive into what the HIPAA rules actually say about email.

The HIPAA rules are general and apply to many aspects of running a healthcare practice. So, they don’t spell out exactly how to handle email in a HIPAA-compliant way. This allows practice owners to adapt the rules to their unique businesses.

To apply the rules to email, start by reading through them carefully. The HHS guidance on the Privacy and Security rules for small providers may help. As you review the rules, consider how they relate to email in your practice. You can also download our HIPAA-compliant Email Checklist to help you along.

The HIPAA Privacy Rule

The HIPAA Privacy Rule explains how PHI must be protected and defines how it may be shared. It also ensures that individuals can access their healthcare records.

According to the Privacy Rule, covered entities (most healthcare providers) are required to protect PHI from unauthorized access or disclosure. These protections should include administrative, technical, and physical safeguards.

Here are a few questions to get you started when applying the Privacy Rule to email:

  • Do you have policies explaining how you email PHI and to whom?
  • What protections do you have to ensure PHI is only emailed to those allowed to see it?
  • Do you inform your clients how you handle their data with a Notice of Privacy Practices?
  • If you have staff, is their training on your email policies and procedures up to date?

The HIPAA Security Rule

The HIPAA Security Rule outlines how to keep electronic protected health information (e-PHI) safe.

When you apply the Security Rule, you focus more on how PHI is stored, accessed, and transmitted electronically in your practice. Then, you take steps to defend the equipment, systems, and programs you use. The Security Rule states you must have administrative, physical, and technical safeguards to protect e-PHI.

A risk assessment is the best way to make sure you have all your bases covered. Here are a few questions to get you started:

  • Do you ensure workstations log off automatically when not in use?
  • Do you use a HIPAA-compliant email provider?
  • Is your email encrypted? If not, what other protections do you use to keep e-PHI safe?

Remember, applying these rules to any part of your practice takes time. You may need to take a course or consult with a legal expert to really master them. But ultimately, the time you spend is an investment in a secure and trustworthy healthcare practice.

Frequently Asked Questions

Is it a HIPAA violation to email client names?

Emailing client names is not a HIPAA violation as long as you comply with the HIPAA rules.

You can send client names to others involved in their treatment, payment for services, or the operation of your practice. For example, a medical biller may have access to client names because they help ensure you receive payment for your services. Make sure you have a signed Business Associate Agreement (BAA) in place with any third parties that handle your clients’ data except for:

  • Other healthcare providers when PHI is shared for treatment purposes
  • Health plans such as Medicaid
  • Health plan sponsors (such as an employer)
  • Internet service providers
  • US Postal Service
  • Other courier services

If you are emailing client names for any other purpose, you must have your clients’ written consent.

If you’d like to use client names or data for research or marketing purposes, check the HHS website to make sure you’re following all the rules.

If clients email me, is their consent to be contacted by email implied?

Yes, according to guidance from the HHS, if clients initiate email contact, their permission to correspond by email is implied.

But it’s best to explain the risks to the client and ask for written consent anyway.

Is Gmail HIPAA compliant?

This depends on the type of Gmail account you have. For example, regular Gmail (Google’s free version of email for personal use) isn’t HIPAA compliant.

Gmail can be HIPAA compliant if you use Google Workspace and sign Google’s Business Associate Agreement (BAA).

However, there are some downsides to this:

  • Gmail won’t necessarily encrypt emails if your client’s inbox doesn’t support it. To get gold-standard encryption that covers you and your clients, no matter their email service, you would need to purchase a Gmail add-on separately from a provider like Paubox or Virtru.
  • HIPAA-compliant Gmail can also be time-consuming to set up.
  • Since Google is such a large company, it can be difficult to access support when you need it.

Is Microsoft Outlook HIPAA compliant?

HIPAA compliance with Outlook also depends on the type of service you use.

Outlook is only HIPAA compliant on its own when you subscribe to Microsoft 365 for Business, ensure you have signed a BAA, and turn on encryption for each email.

The Outlook email that you get with Microsoft Office is only compliant if you combine it with a HIPAA-compliant service like Hushmail.

Looking for HIPAA-compliant email?