
HIPAA and Email: there are rules

Jim Hook, MPH

Part one of a two-part series on HIPAA and email.

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.


HIPAA Privacy and Security rules are concerned with email, and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • considering using, or
  • being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then it bears repeating that the Internet, and things like email sent over the Internet, are not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.


HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”


To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.
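As an added illustration (not the article's or The Fox Group's code), the following Python sketch turns the precautions quoted above from the OCR FAQ into a pre-send check: the recipient address must match the address on file and have been confirmed with the patient, PHI in the body is allowed only with documented consent or an encrypted channel, and the subject line is checked separately because it is visible in transit even when the body is encrypted. The patient directory, consent flags and identifier patterns are constructed for the example and are not from the page.

```python
"""Pre-send safeguard check for email to patients (added example).

Assumptions (all constructed for this illustration):
  - PATIENTS is a stand-in for the practice's patient directory.
  - PHI_PATTERNS are deliberately simple, hypothetical identifier patterns.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed directory: email on file, whether written consent to plain
# email was documented, and whether the address was confirmed with the
# patient (e.g. by a test/alert message) before any PHI was ever sent.
PATIENTS = {
    "MRN-00012345": {"name": "Bobby Howard", "email": "bhoward@example.com",
                     "consent_plain_email": True, "address_confirmed": True},
    "MRN-00067890": {"name": "Jane Doe", "email": "jdoe@example.com",
                     "consent_plain_email": False, "address_confirmed": False},
}

# Hypothetical PHI identifier patterns: dates (DOB / date of service),
# medical record numbers in the constructed MRN-nnnnnnnn form, and SSNs.
PHI_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN-\d{8}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Message:
    to: str
    subject: str
    body: str
    encrypted_channel: bool = False  # True if sent via a secure mail gateway


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def find_phi(text: str, patient_name: str) -> List[str]:
    """Return the kinds of PHI identifiers present in text (patient name included)."""
    found = [kind for kind, pat in PHI_PATTERNS.items() if pat.search(text)]
    if patient_name.lower() in text.lower():
        found.append("name")
    return found


def check_outbound(msg: Message, mrn: str) -> Decision:
    """Decide whether msg may be sent to the patient identified by mrn."""
    record = PATIENTS.get(mrn)
    if record is None:
        return Decision(False, ["no patient record for recipient"])
    reasons = []
    # Precaution 1 (OCR FAQ): check the address for accuracy before sending.
    if msg.to.strip().lower() != record["email"].lower():
        reasons.append("recipient address does not match address on file")
    # Precaution 2 (OCR FAQ): the address must have been confirmed with the patient.
    if not record["address_confirmed"]:
        reasons.append("address not confirmed with patient")
    # The subject line travels in the clear even when the body is encrypted,
    # so it may never carry PHI.
    subject_phi = find_phi(msg.subject, record["name"])
    if subject_phi:
        reasons.append("PHI in subject line: " + ", ".join(subject_phi))
    # PHI in the body needs either an encrypted channel or documented consent.
    body_phi = find_phi(msg.body, record["name"])
    if body_phi and not msg.encrypted_channel and not record["consent_plain_email"]:
        reasons.append("PHI in body without encryption or documented consent: "
                       + ", ".join(body_phi))
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    demo = Message(to="jdoe@example.com", subject="Results for Jane Doe",
                   body="Your MRN-00067890 labs are back.")
    result = check_outbound(demo, "MRN-00067890")
    print("allowed" if result.allowed else "blocked:", *result.reasons, sep="\n  ")
```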


HIPAA and email continued …

So how should healthcare providers ensure they’re using HIPAA compliant email?  I’ll cover that in Part II of this series.  Stay tuned.


200 Comments to “HIPAA and Email: there are rules”

  1. So… In light of all this, I have a question regarding HIPAA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be first initial, last name. “B. Howard”. Is there a rule here?

    Thanks – great article!

    Ryan

    • Ryan, the rules are the same old rules, whether email communications are directly between providers and patients or between providers and a vendor like an answering service: don’t put PHI into an unsecured email. An email to a provider of any kind with a patient’s name and the fact that they have an appointment could be considered a breach, even if the likelihood of the email being intercepted by someone who shouldn’t have it and the patient being identified, is vanishingly small. Using an abbreviated name of any kind has its own problems. What if you have more than one patient with the same first initial and last name? And adding another identifier like a birth date only makes it worse.

      There are several possible solutions as we outlined in the blog, like getting a patient’s consent to allow emails about appointments or using a HIPAA compliant email system. The answering service could simply draft emails but not send them, and instead, fax over copies of the unsent emails in the morning. Of course they would have to delete the drafts religiously so nothing is sent inadvertently. They could also just keep a typed list that they fax over.

      If there was ever a complaint alleging a breach of privacy, both the answering service and your organization could be in trouble: the answering service for committing the breach, and your organization for not enforcing the provisions of the Business Associate Agreement you should have in place with them.

      There has not been a major breach case involving email as yet, but there is almost certain to be one once a patient complains to the Office of Civil Rights that privacy was breached because emails with PHI were made public. Don’t be the test case for that occurrence!

      • I have another question regarding this. Can a patient name or employee name be used in the subject line of interoffice emails?

        • Employee names are not covered by HIPAA, unless the employee is also a patient and the email contains PHI about him or her. If your interoffice email is secure, like from one gmail account to another within the organization, you could put the patient’s name in the subject line, along with PHI about the patient. If it goes through a public email service, where it is transmitted via servers outside the organization, you should avoid putting patient information including names in such emails. The exception is gmail, which is supposed to be encrypted from one gmail account to another.

          • I would note the following:

            I would recommend Last Name only, with no other PII/PHI provided in the Subject line. While there are multiple same last names, the person receiving the email would need to read the email, regardless, since the Subject line is only a tip-off.

            When using email, regardless of provider, the subject line is viewable. I do not know what GOOGLE does/says about this, but it is normally the email body that is encrypted.

            As it relates to the use of encrypted email, Federal email encryption must meet NIST FIPS encryption standards. I do not believe GOOGLE meets this requirement for the Federal government.

  2. do you have any suggestions of some HIPAA compliant email services?

    • Naomi, we don’t recommend specific products. If you do a search for HIPAA Compliant Email, you will see products by several vendors. I recommend reviewing two or three to find one that meets your needs.

  3. I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
    It’s obvious this is an issue of control and I’m aware of HIPAA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?

    • Marie, the rules on disclosure of PHI (personal health information) that apply to Covered Entities, like a therapist, are pretty clear: PHI cannot be disclosed to outside parties without the consent of the patient, or a person authorized to give consent for the patient. There are several exceptions, of course, like disclosures for healthcare operations such as billing and making referrals to other providers. From your description, it is not clear if your emails become part of the patient’s medical records, which would make them PHI. Any Covered Entity using email to communicate with patients should get written consent for using email, and, if possible, use an email application that is encrypted.

      Your situation also points up one of the disadvantages of using email to conduct discussions about private health information. It is very convenient, but you can never be sure it will not be compromised, just because of the nature of the internet, or because of the ease of sharing, whether authorized or not. In the end, it sounds like you need to discuss the issue with the therapist.

  4. Can a pediatric practice email or fax vaccine records to parent of patient without written consent?

    • Laura, faxing is considered a secure method of sending records containing PHI (which would include vaccine records), but you should have the parent’s approval to fax them. You can record a note in the medical record that the parent requested the records be faxed, and that’s what you did, or you can ask the parents to complete a regular release of records form that includes faxing as the method of delivery.

      Sending these records by email (by which we mean regular, unsecured email) is more problematic. If you do not have a secure email application to use to send them, then you definitely should have consent in writing to use email to send the information. As part of that consent, you should warn the parents that email is not considered a secure method of transmission, and the records are subject to being found and accessed by someone else. The idea is to make it an informed consent.

  5. I just received an email from my ob/gyn about a health fair they are having. I can see the names of all recipients of the email. Is this a violation?

  6. I recently received email correspondence from a government body with a different person’s name and address. Is this still considered a violation of HIPAA?

    • You don’t specify if the content of the email contained personal health information about another person. If it does, it could be a HIPAA violation. If it does not contain PHI, it would not be covered by HIPAA.

  7. Is it PHI under HIPAA if a patient’s name is included in an email regarding a) a check that was received by a practice or b) a bounced check paid to the practice by a patient?

    • Barbara, this is something of a grey area. You don’t specify the exact email exchange, but if you sent an email to a patient regarding a bounced check, with no information about the services received, dates, etc., then it may not be considered a breach of privacy. To be safe (or at least safer), it is always best to obtain the patient’s consent before there is any correspondence via unsecured email. Or, make use of a HIPAA-compliant email application, of which there are several to choose from.

      If your patient complained to the Office of Civil Rights that his/her privacy was violated because of the use of email to correspond, even about payment, you are at the mercy of the OCR attorney assigned to investigate the complaint. They are going to assume a covered entity like a medical practice knew the rules and the guidance they have issued, even if patients didn’t object at the time.

  8. My employer plans to replace a patient portal product in the future. The patient portal allows the patient to send secure messages to their care provider as well as view lab results, renew prescriptions and schedule appointments. With the current patient portal, the patient’s email address is collected and stored as demographic data.

    When it comes time to bring the new patient portal on line, methods to inform current patient portal users are in discussion. One of the options suggested is to send a “blast email” to the patients who are actively using the current patient portal. Notifying by email those patients who gave their email address seems like a quick and efficient method to get the word out that the patient portal vendor is changing.

    The patient’s name would not be included in the email, but the patient’s email will be used. No other patients will see another patient’s email address and no other PHI except for the patient’s email address will be used.
    Under HIPAA guidelines, would this approach be acceptable?

    • The answer depends on the terms and conditions that apply to patients who sign up to use the portal. Are there specific provisions that advise patients their email address is collected and may be used to contact them in the future? If not, when the Office of Civil Rights comes to investigate a complaint from someone, they may decide you did not employ reasonable safeguards when using email to communicate.

      The general advice from the FAQs page of the OCR regarding use of email (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html) advises providers to employ reasonable safeguards when using email for communications, and even sending a test email prior to sending an email with actual information to confirm you have the right email address. One of the issues that comes up with test emails or with the blast email notification regarding the portal, is that you have no idea who may be reading the email at the patient end, including family members who are sharing the email address and who didn’t know the patient was going to the provider! We always recommend documenting consent from the patient on the use of email during a visit, so there is no question about its use.

      What about posting the change on the current portal and even redirecting patients to the new portal location when they attempt to login after the change. That way patients get notified and redirected at exactly the time they are seeking to connect. And it leaves aside any questions about the use of email for this purpose.

  9. My employer is requiring me to Email my Healthy-You results to some third-party person. Joanna (somebody ) at some Email.com. I have no idea who this person is, and under duress of being charged $900 to pick up additional insurance costs, I am having to consider doing this. Not only do I have to submit this information, my children covered under the plan also have to submit it. I have no idea what they are going to do with the information. This information will contain my name, and test results. I also have to access their website and fill out a questionnaire about my ‘lifestyle’.
    Is this legal?

    • Charles, your question raises several other questions. First, we at The Fox Group do not consider ourselves arbiters of legal or illegal practices. That said, we would advise anyone who is asking for information containing PHI (which your test results probably are) to make sure they have a way for people to send them this information via a secure email system, or input it into a website with a secure portal. It is not a violation of the HIPAA Privacy Rules for an individual to use an unencrypted or non-secure method to send their personal information electronically. Interception of emails and attachment by third parties may be extremely unlikely, but it is not impossible. You may want to talk to your employer about your discomfort with sending material over an unsecured email channel, but your employer (assuming he or she is not a healthcare provider) is not covered by HIPAA regulations.

      As far as entering information in a website, if the url is “https”, then it is a secure channel and there is no HIPAA privacy or security issue.

  10. I am finding that, even after attending a HIPAA webinar, the e-mail rules are not the clearest. My specific question is, would it be okay to send e-mails using Microsoft Outlook/Outlook Web App, within our organization, including the first initial, last name, and DOS? For example, “Can you please fax the report from J. Doe’s 01/01/0001 visit to the insurance?” If not, what amount of information would be acceptable to send from one individual to another, within our organization, only?

    Thanks!

    • The thing about sending emails within your organization is that, unless they are going out within a closed network, they may still be traveling over the internet and be subject to interception. An email from an organization with an address that allows the unintended recipient to determine it is from a medical provider (and in your case, a specific type of provider), the name of the patient and the date of service, discloses that the patient had a medical service at that organization on a specific date. This may be minimal exposure of PHI, but it may be enough for the investigative authorities to decide it is a breach. Options you could use would include using the account number instead of a name, or even using encryption/decryption software to encrypt a document with the information you are trying to transmit. There are free programs available that could be used, and you can standardize the password so you do not have to worry about that aspect. The former is very simple; the latter more complicated but lends itself to more information being transmitted.

  11. We are testing our care portal. So to remind patients to access their portal for an upcoming appointment, can we send an email from Microsoft Office 365 (HIPAA compliant) to the patient with a notice to check our care portal for “a secure announcement”? Also put the disclaimer and warning at the bottom that they should share only minimal ePHI and are encouraged to use the portal to send secure messages back to our office rather than replying to our care portal email. What do you think?

    • An email message to a patient encouraging them to visit your patient portal is probably innocuous enough to go out as a non-encrypted email. We strongly recommend you have documentation of consent to send any email to patients before sending even an email like the one you describe. You just never know who is reading the email at the other end, and sometimes even family members are visiting healthcare providers without telling each other. We would also recommend your disclaimer reminds patients that email is not a secure method of communicating with you, and that they should not include any personal health information in an email. Only communications sent through the portal are secure. There is some suggested language in the second part of the series on this topic at http://www.foxgrp.com/blog/hipaa-compliant-email/.

      I am not sure why you describe Microsoft Office 365 as “HIPAA Compliant”. You may have a secure channel to your applications in the cloud, but that does not mean if you send an email from a cloud application that it is arriving at the destination via a secure channel.

  12. Is it a violation if you email a co-worker a patient refund request? It would include patient name and address and the dollar amount?

    • Kathy, you don’t specify if the email you are using is an intra-network (contained in the business), or if it uses any external connectivity, servers, etc. It can be problematic to put too much information in an email that uses external connectivity, even when the information you are sending is limited. A name, address and a link to a specific practice, especially if it identifies the type of specialty, could be a violation if it were ever intercepted. You might consider using a patient’s account number to identify the patient, if that permits the person at the other end to identify the patient properly for the purpose of a refund.

      • Thank you, it is external connectivity. If you email a patient name and/or an address but no clinic to identify the specialty, is that too considered a violation?
        On a different subject, what if a billing resource gave credential information via email? For example: a client’s provider number, NPI, SSN and provider website access. Would that be a HIPAA violation?

  13. We are in the process of updating our policy regarding mailing medical records to authorized parties, i.e., insurance, auditors, etc. I’m having difficulty finding information on emailing an entire record (encrypted). Am not necessarily seeing anything prohibiting the use of encrypted email to send patient records. But I’m not really seeing anything addressing the complete record either. Thank you very much

    • Elizabeth, there is no distinction between the rules for emailing PHI that represents a minimum amount of information vs. an entire patient medical record. If the text of the email has enough information to identify the patient and where he or she was treated, the email should be encrypted. If there is an attachment with PHI, we would recommend encrypting the attachment separately so in case the email wound up in an unprotected state, the attachment still could not be viewed without a separate password.

  14. In my pediatric practice we use a secure patient portal and we just started using constant contact to send newsletter type regular emails to our patients that contain no PHI. My Partner just received a “Happy Birthday” email from his car dealership on his Birthday. He would like to send “Happy Birthday” emails via Constant Contact to all our patients as their birthdays come up as a nice gesture and a subtle reminder to make an appointment for their yearly visit if they have not made one already. If these insecure emails go out with a first name and no other information (except an implied DOB from the date the email was sent) is it a HIPAA violation? The ePHI is first name, likely last name in the email and DOB. Also assume we have not asked for permission from the family to send this email. In summary, if the email gets into the wrong hands, is knowing someone’s DOB, name, and the fact that they are patients of our practice enough to make it a violation?

    • Andy, the short answer is yes, you may be found to be violating a patient’s privacy by sending an email, even one with minimal information, if you are sending emails to patients without the consent of a parent or someone who can give consent. In some states, even an email address is considered personal identifying information that should not be used without consent. Would the emails go to the patient’s email account? Is the patient a minor? Given the sensitivity of electronic communications with children, it is even more important to have documented consent.

      The HIPAA Omnibus Final Rule of 2013 also contained some important clarifications and extensions on the use of PHI for marketing purposes. See our blog on the topic at http://www.foxgrp.com/blog/sale-of-phi/. While a healthcare provider sending its patients a reminder about a recommended service may be permitted without specific patient consent to use PHI for marketing, a third party Business Associate sending such a reminder (presumably being compensated for the service) definitely seems to fit into a category where patient consent to use PHI for marketing purposes is required. If reminder messages are part of the activities you plan on using a service like Constant Contact for, getting consent from parents to send such notices or other marketing materials should also be obtained.

      Electronic communications can definitely improve patient satisfaction and communication of important issues, but must be done with utmost caution, especially when minor children are involved.

  15. I just requested a billing company send me a full statement of services, not just the total bill. I asked that it be emailed. She refused citing HIPAA. I said I would send an email authorizing this email and releasing them. I was told this is not allowed under HIPAA. This seems foolish. My bill, my services, my consent. What’s the problem? True or another “we can’t do anything because of HIPAA” excuse?

    Thanks!

    • A written authorization from you allowing the billing company to send you a full statement of services, that may contain PHI, via email, should be enough for the company to send you the information you have requested. You might try contacting the healthcare organization that the billing company is working for to see if they can help convince the billing company to send you the information, or have the billing company send them the statement and they can forward it to you.

  16. Thank you very much for offering your opinion. I appreciate it!

  17. If a person accidentally emails a spreadsheet to a non-corporate mailing list containing information of a community clinic program (like a Yoga class) associated to a hospital department with names, addresses, phone numbers, age, a diagnosis (not codes – just words – spinal, cva right side), and payment status (no other financial info)? The names could be former patients or community members involved in the program. There is no identifier stating they were or were not a patient of the hospital, just that they did or did not pay for participation in the clinic program. We consider them clients of the program, but they are not patients in the hospital when they opt to participate in the program/class.

    • It sounds like you have a breach on your hands. As soon as you have diagnosis information, whether verbal description or ICD9 codes, plus other identifiers, like names, etc., you have PHI, and per your email, it has been potentially disclosed to persons who do not need it and should not have it. You should contact your organization’s Compliance Officer and let them know what has happened. Also, you should figure out who all received the spreadsheet and prepare to ask them to return it or delete it ASAP. Good luck!

  18. Hi. I am trying to firm up our email policy for the interim period before we are able to invest in an encrypted email system that will be internal to a new portal system for our organization. We need to be able to email a prescription medication name and some type of identifier for the patient in order to clarify a prescription order for that patient. We only communicate by email with providers – not patients.

    In your response to Crystal D in #10 above, you suggest using an account number instead of a patient name to communicate with patients in an unencrypted email setup. I would like for our policy (again, in the interim) to say that our organization will not use patient names OR initials together with information about their medications, but will only use the 16 digit random number generated and assigned by our portal. Using this number that could only connect to PHI by hacking or legitimately accessing our online portal would seem to eliminate the ability to associate PHI in a hacked email system with actual patient initials, which could theoretically be guessed.

    Given that, I am still confused as to how it would be okay to email a medical record number through an unencrypted system, if “Medical Record Numbers” is one of the identifiers listed in HIPAA for identifying PHI. Is that correct? While this may still be PHI, in my mind for the interim period, this is preferable to initials, as there is less chance that the email AND the HIPAA-compliant portal system could be compromised for a true breach.

    Any thoughts would be appreciated. Thanks!

    • As you noted, in my reply to Crystal D., I mentioned using account numbers. The context was Crystal asking about emails being sent to other persons in her organization, who presumably have access to the account number in the email, and can then respond to the request intelligently. The communication was not with patients, at least as she described it.

      You are describing a situation where you want to communicate with other providers about clarifying prescriptions. I assume the other provider would be a pharmacy. You also mention you have or are about to have a portal for the organization.

      Most portal systems operate using https, or secure channels, when information goes over the internet via a portal. That usually addresses the issue of security of the info. Use of any number, even one generated by the portal application, has to be accessible to both parties for messages to be understood and acted upon properly.

      The best I can recommend is, if communication via email (plain vanilla email, going out via your computer or server) is required in the interim prior to the availability of a secure portal, you could add an identifier to the original prescription form, that could be referenced by the pharmacy when you have to send these clarifications. The identifier could certainly be a random number generated by your portal, as long as the pharmacy can relate the number to the patient in question. Of course, faxing a clarification is also a secure way to communicate with a pharmacy.

      I hope this helps!

  19. What if the info is a PDF with just a first name and room number and details about the status of a patient?

    • Gloria, you do not specify who is sending and receiving this information. A form being emailed with the information you describe, but where it is possible to infer the location (a hospital?) and then locate the hospital and identify the person, is a situation waiting for exploitation. It would be better to use a number of some kind that is difficult to readily associate with a patient, rather than a first name and room number. You have to think: how easy would it be for me to identify a person if I knew what hospital they are in, the first name and the room number? Not very hard, I think.

  20. Hello, My wife is participating in a clinical study. The lead investigator sent an email communication to the study participants and my wife’s and the other e-mail addresses are all visible to the other recipients and other investigators and physicians. At least my wife’s, and it appears that many of the other e-mail addresses contain first initial and last name information. Your thoughts would be appreciated. Thank you.

    Here is the text of the e-mail with my redactions:

    “Dear participants:

    I am writing to stress your obligation to be at XXXXXX Care Center on the scheduled time and date (something you had agreed to do when signing the Consent Form). Cancelling at the last minute is a waste of time for the clinicians that were there and a waste of taxpayers’ money who fund this research. It is unacceptable behavior where there is no serious medical reason, and I have the authority to remove from study anyone who does not respect their appointment. I hope I do not have to do that.

    To help you, we have simplified the scheduling communication for coming weeks. XXXXXX XXXX Medicine Center has agreed that from now on scheduling for the virtual reality system will be done by our staff at XXXXXX, where therapy takes place. You will receive a call from Mr. XXXXXX XXXXX who is the computer engineer working with the experimental equipment in your room at XXXXX. His cell number is XXXXXXX. His email is XXXXX@gmail.com. Please email or text him your name and cell number as well.”

    • Ken, this type of communication is certainly borderline, for two reasons: Email addresses in some states are considered confidential information, so sending an email in such a way that all other email addresses are also disclosed, and coupled with name of the facility where the clinical trial services are offered, certainly is questionable from a privacy standpoint. It’s borderline because apparently the clinical condition being studied is not mentioned directly.

      The organization administering the Clinical Trial could certainly ameliorate this concern by having all participants consent to receiving information, even protected health information, via email or text. And anyone sending mass emails can do it in such a way so as to avoid disclosing the email addresses of all the other participants.

      Let us hope the clinical study produces results for your wife and others that far exceed the borderline privacy concerns participants may have, and come about in spite of the level of customer service skill the lead investigator displayed in his message. Good luck.

  21. I am not sure if you can answer this, but my question is, now there are smartphones, I had a patient send in a picture of their Rx for medical equipment. Do you think this is acceptable ?

    At first, I thought absolutely not, but then I thought how Rx are faxed every day, is there a difference ?

    What are your thoughts or do you know where I can get an answer?
    Thank you.
    Pam

    • Texting is no more secure than regular (unencrypted) email. Faxing, up until recently, was considered secure because faxes were sent from point to point over telephone lines, not through the internet. With the advent of VOIP, including for use in faxing, even that may have to be reconsidered since it is a form of internet transmission. In any case, unless the sender is using an encryption application to send text messages, of which there are several now, you should avoid encouraging patients to text (or email) PHI to you.

  22. An email sent through the encrypted email network of the hospital from one student to another containing patient last name and room number?

    • Assuming the premise of a secure email network is correct, sending PHI through such a network should be in compliance with HIPAA.

  23. We use gmail for our inter-office communication. We have a password protected firewall associated with our office computer system. Can we supply patient first name, last name and DOS if we are trying to convey a message between each other. Some of our therapists do not have access to our system with the account numbers of our patients.

    • Although Google claims that emails sent within its server network go via the TLS security protocol, which means they are encrypted, that is only true if the emails stay within the Google domain. Therapists who send you emails with PHI that are not routed exclusively in the Google domain would not be protecting PHI as required under HIPAA. Google also offers an encryption solution that may help (Postini) and is compiling statistics on how many people are using encryption when sending emails. https://www.google.com/transparencyreport/saferemail/

  24. Please advise the HIPAA compliance requirements regarding emailing patient x-rays via a non-encrypted email service…to either another dentist or the patient in question.

    • Since unencrypted email goes across the internet via a variety of servers, PHI sent this way may be subject to unauthorized disclosure, and such transmissions should be avoided. Having said that, if you ask a patient for permission to communicate with him or her via email, and they agree, then you can send PHI via unencrypted email. You can also ask for permission to share dental records, including x-rays, via email with other dentists or other medical care providers. Any such authorization should be requested in writing (or by means of a form you give the patient to fill out), and any restrictions specified by the patient on the use of email to send PHI must be observed.

  25. I am newly married. I work for a group of kidney specialists. I requested to have my email name updated with my new name and was told HIPAA requires it remain the same for tracking purposes. Can you tell me where I can find information on this.

    • There is no requirement in HIPAA that requires tracking an email address, let alone not adjusting for updates to email addresses, name changes due to marriage, etc., etc. HIPAA only addresses maintaining the privacy of Private Health Information collected by covered entities, e.g., medical practices, on their patients. If you are also a patient of the practice, then HIPAA applies to your medical record and identity information created and maintained by the practice. HIPAA does not apply to general employment records of employees, except to the extent that information might involve PHI. For instance, your employer may have access to some of your PHI when it receives information about utilization of services by persons covered by its employee health plan. But again, there are no requirements about not changing an email address for those purposes.

  26. I have a medical office and my email was hacked by an ex-spouse. I have communication with patients on that email as well as with my attorney.
    The ex-spouse claims that they were given the password to use. That is absurd and I never gave it to them especially since this is a different email address that I started three months after our divorce.

    I have contacted state police who got information from Microsoft and the ex’s place of employment servers tracking her IP address to the email account and they have contacted the prosecutor but he is wavering from prosecuting the ex because she says that she was given permission to be on the account.

    Do I need to tell the prosecutor anything else or do I need to alert someone else about the violation if the prosecutor doesn’t pursue it?

    • First of all, I am sorry for the situation you find yourself in.

      Depending on the content of the emails that were available for access, a prosecutor may want to know about the civil and criminal penalties for unauthorized disclosure of Protected Health Information. People have been prosecuted and even jailed for unauthorized disclosure, usually involving hospital staff who snooped in a celebrity’s medical record, and then sold information to a tabloid. I don’t know how you could tell if any of the PHI in any of these emails was disclosed outside of your wife seeing it, unless patients started calling you or you noticed dissemination of information that can be traced back to your emails.

      That said, and depending on how much and what type of PHI is in the emails, you should treat this as a breach – an unauthorized disclosure of PHI. We advise covered entities to obtain a patient’s consent to share information via email, but that only gives you some protection against the type of unauthorized disclosure that could result from someone intercepting and reading an email as it makes its way across various servers to get to its destination. In this case, there is a known incidence of a specific person with access to emails containing PHI. It does not matter how this access came about, or if anyone is prosecuted or not. Under any circumstances of potential breach, you have an obligation to evaluate the potential breach and notify patients and/or the authorities, or even the media, if there is a risk of harm to the patients affected.

      You can read more about the risk of harm concept at our blog at http://www.foxgrp.com/blog/hipaa-breach-definition-updated/. You can also get more detailed information at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/.

      Good luck with your situation. It is an unfortunate object lesson on many levels.

  27. I work in a counseling office. I get clients who quite regularly request me to email them with dates and times available for an appointment with a particular counselor or want to know when their appt. with “xxxxx” is. They also request I confirm their appt. by email rather than by phone confirmation. I always throw the HIPAA regs. at them stating we cannot discuss PHI via emails. Are we legally able to adopt a policy for our business such as this? A Policy that states: Our office does not handle appointment confirmations, scheduling or canceling via email due to HIPAA regulations and our obligation to protect your PHI.

    • There is nothing in the HIPAA regulations that prevents you from adopting a policy that says you do not handle communications via email, but HIPAA regulations also don’t forbid you from utilizing that method of communication. The standard is to protect the privacy of your patients’ protected health information. It does not forbid any particular method of communication, and does not prescribe any particular method. Many practices have access to patient portals that offer a secure method of communication, therefore allowing exchange of PHI.

      We always recommend offering patients several options on how to contact them (phone, text, email, etc.). Email can be one of the methods, and you can specify the types of things you will put in email, and get the patient’s consent. That is one of the issues mentioned on the Office of Civil Rights FAQs about HIPAA. Since many patients may be used to getting information about appointments, etc. via email, they may question why your practice is saying use of email is a HIPAA violation, when it is not. But you should educate your patients, counseling them about not sharing information on their condition, treatments in progress, medications, etc., etc., that the internet is not a secure method of communicating, etc. And then you can offer the use of email if they give you an informed consent to receive such emails, for limited purposes, from you.

  28. (Hope this an appropriate question for the forum) As a BA, we are developing a new registration process for clients to use our services. When a new client registers they must create a login name and password. The common practice we see is, a new user uses their email address as a login name. Here’s the concern, small practices use free email services like Yahoo, Gmail, etc. and we are concerned about the security of an email address as a login name. Would it be more HIPAA compliant to require them to use something other than an email address as a login name? Thank you

    • There are not really gradations of HIPAA compliance – you either are or you are not. I do not think there is anything inherently less secure in using an email address as a login name, vs. some other name they would have to select, since most of them would probably use a variation of their given name. It would be more important to require a “strong” password, e.g., a mix of letters (upper and lower case), numbers, symbols, etc., at least 8 or 10 characters in total. That would make logging in a more difficult task for someone phishing the login site.
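
The reply above lists the elements of a “strong” password policy for a registration form. As an added example (not code from the original page, and the thresholds are assumptions), the Python below enforces that policy at registration and adds two checks a practitioner would want alongside it: the password must not contain the login name (or the local part of an email-address login, since the question is about using email addresses as login names) and must not be on a denylist of common choices. The denylist here is a constructed handful; a real deployment would use a large list of known-breached passwords.

```python
import re
from typing import List

MIN_LENGTH = 10                              # assumed; the reply says 8 or 10
COMMON_PASSWORDS = {                         # constructed sample denylist
    "password", "password1", "welcome1", "letmein", "qwerty123", "p@ssw0rd",
}

# Character classes the reply asks for, with the message reported when missing.
CLASS_CHECKS = [
    (r"[A-Z]", "no upper-case letter"),
    (r"[a-z]", "no lower-case letter"),
    (r"[0-9]", "no digit"),
    (r"[^A-Za-z0-9]", "no symbol"),
]


def login_fragment(login: str) -> str:
    """Part of the login name that must not appear in the password.

    For an email-address login this is the local part ('jsmith' of
    jsmith@example.com); for any other login it is the whole name.
    """
    return login.split("@", 1)[0].strip().lower()


def check_password(password: str, login: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, message in CLASS_CHECKS:
        if not re.search(pattern, password):
            problems.append(message)
    fragment = login_fragment(login)
    if len(fragment) >= 3 and fragment in password.lower():
        problems.append("contains the login name")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems


def is_acceptable(password: str, login: str) -> bool:
    """True when the password passes every check for this login."""
    return not check_password(password, login)


if __name__ == "__main__":
    for candidate in ("password", "JSmith2015!!x", "Cx7!meadow-Lantern"):
        print(repr(candidate), check_password(candidate, "jsmith@gmail.example") or "ok")
```

The function returns every violation rather than stopping at the first, so the registration page can tell the user all of what is wrong in one round trip.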

  29. My web host (Bluehost) does not sign BAAs for the HTTPS secure websites on their server and they do not guarantee HIPAA/HITECH compliance with a HTTPS. I have a private dedicated server on Bluehost that hosts my HTTPS website. I would like my employees and physicians to enter ePHI into an online form, excluding the patient’s name. The identifier will be a medical record number from the billing company. This information is stored on the website and accessed directly, none of the ePHI (surgeon, anesthesiologist, time, ICD, CPT, quality data, etc.) is ever emailed or leaves the website storage on the server.

    Is this method HIPAA compliant?

    • Here are a couple of things to consider.
      1) You definitely need a BAA if the hosting site has access to the ePHI you are storing on the server. If the server is only accessible by you or your staff, including for maintenance purposes, then you are protecting the privacy of the PHI, as you are required to do. If the web hosting company can access the server for any reason, even if only for maintenance purposes, and will not sign a BAA, then you are allowing potential access to other people who have not agreed to maintain the privacy of the PHI. Any access would constitute an unauthorized disclosure, making you subject to the breach notification procedures. And even if there were no disclosure, covered entities are being fined under HIPAA because they are not protecting the privacy of PHI adequately – even when there is no unauthorized disclosure.
      2) If access by webhosting personnel is not an issue, then you should ask Bluehost for the level of encryption used in their secure channel (the https) that connects you to the server. It should be at least 128-bit encryption.
      3) You can also overcome any of these issues by encrypting the files before storing them on the server. There are very simple, free encryption programs available that you could use to encrypt these files. You can make a dedicated password for each file using the medical record number from the billing company, for instance. Then no matter what happens with access to the server, the PHI you have stored there would be considered protected.

      By the way, you do have a BAA with the billing company, correct?

  30. Hello –

    If we have a patient who has recently changed their phone number and we are unable to reach them via phone but we do have their email address, would it be permissible to email them to contact us to update their phone number even if we have not obtained their permission to email them? Would this be part of “healthcare operations,” or would it be considered a HIPAA violation?

    • A provider sending an email to a patient is disclosing a very minimal amount of PHI, but this should be weighed against the urgency of your need to contact the patient. If the email is designed to prompt a call because you have important information to pass on to them, and you have already tried sending a notice via US Mail, then an email asking the patient to contact you may be justified, even if it potentially discloses a minimal amount of PHI, and provided the patient did not request not to be contacted via email.

      But if the email is being sent for the purpose of a routine update of a phone number, it is probably better not to use email for such a request in the absence of permission to send email to the patient.

  31. I have a medical condition that requires me to find a donor for transplant. I want my personnel group to send a mass e-mail describing my condition and will absolve them from HIPAA laws. Are there any canned forms in PA for absolving employers from distributing these types of e-mails where the employee is asking for help?

    • Vince, there is no particular form to use to give your authorization for such a mass email. I recommend you draft the text of the email you would authorize the personnel group to send on your behalf, and include a statement authorizing them to distribute it, and to whom, as part of your email to the personnel group. Just keep in mind once such an email goes out, it may not stay with the audience you have in mind. You should make sure you are OK with potentially unlimited dissemination of the information about your condition before taking such a step.

      By the way, I hope you are also on the official lists for donated organs managed by organizations such as the United Network for Organ Sharing (UNOS). You may also want to encourage people in your email to consider becoming organ donors by visiting websites such as organdonor.gov.

      Good Luck!

  32. Excellent site, very helpful

  33. I’ve had problems with the billing dept. at my doctor’s office. First they yelled out my current bill information to an entire waiting area & had patients complain about how it was handled. Secondly they emailed me and copied multiple people in their office including my doctor which has now impacted our relationship. This was part of the email:

    It was brought to my attention that you had another visit with Dr. ******* on 2/10/2015 in our (specific) office and you could only afford to pay $5.00 toward your past due balance of $191.56. As I stated to you on 1/2/2015 you need to take care of your past due balance of $241.56, and provide us with your insurance card for any further treatment. You called in on 1/19/2015 and said you did not mean to miss your appointment on 11/24/2014, so as a courtesy we adjusted your account by $50.00 leaving your past due balance at $191.56.

    When you checked in to our (specific) office on 2/10/2015 you were aware of the fact that you needed to make full and final payment on your account prior to any more services being rendered. I have talked to you, and you have also been sent 3 past due collection letters from my office that state you are going to be placed with collections if you do not make payment. So instead of you taking care of the balance you made a fuss and made a payment of $(amount I paid) toward past due balance making the total amount due $(exact amount)

    Per Dr. ******* you will need to pay 50% of this past due balance which will be $ (exact amt) either prior to your appointment on 3/10/2015 or at the time of check in. Please keep in mind this is a requirement of you and we will not be able to render any further services until you take care of your past due balance. We have tried to work with you as much as possible, but you need to understand these are our office policies and these requirements are for ALL of our patients not just you.

    I realize this is incredibly unprofessional and I would assume it’s a violation but I’m curious what you think? Because it’s so negatively affected my relationship with his office and now my health – I’m contemplating filing a complaint.

    • You may have grounds for making a complaint about a violation of your privacy rights, depending on any other details in the email, and if you gave the doctor’s office permission to send you email with PHI in it. Ask the office for the name of the Privacy Officer, and for a copy of their Notice of Privacy Practices. That should have information on how you can file a complaint with the Office of Civil Rights, who investigates potential privacy breaches.

      • Thank you, I genuinely appreciate your help. I see my doctor again tomorrow and I’ll ask for the info you mentioned while I’m there. When this was on top of the incident where she scolded me in front of an entire waiting area for having an outstanding balance, I just felt almost as if they didn’t take HIPAA seriously nor did they understand that my health issues are a massive financial strain and it’s a very sensitive issue that doesn’t need to be translated to the entire office. Knowing that patients complained to the receptionist & they still thought to follow up with this email has me seriously concerned. I’ve had a relationship with this doctor for 5 years and it’s necessary for my survival to continue going to him because of a rare surgery so I don’t want to be in fear of being a patient because of employees that don’t take these things seriously & treat them with utmost care. Thank you again, info came just in time & hopefully I can keep others from being treated this way.

  34. Hello,
    I was sent a rude email from my job regarding a patient’s insurance that was inactive. The insurance was Medicare. If you’re familiar with Medicare you would be aware that it states the patient’s social security number on it. To be “precise and smart” she then sent me a copy of the patient’s Medicare card. It wasn’t even an attachment. It was a copy printed in the email and I believe his DOB was in this email as well and his full name. Is that not against HIPAA? From my understanding internet use is not secure.

    • You are correct that email sent over the internet without the use of a secure, encrypted email application, cannot be considered secure. While the identifiers you mention can be part of Protected Health Information, they may not be considered PHI without any other health information, like services rendered or the type of healthcare provider being visited. That said, many states also have laws against disclosing personal information that may facilitate identity theft. Sending such information via internet email applications that are not secure may expose the sender to penalties and lawsuits if the information was intercepted and disclosed. Information such as name, social security number and birth date certainly fits into that category.

      • Thank you, and not to mention many emails are received through my employees’ cellphones. Everyone has their cell phone connected with their email, which means that patient’s information went to about 4 different cellphones.

  35. Can a probation department in Texas send medical information electronically to an Intermediate Sanctions Facility without violating HIPAA law?

    • From what we see on the state of Texas website about Intermediate Sanctions Facilities, with tracks for substance abuse treatment, etc., the ISFs would appear to be covered by HIPAA. It is an open question if a probation department qualifies as a covered entity, even if it is in possession of medical information that meets the definition of PHI.

      A probation department would seem to be an entity that is covered by the Texas Public Information act which may make such an email discoverable when a member of the public asks for them. There is also a Texas Privacy Law which may apply to any breach or unauthorized disclosure of “sensitive” information.

      While it may be permissible to email such information from the standpoint of HIPAA, it would be prudent to get an authorization from the person whose information it is to send it via email. This would go a long way to mitigating any claims of unauthorized disclosure, if the email were intercepted or otherwise made public unintentionally.

  36. I work for a government medical facility. Recently one of our supervisors sent out an email to educate staff on a certain procedure of calling the MD when a patient has been admitted to an off site facility. The email was not encrypted, contained the patient’s name, identifying government patient number, housing, procedure done and date of procedure. Would this be considered a HIPAA violation?

    • It depends in part on the nature of the email system in use. If the email is sent within a closed network, for instance within a hospital using a hospital email server, then it can be argued that the PHI in the email was not exposed to potential disclosure. When email is sent over the internet with no encryption of PHI, that can be considered an instance of not protecting PHI in accordance with the Privacy Rule.

  37. Our company uses Outlook with Office 365. When sending shift reports, is it compliant to give first name and medication name and dose? The email is going out to an all-staff group on the email.

    • You don’t specify the type of service your company provides, or the email application you are using. If everyone receiving these emails is using a yahoo email address, then you have to consider the email as going through public servers. Google maintains that emails sent from one gmail account to another are going through encrypted channels, so are safer than other email applications that are not using actual encryption of the contents. So this works as long as everyone sending and receiving these emails is using a gmail account.

      You also need to consider the approach you describe to using minimal identification when distributing the information. What happens when there are two patients with the same first name? It is always better to use a unique identifier, especially with something as sensitive as medication. For instance, you could use a unique medical record or account number with first and last initials, instead of a name, especially if these messages only pertain to a limited number of people and typically confirm the medication order is still the same.
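
The replies to questions 23 and 37 above turn on whether a message actually travelled over encrypted hops between servers. As an added example (not part of the original page), the Python below reads the Received: headers that each mail server prepends as a message passes through it and reports which hops were recorded as TLS (ESMTPS/STARTTLS) and which were plain. The two sample messages are constructed; the header wording follows what Postfix and Gmail write. Caveat a practitioner should keep in mind: only the headers added by servers you control or trust are reliable, since everything earlier in the chain arrives from the sender and can be forged, and a hop without a TLS note tells you nothing about whether a single provider encrypts traffic inside its own network.

```python
import email
import re

# Markers common MTAs write into a Received: header when the hop used TLS:
# "with ESMTPS"/"ESMTPSA" (Postfix, Exim, Gmail), "(using TLSv1.2 ...)" (Postfix),
# "(version=TLS1_3 cipher=...)" (Gmail). Plain "with ESMTP" carries no such note.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:UTF8)?E?SMTPSA?\b|\busing\s+TLS|\bversion=TLS",
    re.IGNORECASE,
)


def classify_hops(raw_message: str) -> list:
    """Return one dict per Received: header, newest hop first.

    Each dict has 'from' and 'by' (host names, '?' if absent) and 'tls'
    (True when the header carries a TLS marker).
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", text)
        dst = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "tls": bool(TLS_MARKERS.search(text)),
        })
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if the message has at least one hop and every hop used TLS."""
    hops = classify_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


# Constructed sample 1: Gmail -> clinic MX, both recorded hops used TLS.
ENCRYPTED_PATH = """\
Received: from mail-yw1-f42.google.com (mail-yw1-f42.google.com [209.85.128.42])
        by mx.clinic.example (Postfix) with ESMTPS id 4AbC12
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
        for <intake@clinic.example>; Tue, 10 Feb 2015 09:12:03 -0800 (PST)
Received: from [10.0.0.7] (client.isp.example [198.51.100.23])
        by smtp.gmail.com with ESMTPSA id k9sm123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)
        for <intake@clinic.example>; Tue, 10 Feb 2015 09:12:01 -0800 (PST)
From: therapist@gmail.example
To: intake@clinic.example
Subject: schedule question

Can you confirm the 3 pm slot?
"""

# Constructed sample 2: the final hop used TLS, but the relay before it took
# the message in the clear ("with ESMTP", no TLS note).
MIXED_PATH = """\
Received: from relay.billing.example (relay.billing.example [203.0.113.5])
        by mx.clinic.example (Postfix) with ESMTPS id 7XyZ99
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        for <intake@clinic.example>; Tue, 10 Feb 2015 11:40:18 -0800 (PST)
Received: from desktop-12.billing.example (desktop-12.billing.example [192.0.2.44])
        by relay.billing.example (Postfix) with ESMTP id 3QwE77
        for <intake@clinic.example>; Tue, 10 Feb 2015 11:40:17 -0800 (PST)
From: accounts@billing.example
To: intake@clinic.example
Subject: statement

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("sample 1", ENCRYPTED_PATH), ("sample 2", MIXED_PATH)):
        print(label, "all hops TLS:", all_hops_encrypted(raw))
        for hop in classify_hops(raw):
            print("   ", hop["from"], "->", hop["by"], "TLS" if hop["tls"] else "PLAIN")
```

Run it against a message saved from your own mailbox to see how far back the TLS notes go; the first Received: header your own mail server wrote is the last one you can trust.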

  38. Our office has a lot of problems with patients not showing up for their scheduled appointments. Would it be a HIPAA violation to send an email to a patient regarding their missed appointment? It would only have their first name and would state that they missed their appointment and that a “no show” fee would be posted to their account. It would not have the date of the appointment or any other personal info.
    Also, would it be a HIPAA violation to send an email to a patient letting them know that they have a balance in our office and to contact us to discuss their balance? This email would contain the patient’s first name and the amount of the balance only.

    • In some situations, any email from a medical practice implying someone is a patient could be considered a HIPAA violation, which is why we strongly encourage documenting the patient’s agreement (or lack thereof) to receiving emails from the practice. Such situations include homes where multiple people share an email account, and where one member of the family has not disclosed he or she is visiting a doctor.

      Without patient consent, sending the types of emails you describe may come back to haunt you when a patient decides to complain to the Office of Civil Rights about a violation of their privacy. You can always use the mail to send these notices…

  39. Question. The VA is now using a program called MyHealtheVet. It allows Veteran patients to view certain medical information, and allows the Veterans to communicate with their provider/nursing team. My concern is that a non-medical MyHealtheVet representative is able to actually view the email communication – they tout the reason to be able to do so to ensure that the patient’s medical team receiving the message has acted upon it. Is this a form of a HIPAA violation? I’m not comfortable knowing that someone other than who I send the message to can see it possibly.

    • I am assuming that the non-medical MyHealtheVet representative is a VA employee, required to maintain the confidentiality of patient information just like clinicians. It is very common in medical practices and hospitals that “non-medical” staff have access to patient information – people involved in billing and information systems support, for instance. Staff members whose duties require them to have access to patient information are not in violation of HIPAA when they access such information. It is a HIPAA violation when staff members not involved in the care of a patient, or whose duties do not otherwise require them to access a particular patient’s information, do access it. More and more people are being disciplined, fired and sometimes even prosecuted for accessing protected health information they were not required to access in the course of their duties.

      • In this case, a patient used the MHV email option to contact their team regarding specific care. Members of the team in question were on leave for a few days. MHV apparently has a ‘time limit’ on email response time. There was a message sent to the team pointedly asking them if they had addressed pt X’s concern about their X care/treatment. The pt was unaware that communication between them and their medical team could possibly be fully viewed by another party.

  40. I will need to communicate via email with our clinical staff who are offsite. We do not have an encrypted system so we are thinking about using patient initials when discussing health information. In review of the above comments, I’m thinking even just initials would be a violation and it might be better to come up with a numbered identifier when communicating via email between clinicians. As far as I’ve read, when communicating with clients about PHI via emails, it would be acceptable if they are fully aware the system is not encrypted and have signed a statement to that effect and that they are aware and still agree to emailed PHI. Please confirm my understanding. Thanks,

    • We agree it is better to have a unique identifier, vs. using initials, when clinicians are discussing PHI via unencrypted email. Although use of initials may disguise the identity of the person under discussion, there is also room for mistakes due to duplicate initials.

      You are unlikely to be sanctioned for communicating with patients via email as long as they have signed an informed consent about the lack of security of using unencrypted email to discuss their PHI.
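
Several replies above (to questions 18, 19, 37 and 40) recommend replacing names, initials or room numbers in email with an identifier that only the practice can map back to the patient. The Python below is an added example, not from the original page, of one way to build such an identifier: a keyed HMAC over the medical record number yields a short, stable token; the key and the token-to-MRN registry stay on the practice’s own systems, and only the token travels in the message. The key, the MRNs and the patient names are constructed sample data; in practice the key would come from a secrets store and the MRNs from the chart system.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class PatientReferenceRegistry:
    """Issue keyed tokens for medical record numbers and map them back.

    The key must never leave the practice; without it and the registry a
    token on its own cannot be turned back into a patient.
    """

    def __init__(self, key: bytes, token_hex_len: int = 12):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._len = token_hex_len
        self._by_token: Dict[str, str] = {}   # token -> MRN, kept off email

    def token_for(self, mrn: str) -> str:
        """Stable token for an MRN; registers it for later resolution."""
        digest = hmac.new(self._key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()
        token = digest[: self._len]
        other = self._by_token.get(token)
        if other is not None and other != mrn:
            # A truncated digest can collide; refuse rather than mix up two patients.
            raise RuntimeError("token collision, increase token_hex_len")
        self._by_token[token] = mrn
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a token back to its MRN, or None if it was never issued here."""
        return self._by_token.get(token)


def initials(full_name: str) -> str:
    """The weak identifier the replies advise against: ambiguous on collisions."""
    return "".join(part[0].upper() for part in full_name.split())


def compose_note(registry: PatientReferenceRegistry, mrn: str, text: str) -> str:
    """Body of a clinician-to-clinician note that names the patient only by token."""
    return f"Patient ref {registry.token_for(mrn)}: {text}"


# Constructed sample data (assumed, not from the page).
PRACTICE_KEY = secrets.token_bytes(32)
PATIENTS = {"MRN-100234": "John Smith", "MRN-100871": "Jane Sanders"}

if __name__ == "__main__":
    reg = PatientReferenceRegistry(PRACTICE_KEY)
    for mrn, name in PATIENTS.items():
        # Both patients share the initials "JS"; their tokens differ.
        print(initials(name), "->", compose_note(reg, mrn, "medication order unchanged"))
```

Because the token is deterministic, the recipient can tell that two notes concern the same patient, which is what a shift report needs. The per-message random number suggested in reply 18 avoids that linkability but requires the receiving side to look each number up separately.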

  41. Our small Physical Therapy practice has started sending out our New Patient Forms via email after asking them on the phone if they would like to have them sent via email to save them the time of having to fill them out after they arrive for their first visit…which can be a slow process for some people as there are 5 or 6 forms. We ask that they bring them in with them, and we don’t use the last name in the email. The forms are blank of course, but some of them are geared towards specific diagnoses ie a back index, and of course our logo is on them. Once in a while patients will fill them out and email them back, but we do not encourage this.
    I became nervous about this practice when today, an email with the forms attached, was sent to the correct AOL email address, but instead went to a different AOL user! I only found the mistake because the recipient emailed us back letting us know AOL was acting odd and that they did not have anything scheduled with us. Thanks in advance!

    • Your experience demonstrates the old saying about the exception proving the rule. Email is a mostly reliable form of communication – until it isn’t. And it reinforces the need to get consent when using unencrypted email to communicate with patients about anything which identifies them as your patient, or even potential patient.

      You can improve your process by making a note that the patient agreed to receive the New Patient forms via regular email. When the patient comes in for the first visit, be sure that the note finds its way into the chart.

      Thanks for sharing your experience. So many of us think the chance of an unauthorized disclosure due to the use of email is so small that we don’t have to take even minimal precautions about consents, let alone use an encrypted email application. The chances of a misrouted or intercepted email may be small, but they aren’t zero!
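
The replies to questions 27, 38 and 41 above all come down to the same gate before any email to a patient goes out: is there documented consent, does it cover this kind of message, and is the address the one the patient confirmed. The Python below is an added example of that gate, not the page’s own code. The consent records are constructed sample data standing in for what a practice would pull from the chart, and the near-match test for a mistyped address goes beyond what the replies describe; it is there because a one-character typo is the most common way a message reaches the wrong AOL or Gmail user.

```python
import difflib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class EmailConsent:
    address: str                     # address the patient confirmed, e.g. by replying to a test message
    purposes: Set[str]               # what the patient agreed to receive, e.g. {"forms", "appointments"}
    acknowledged_unencrypted: bool   # patient was told plain email is not secure


@dataclass
class SendDecision:
    allowed: bool
    reasons: List[str]


def normalize(addr: str) -> str:
    return addr.strip().lower()


def may_send(consents: Dict[str, EmailConsent], patient_id: str,
             to_address: str, purpose: str) -> SendDecision:
    """Decide whether an email for `purpose` may go to `to_address` for this patient."""
    consent = consents.get(patient_id)
    if consent is None:
        return SendDecision(False, ["no email consent on file; use phone or postal mail"])
    reasons = []
    if not consent.acknowledged_unencrypted:
        reasons.append("patient has not acknowledged that email is unencrypted")
    if purpose not in consent.purposes:
        reasons.append(f"purpose '{purpose}' is outside the consent ({sorted(consent.purposes)})")
    wanted, typed = normalize(consent.address), normalize(to_address)
    if typed != wanted:
        # Distinguish "this is another patient's address" from "this looks mistyped".
        owners = [pid for pid, c in consents.items() if normalize(c.address) == typed]
        if owners:
            reasons.append("address on file for a different patient")
        elif difflib.SequenceMatcher(None, typed, wanted).ratio() > 0.8:
            reasons.append(f"address looks like a typo of the confirmed address {wanted}")
        else:
            reasons.append("address does not match the confirmed address on file")
    return SendDecision(not reasons, reasons)


# Constructed sample consent records (assumed, not from the page).
CONSENTS = {
    "P001": EmailConsent("alice.m@example.com", {"forms", "appointments"}, True),
    "P002": EmailConsent("alicia.m@example.com", {"appointments"}, True),
    "P003": EmailConsent("bob@example.com", {"forms"}, False),
}

if __name__ == "__main__":
    for pid, addr, purpose in (("P001", "alice.m@example.com", "forms"),
                               ("P001", "alice.n@example.com", "forms"),
                               ("P002", "alicia.m@example.com", "forms"),
                               ("P999", "nobody@other.test", "forms")):
        d = may_send(CONSENTS, pid, addr, purpose)
        print(pid, addr, purpose, "->", "send" if d.allowed else d.reasons)
```

The check is deliberately an exact match against the confirmed address rather than a syntax check: a well-formed address that belongs to someone else is the failure mode the question describes, and syntax validation cannot catch it.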

  42. I am a member of a homeowners association and on occasion, I receive e-mail from our governing board, in bulk form. Everyone in the association receives the same information. My question is would the laws regarding e-mailing be violated if members responded by using the “Reply to All” button? In that instance, everyone who received the original e-mail would see the response.

    • What you describe is a very common practice, and it is hard to see that replies from one person sent to all other people who got the original email is disclosing – unless the respondent wanted to send his/her response only to the person who initiated the email. In any case HIPAA regulations on privacy only apply to medical providers who are required to maintain the confidentiality of the patient medical information they compile.

  43. Here is my question.

    I am a Remote Paramedic in Alaska working in the fishing industry. We use a Physician resource group out of Seattle, WA for Medical control and Medical consult for any procedures above the standard paramedic level of training (sutures, etc.) or any Rx medications (antibiotics for infections, etc.). However, I am in a rather heated debate with the medical provider over the transmission of HPI. The company I work for has a secure internal server and the medical physician group has a secure internal server; however, if I send an email outside of our internal users then the email is not secure. The physician group is requiring my co-workers and me to send them the full patient name, DOB and last 4 of the SS# or they refuse to talk to us. I say this is a blatant violation of HIPAA. I am basically being told by the company I work for, “too bad, we’re not that worried about it, and you need to do it to stay employed.”

    Is this a violation or not?

    • You don’t specify if any other information besides the name, DOB and last 4 digits of the SS# are transmitted via unencrypted email. If after emailing the basic information you describe, the rest of the information is shared verbally, then it falls into a gray area. We usually advise providers that even associating a patient with a practice using unencrypted email could be considered a violation – if the email is intercepted or otherwise read by a person who is not the intended recipient. Of course, what constitutes reasonable protection of a patient’s privacy may be a little different when the setting is urgent or emergent in a remote fishing village in Alaska, compared to an urban setting.

      You can always ask the patient if it is ok for you to send this initial information via email, and then document their consent, e.g., “Advised patient will send name, DOB and 4 digits of SS# to Physician resource group via regular email”. If more detailed PHI must be sent back and forth via unencrypted email, then you are much more likely to be found to not be protecting the patient’s privacy, remote location or not.

  44. My dental provider sent out a mass email to all patients in his practice “advertising” his new non-dental related business. Is this a HIPAA Violation if so where can I find the laws on this? He did violate the doctor/patient relationship, I just want to know if there is any legal recourse.

    • A non-in-person communication from your dentist wherein he markets other non-dental services to you may be a HIPAA violation of the provisions governing marketing of services without patient consent. You can learn more about privacy rights and marketing at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html. You can also get more current information at this website: http://www.govhealthit.com/news/hipaa-final-rule-clarifies-marketing-fundraising.

      Your dentist should have a Notice of Privacy Practices that you can ask for, and that should tell you how to file a complaint with the Office of Civil Rights.

      The OCR may launch an investigation, but the usual outcome is that the provider stops processes that result in privacy violations. To have legal recourse yourself that could result in damages, you have to show that you were damaged by the communication (vs. just annoyed); for instance the unencrypted email you got identified you as a dental patient and that was somehow detrimental to your situation.

      Please note our comments should not be considered legal advice; for that, contact an attorney. Good luck.

  45. Are consumers allowed to substantiate FSA claim receipts via unsecured email with their FSA claims administrator, I’ve had different experiences with different providers.

    Some allow email of receipts, some tell me it can only be faxed because email is a HIPAA violation.

    • HIPAA does not apply to consumers, at least as users or custodians of their own private health information. So you can choose to email it to anyone in any fashion you choose. Covered entities, including organizations that process or create PHI, must maintain the privacy of that information. Covered entities can use unencrypted email to send PHI, but they certainly are at risk of committing a privacy violation if the information is intercepted or inadvertently disclosed, and they had not obtained a person’s informed consent to use unencrypted email.

      Faxing is considered digitally safe, because a traditional fax does not start as an electronic document or go through servers on the internet – at least until the advent of VOIP technology for sending/receiving faxes and making phone calls. Covered entities using a VOIP solution for phone and faxing should have Business Associate Agreements with their VOIP provider, and make sure the technology the VOIP provider is using meets the HIPAA Security Rule provisions.

  46. Can a statement or ledger of charges I incurred at a Dr’s office be emailed to me when I request it?

    I wanted to see charges from one day, itemized out (needed it for a flex card inquiry). I asked that they email it to me. He stated that due to HIPAA they cannot email, but they can fax it or mail it.

    At my office the faxes come into an Admin Room where others can see the fax, print the fax, read the fax; everything is there for all to see. (It is not medical info per se, but because of the name of the practice they could make assumptions about my medical issues that I do not want made about me. I go for something other than what their name would imply.) If he emails it, it comes directly to my computer, to my email address that is password protected. No one but me will ever see it.

    It is not medical information, it is just charges. Are they HIPAA applicable? How do they feel email is less secure than fax? A fax number can be one digit off and will most likely go through. Emails are more unique and it is less likely that a miss of one letter or number would result in an email address that is actual and being used, which means that the person with the one letter difference gets my Dr bill. Big deal, and very unlikely to happen! The fax number miss will go through.

    Thanks in advance for your reply

    • If an itemized list of services includes dates of service and CPT codes which describe the services provided, it is protected health information (PHI). Providers faxing that type of information to a public or office fax machine, when they have been advised of the setting or asked specifically not to send it via fax, are at risk for causing an unauthorized disclosure of PHI. Faxing from one fax machine to another is considered secure from the standpoint of using an electronic means to send information; that is, it is not subject to unauthorized interception while en route. Of course there are other possible errors that can creep into faxing as you point out, but those errors fall outside the parameters of the HIPAA regulations.

      PHI can be emailed, but unless it is sent via an encrypted email application, we always advise providers to obtain an informed consent to send PHI via email. An informed consent would include telling the recipient that unencrypted email is subject to interception by other parties, and cannot be considered secure. If you elect to receive your information via such an email, at least you were warned and can decide if you want to risk using that method. The risk of interception and misuse is low, but not entirely absent.

      Most employers also specify that emails sent and received on your office computer or network are the property of the employer, and you have no expectation of privacy of the information if the employer decides to review it.

      There is always snail mail, if everything else is unsatisfactory and time is not of the essence….Good luck!

  47. Jim, We correspond with the billing office, part of our organization, and send internal encounter numbers in the subject line. This encounter number is associated with the patient’s visit for the date of service we are referring to. Our Compliance Officer just informed me that we are in HIPAA violation. This is really the first time that I have heard of this and wondered where it came from. Hence, I found your site. Could you give me the HIPAA violation we are committing so that I can send out an e-mail to our billing office? We thought we had a fail-safe way of communicating our needs without disclosing PHI. Thank you. I enjoyed reading all the other questions and responses.

    • You do not specify what the “internal encounter number” looks like, or what type of email system you are using to communicate with the business office. Some systems incorporate some of a patient’s name into the account number for the patient, making it potentially easier to figure out who the patient you are referring to is. Email systems that go outside the organization’s server can also be problematic if they include PHI. In general, you must protect the privacy of the PHI. You can accomplish that by 1) minimizing the PHI you put in an email; 2) using a secure email application; or 3) making it impossible to identify the patient whose PHI you are including in the email. If your internal encounter number is not subject to being “solved” to identify the patient, you are probably not violating HIPAA Privacy rules.

  48. I wasn’t able to read each entry in this string, so I apologize if it’s been previously covered. My question involves medical record requests.

    Our practice frequently sends entire medical records to our patients’ attorneys. The requesting attorneys always send a release with their requests, except for the cases of workers’ comp requests, which they claim is not legally bound by HIPAA regulations.

    Can medical records be sent via email, if all of the prescribed precautions and privacy measures are adhered to?

    • HIPAA Privacy Rules contain an exception to the requirement for a release of medical records information to be authorized by the patient (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/workerscomp.html), but even without an authorization, covered entities (like your practice) must maintain the confidentiality of those records when releasing them. Medical records can be sent by email, but in that circumstance it would be highly advisable to have the patient’s consent to releasing medical records using email – unless you utilize a secure email application that encrypts the message and attachments you are sending. It is one thing to send an email with some PHI; releasing an entire medical record via email is potentially a much bigger issue for the person who is the subject of the record.

  49. Jim,
    We are implementing a new system, but in order to communicate with some of our own employees from the system we would not have secure email as we do within our own system. My question is, what information can I use to notify a dept that I need a record scanned, or a status changed, or a denial was issued? I know I cannot use the name, but can I use the hospital stay number (acct number) all by itself, or would that number be considered a HIPAA violation even if it is not coupled with any medical info?
    Thank you.

    • Use of just a hospital account number or medical record number, with no additional identifying information, would not be considered a release of PHI. Just make sure that the number you are using is sufficient to identify for the recipient the record you are asking to be scanned.

  50. We outsource our billing. The billing company occasionally emails us patient names and dates of service when they need additional info to submit the charge. HIPAA breach?

    • A patient name, dates of service and the name of the practice (identifiable from some other information in the email or even in the response that you send) could be considered PHI. We recommend you find another way to have the billing service identify the patient for whom they need additional information. Or better yet, require the use of a secure email application!

  51. Jim,

    What must be done if the patient does not agree to receive PHI in unencrypted email or unencrypted text message? What are the options?

    What is the safe harbor and is it really new?

    • There are no “safe harbors” when it comes to protecting the privacy of patient information, especially PHI.
      Some Options when a patient does not agree to receive PHI in unencrypted email or text:
      1) Don’t send the patient unencrypted emails or texts containing PHI!
      2) Ask the patient for a confidential fax machine and fax the information.
      3) Send the information via US Mail.

      Patients who don’t want PHI sent in unencrypted email or text are telling you where the bar is for communicating with them. You don’t have any choice but to respect their preferences.

  52. Hi, my practice recently sent out a mass email to all our patients notifying them that we moved and changed our practice name. We did not use the BCC option in the email and all the recipients can see the other individuals’ names and emails. Other than their names associated with their emails, nothing else but our new office name and address was in that mass email. Is this a HIPAA violation, and if so what do we do to correct this?
    Do we send out another email telling everyone about the breach and apologize? Is that enough legally, or is there something else we need to do? Did we violate the HIPAA laws?

    • There are two things to consider when using email:
      1) Many people do not take seriously the possibility of unencrypted emails sent to them being intercepted and read by someone else, but it certainly is possible. And there is no protection for unsecure text messages. Text messages stay in the cloud, possibly forever, and upwards of 40% of text messages are sent to the wrong number.
      2) In some situations, just disclosing the name of a physician or practice that a patient is in or has visited could be considered an unauthorized disclosure about a patient. This may be a very limited disclosure of PHI, but even that much information may be sensitive for some people.

      For these reasons, we recommend not sending any emails to a patient unless they have authorized you (preferably in writing) to communicate with them in writing, and specified what can be sent via email, e.g., appointment reminders, requests to contact the office, etc.

      You may also have an issue with disclosure of email addresses, which are considered personal information in some states, and require a breach report at the state level.

      So what to do? Depending on how many email addresses were disclosed, you may have to publish a notice in the local paper as well as notify patients and file a breach report. You may want to start by sending a letter to your patients asking any of them who were concerned about receiving your mass notification email to contact you regarding their email preferences. You should also make sure your policy states you only send emails to people who have consented to receive emails from your practice, and that you will not send PHI via email unless it is encrypted.

      If you get little or no response, you may decide not to continue with a breach report. If you get several responses showing concern, you should seriously consider reporting this as a breach. You can find the breach regulations at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.
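      The mistake in question 52 (every patient in the To header) and the fix (practice address in To, patients in Bcc) can be checked mechanically before a mass notice goes out. The block below is an added example written for this page, not code from the site or any product it mentions; it uses only the Python standard library, the addresses and notice text are constructed for the example, and it mirrors what smtplib.SMTP.send_message does on the wire (delivers to To, Cc and Bcc, but strips the Bcc header from the transmitted message).

```python
"""Build a mass patient notice without exposing the recipient list, and check it before sending."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for this example; not real addresses or patients.
SENDER = "frontdesk@example-clinic.invalid"
PATIENTS = [
    "patient.one@example.invalid",
    "patient.two@example.invalid",
    "patient.three@example.invalid",
]
NOTICE = ("Example Clinic has moved to 123 Main Street, Suite 200. "
          "Our phone number is unchanged.")


def _base_message(sender, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_naive_notice(sender, recipients, body, subject="We have moved"):
    """The mistake from the question: every patient address in the visible To header."""
    msg = _base_message(sender, subject, body)
    msg["To"] = ", ".join(recipients)
    return msg


def build_mass_notice(sender, recipients, body, subject="We have moved"):
    """Practice address in To, patients in Bcc: no recipient can see the others."""
    msg = _base_message(sender, subject, body)
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read in the delivered copy: the To and Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(addr for _, addr in pairs)


def envelope_recipients(msg):
    """Where the mail is actually delivered (To + Cc + Bcc), as smtplib.send_message computes it."""
    pairs = getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return sorted(addr for _, addr in pairs)


def wire_copy(msg):
    """The message text as smtplib.SMTP.send_message transmits it: Bcc header removed."""
    on_wire = copy.copy(msg)
    del on_wire["Bcc"]
    return on_wire.as_string()


def exposed_patient_addresses(msg, patients):
    """Patient addresses that other recipients would see in the delivered message."""
    return sorted(set(visible_recipients(msg)) & set(patients))


def safe_to_send(msg, patients):
    """Pre-send check: True only if no patient address is visible in To/Cc."""
    return not exposed_patient_addresses(msg, patients)


if __name__ == "__main__":
    naive = build_naive_notice(SENDER, PATIENTS, NOTICE)
    good = build_mass_notice(SENDER, PATIENTS, NOTICE)
    print("naive notice exposes:", exposed_patient_addresses(naive, PATIENTS))
    print("bcc notice exposes:  ", exposed_patient_addresses(good, PATIENTS))
    print("bcc notice delivered to:", envelope_recipients(good))
    print("safe to send:", safe_to_send(good, PATIENTS))
```

      The check only covers the header leak. Whether the practice name in the From line or subject is itself a disclosure for a given patient is the separate consent question discussed in the answer.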

  53. Our secretary accidentally sent a corporate email meant for the business manager in our building, and it was sent to all of corporate. It had patient information for billing purposes. She was terminated for it for violating HIPAA. Our system is MS Outlook/365 and it is encrypted. I am the Dietary Manager and get sensitive messages sent all day long, but since it is corporate encrypted email, it is within protocol… So how could her mistake be a violation?

    • It is not clear from your note just what PHI was included in the email. The issue is not so much that it may not have been encrypted but that PHI is to be shared on a “need to know” basis. Sending PHI to a lot of people who do not need that information in their duties is a violation of HIPAA. I hope the sensitive messages you are receiving are necessary for you to carry out your job duties!

      It is possible to encrypt messages using MS Outlook/365, but the sender also has to have the key to decrypt the message. Hopefully the email set up you are using takes that into account.

  54. This is the most helpful website I have found in 2 days of searching!! BUT I have a situation not mentioned previously. I gave a patient my private/home email address to send me a link to a public website that he wanted one of our doctors to view. No personal nor healthcare information would be exchanged. No discussion regarding his care, diagnoses, etc. I was harshly reprimanded that I was in gross violation of HIPAA laws by my employer. What do you think? (It is a long and sordid story as to why he did not/could not email this link to our office directly.) ANYONE’S opinion would be appreciated tremendously! Thank YOU!

    • It is hard to see how receiving an email from a patient with a link is a HIPAA violation if it did not include any information about the patient, why he was sending the link, etc. It is always questionable to give out your personal email address to someone since you don’t know where it will go or how it will be used in the future. Next time, copy the link over the phone.

  55. Good morning,
    Our company is trying to determine if there is any violation when using an email (sent from the client to the clinician) as part of the client’s EMR. We have been told we are unable to use them as an email and that they need to be converted to a Word document. Is there a HIPAA rule regarding medical records using personal emails in the EMR?
    Thank you for any help you can provide.

    • It is not clear what role your company has in the process of recording an email originated by a client (patient?) into the “client’s” EMR. As noted in other responses to questions about email, HIPAA rules are not specific about any particular technology or practice. Instead, creators, users and maintainers of PHI must safeguard PHI from unauthorized disclosures.

      It is good practice to record all messages from patients in the medical record, electronic or otherwise. Capturing the contents of an email from a patient in an EMR would be in accordance with that good practice. But you do need to be certain that capturing the email as an electronic message, as opposed to scanning in a Word document or pdf, does not result in any vulnerability for the EMR system, such as allowing viruses, trojans, etc.

  56. We are the billing service for healthcare professionals. We have our own email server, am I allowed to email my coworker about a patient & name the patient in the subject matter?

    Thank You

    • You don’t specify the information in the body of the email, but it certainly may contain information that would be considered PHI. So it may be better to use the patient account number in the subject line, unless the body of the email also contains the patient’s name. In any case, you want to make sure such emails do not go outside of your internal server, and the server is protected from unauthorized access.

  57. Is it a HIPAA violation to send a log of medical record numbers (to track productivity) via email (internal secure). The only information listed on the form are the medical record numbers. Would there be a difference if only account numbers were used?

    Thanks for your input

    • Information like a list of medical record numbers (or account numbers) would not even rise to the level of being PHI, unless there was some way a person could associate the MR or account number with the patients and therefore identify them. Sending a list via secure internal email would not constitute an unauthorized disclosure.

      • Jim,

        I work with ADT (admissions, discharge & transfer) datasets extracted from an EMR for productivity analysis.

        These datasets do not contain anything that could directly associate to an individual patient at present, however for a deeper analysis I want to track multiple visits by an individual.

        Based on what you’ve said above it sounds like I could use their account number or medical record number for this.

        For this deeper analysis I would want to include that identifier in the report. The recipient would be someone authorized to use the EMR system from which the data originates (in most cases it would be the attending physician).

        I am aware that #8 & #18 on the HIPAA Privacy Rule identifiers are “Medical record numbers” and “Account numbers” respectively. (source http://www.oshpd.ca.gov/Boards/CPHS/HIPAAIdentifiers.pdf)

        To protect the data I plan to encrypt the value stored in the database (“at rest”), and all communication will be TLS encrypted (“in transit”) from the database server to the application server to the web browser.

        Is that all I really need to do to handle this in a compliant way?

        • I think you have covered enough bases to defend yourself against a claim of a breach in case the data files were ever hacked into. The standard is to take reasonable precautions, which you seem to be doing. Of course the recipient needs to maintain those protections when he or she receives and stores the data locally.
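        The two identifier questions above (question 47, where an encounter number may be “solvable” back to a patient, and the ADT follow-up to question 57, where visits must be linked per patient without carrying the MRN in the report) share one technique: replace the raw MRN or account number with a keyed pseudonym. The block below is an added example written for this page, not code from the site, the EMR, or any product mentioned; it uses only the Python standard library. The ADT rows, the fixed example key, the 16-character truncation and the name-fragment heuristic are assumptions made for the example; in practice the key would be generated with new_key() and stored apart from the reports.

```python
"""Keyed pseudonyms for MRN/account numbers: linkable in a report, not solvable without the key."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Fixed key so the example is reproducible (assumption for this example only).
# In practice: KEY = new_key(), kept in a secret store, never in the report or the email.
KEY = bytes.fromhex("8f3a6c1d2e5b4a79c0d1e2f3a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7")

# Constructed ADT-style rows (medical record number, date, event); not real patient data.
ADT_ROWS = [
    ("MRN-100234", "2016-03-01", "admit"),
    ("MRN-100234", "2016-03-04", "discharge"),
    ("MRN-557812", "2016-03-02", "admit"),
    ("MRN-557812", "2016-03-02", "transfer"),
    ("MRN-100234", "2016-05-19", "admit"),
]


def new_key():
    """256-bit random key for HMAC; rotate it and the pseudonyms change."""
    return secrets.token_bytes(32)


def pseudonym(identifier, key=KEY, length=16):
    """Deterministic keyed token: same MRN -> same token under the same key.
    Without the key the token cannot be turned back into the MRN; with a different
    key the same MRN gets a different token, so reports under different keys do not link."""
    canonical = identifier.strip().upper().encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:length]


def pseudonymize_rows(rows, key=KEY):
    """Rows as they would appear in the productivity report: token instead of MRN."""
    return [(pseudonym(mrn, key), date, event) for mrn, date, event in rows]


def admissions_per_patient(rows, key=KEY):
    """Multiple visits by one patient link through the shared token."""
    counts = defaultdict(int)
    for mrn, _date, event in rows:
        if event == "admit":
            counts[pseudonym(mrn, key)] += 1
    return dict(counts)


def resolve(token, candidate_mrns, key=KEY):
    """Re-identify a token. Needs both the key and a list of MRNs (i.e. EMR access),
    which is exactly the position of the authorized recipient in the question."""
    for mrn in candidate_mrns:
        if hmac.compare_digest(pseudonym(mrn, key), token):
            return mrn
    return None


def embeds_name(identifier, last_name, min_len=3):
    """Heuristic for the 'solvable' encounter number in question 47: flags identifiers
    that carry a run of letters from the patient's last name (e.g. SMI-2016-0042 for Smith)."""
    ident = "".join(ch for ch in identifier.upper() if ch.isalpha())
    name = "".join(ch for ch in last_name.upper() if ch.isalpha())
    if len(name) < min_len or not ident:
        return False
    return any(name[i:i + min_len] in ident for i in range(len(name) - min_len + 1))


if __name__ == "__main__":
    for row in pseudonymize_rows(ADT_ROWS):
        print(row)
    print("admissions per token:", admissions_per_patient(ADT_ROWS))
    print("SMI-2016-0042 for Smith leaks name:", embeds_name("SMI-2016-0042", "Smith"))
```

        The pseudonymized rows still let the analyst count visits per patient, while the report itself carries no MRN; re-identification needs the key and the EMR's MRN list, which the attending physician already has. Truncating to 16 hex characters keeps the column short at the cost of a small collision chance; drop the truncation if the population is large.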

  58. Would a person’s full name, date of birth and doctor’s name on paper, faxed to a non-covered entity, be considered ePHI?
    thanks

    • While faxing is considered a secure method of transmission (since faxes are not subject to interception the way information sent over the internet potentially is), sending something via fax does make it ePHI since it has been changed into an electronic format.

      While the information you describe seems minimal, some people may feel just the fact that they are visiting a specific physician should not be disclosed without their authorization, visiting a mental health professional, for example.

      You do not specify why this information is being sent to a non-covered entity. Unless that entity is a business associate, you may need authorization from the patient to share the information. This is especially true for information that is shared for marketing purposes. While you don’t need authorization to share information for healthcare operations, it is hard to see why the information you describe would be shared with a non-covered entity that is not a business associate.

  59. Can a person’s full name, date of birth and proprietary ID number be considered PHI? Ex: Joe Doe, 11/24/1955, 145697856697.
    thanks

    • The information you list does not seem to include any “health” information, so it would not be considered PHI. Many states do have laws and regulations concerning the privacy of identifying information like birth date, Social Security number, etc. So depending on what you are doing with the information you describe, you should check your state laws/regulations on protecting such information.

  60. If I text a colleague using my personal phone to their personal phone a patient’s first name and last initial, stating “they will need to have their R and R completed”, is that a HIPAA violation? No other identifying PHI was disclosed. I was going to be out sick and wanted to make sure my appt. was covered.

    • This minimal amount of information may not be seen as a violation. Just keep in mind how easy it can become to include additional information in other circumstances that leaves you vulnerable to appearing not to protect the privacy of patient information.

  61. We externally emailed as an attachment a password protected Excel spreadsheet containing PHI. The email was sent to a consultant with whom we did not have a signed Business Associate Agreement in place.

    We are conducting a risk assessment to see if we need to report to OCR. Does the act of emailing PHI outside our organization count as an “unsecured” transmission if the PHI data itself is encrypted?

    • Password protection is not exactly the same as encrypting a file, but you may have a larger issue with sharing PHI with a consultant with whom you do not have a business associate agreement. Barring some fact about the situation you have not mentioned (such as you didn’t send the consultant the password so they can’t open the file), sharing PHI in this fashion definitely could be considered an unauthorized disclosure, making it reportable and requiring notification to patients affected and reporting to the Secretary of HHS as a breach.

  62. If we asked the patient for an email address to send electronic records, is it HIPAA compliant for them to give us a friend’s or family member’s email to receive their records?

    • If you are sending them somewhere besides directly to the patient, it would be advisable to get such instructions in writing. Regular email is not a secure method of sending PHI in any case, and using another email address besides the patient’s adds another factor that leaves you vulnerable to an unauthorized disclosure, e.g., if the friend or family member forwards the records somewhere else.

  63. I sent a picture of a patient’s wound to my office. I do home health and my agency really hasn’t done anything with what I’ve reported. Is it a violation when my phone, email, and the agency’s email are encrypted? Thank you!

    • It is not clear what you mean by your agency hasn’t done anything with what you reported.

      In any case, if you are using a secure email application to send a file containing a picture, that should not be considered a HIPAA violation. You mention your phone is encrypted. Make sure you mean everything on your phone is encrypted (rendered undecipherable), not just password-protected. Of course, you can consider deleting a picture after you have sent it so it won’t be found on your phone in the future.

  64. Hi Jim,

    We are an outpatient surgery center that uses CTQ solutions (which is on a secure website and is HIPAA Compliant) as our patient survey. If the patient has not shared their email with the surgeon, we ask if they would like to share their email with us and have a survey emailed to them, or we can provide them with a paper copy. One particular patient had shared an email (which turned out to be her husband’s email address) with her surgeon, which we put into our EHR. When checking in at our front desk, we have our patients verify that all their information, including their email, is correct. The survey was emailed to her. The survey was filled out, but a comment was left that stated that they felt this was a HIPAA violation. This patient has no other email, and she and her husband share an email. Of course we find this out after he has opened this survey. The survey has no information other than the patient name on it. It simply asks for comments or suggestions pertaining to a surgery that happened on 12/00/00. A password is required to go on with this survey also. So, could you tell me, are we in a HIPAA Violation? We don’t know when the email address is put in if it is in fact the patient’s or a family member’s.

    • You are a real-life example of a situation we often warn people about when it comes to using email for communications: you can’t always be sure who is actually reading the email on the other end! A further step we recommend is to have patients fill out a form where they identify the methods the provider can use to communicate with them, e.g., phone, with messages left or not; by email, with the email address specified and what can be sent; by text message, etc. This gives you some of the protection of an informed consent on the use of communication methods, which is ever more important today. I am sure someday there will be a case where the patient has supplied an email address, but decides later they didn’t think you were going to send PHI via the email! And in any case, you should avoid sending PHI via email unless you are using a secure email application.

      I would say using an email that the patient shared to send a message about filling out a survey is not much of a HIPAA violation, if it is one. You can make it more general by saying it is pertaining to a service the patient had on the date. Hopefully most people will remember the service was surgery!

      Remember, the HIPAA Privacy regulation requires a covered entity (and business associates) to protect the privacy of patient health information. It is not specific to any particular technology or policy. So always ask yourself if your actions would be seen as protecting patient privacy before you adopt a process or technology.

  65. I am designing a healthcare app for iPad use. The application contains PHI in terms of treatment options & choices. If we do not enter any patient names, phone numbers, addresses, DOB, or emails but instead only use an ID #, are we still held to HIPAA PHI requirements & standards? Thanks.

    • If the only identifying piece of information is a unique ID # that is not otherwise linked to the PHI you are sending, you probably would be found to be adequately protecting the privacy of the PHI. Many people try avoiding the use of patient names or other identifying data, but think about using identifiers like patient initials or first name and last initial. This has the potential for confusion about who the patient really is, so a unique ID #, that must be accessed separately is one way to avoid confusion.

  66. When emailing medical records, is it required to email with a secure email that requires the recipient to use a username and password to access the medical records, or would a secure encrypted email with a document attachment be compliant? I cannot seem to find an answer to my question as the references use “secured” or “encrypted”. What is secured? Would that be the same as encrypted?

    • “Secured” usually applies to a method of transmission, for instance an internet site with “https” instead of “http”. Messages/emails sent via an https channel are encrypted during transmission, usually using 128-bit encryption technology. “Encryption” usually applies to using technology to make files undecipherable without the use of the encryption application and appropriate password (key). Sending medical records in unencrypted files via a secure email application as you described above, is usually considered sufficient for HIPAA compliance purposes.

      I hope this helps!

  67. Can the guardian of a child in a residential placement request/receive any email correspondence between the residential site and the outpatient clinic from which the child was referred?

    • Typically, email correspondence is not part of a medical record, so it may not be a requirement to furnish it under state laws governing the content and releasing of medical record information. However, you can ask the outpatient clinic to copy you on emails they send to the residential site, but they do not necessarily have an obligation to agree to your request.

  68. As an employee at an off-site location of a hospital, I was asked by my manager to provide a doctor’s note by “scan” and send. I inquired if I was to scan and then email to the manager, and if I was, then I was not comfortable as the script has PHI and I would prefer to drop it off directly to HR or fax it directly to HR. The manager stated email was more secure but would be over to pick up a copy. (This is AFTER our office received an email from the manager stating that we were not to be using emails to send patient information that contained PHI because it is not secure.)
    My question is this: if my manager scanned the document I provided her (that has my PHI) and then sent that via email to HR, is that in violation of HIPAA and my rights, as I personally requested NOT to send via email and that IS in writing? The manager is NOT a provider. Thank you for any feedback.

    • If I understand this correctly, your situation is a little murky. The PHI you refer to was created by a physician who was not part of the hospital. That physician has an obligation to protect it, but since it is something about you in your possession, it is up to you to use it; HIPAA regulations do not apply to you as an individual in possession of your own information.

      Email is not secure (unless it is a secure email application), while fax as a method of transmission is secure (unless it involves using the internet to send the fax, vs. a landline and fax machine).

      Once you turned over your copy of the information to your manager, she had a duty to maintain it as confidential, not due to HIPAA, but due to internal hospital policies on protecting employee information (to the extent they exist), or possibly state laws on protecting the private information of employees. You might ask the HR department how it protects medical information about employees, and what managers are expected to do when they are in the chain of custody of such information.

  69. I am a home care nurse, and my agency does not give its nurses laptops, cell phones or any other device for documenting patient care, confirming appointments, etc. All of the nurses use their personal laptops and email the patient’s records of care to the office in an attachment. I know that my laptop is not encrypted. We use our own personal mail addresses through our own service providers (mine is AOL). I questioned the owner about this when I first started, and he brushed it off (with good reason, I’m sure). I have dozens of patients’ medical records stored in my laptop, with identifying information as well as medical history, treatments, etc. Sometimes we use an agency-configured computerized document (created with Excel) to chart, and sometimes we have to write the treatment on paper with a pen, scan the documents and then email them to the office. We do not use Outlook or any other program, just our personal emails. I have scoured the internet looking for the answers and can’t find any. I’m sure the reason is that compliant home care agencies give their nurses laptops or tablets with medical record programs that get transmitted through an encrypted system. My agency won’t spend the money on laptops or tablets; they just want us to use our own electronic devices. Is this legal? I don’t want all this PHI on my personal laptop, for a variety of reasons, first and foremost being the HIPAA violations. Is a home care agency required to distribute “official” laptops/tablets/cell phones to nurses for contact with patients, patient record keeping, etc., that is transmitted via an internal, secure network? I do not exchange emails with patients, but I confirm appointments via texts and telephone. All of the medical information transmission is between my personal laptop and the agency, over whatever Wi-Fi service I can access, and many times that is a public connection. I’d like to know where I can find this information to present to the boss/owner of the agency. Thanks.

    • A home care agency is not required to furnish laptops/cell phones to its field personnel, although many do because it increases the efficiency of the operation. Does your agency employee handbook or your employment terms and conditions require you to utilize specific personal equipment like tablets or cell phones? If so, state labor laws and regulations may bear on whether your employer can require you to use your own equipment for business purposes without compensating you for such use, or furnishing the required equipment.

      You are right to be concerned about creating, maintaining and storing PHI on your computer without encrypting it. You can download free encryption software and encrypt the files yourself, and password protect the computer so even if it were lost or otherwise accessed by someone who shouldn’t receive the medical information on it, it would not become an unauthorized disclosure.

      It is also problematic to send files containing PHI via non-encrypted email. Although there are no specific prohibitions against sending PHI this way, if the email were hacked or otherwise intercepted, the organization certainly could be found to not be protecting the privacy of PHI because it did not use more secure methods of transmission. You can find some information on using email at http://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html.

      • The agency requires nurses to have laptops and cell phones. They want the patient records to be transmitted electronically. Even if the records are not electronic, and are written with pen and paper, they want the paper to be scanned and emailed to the office.

        My point is that I shouldn’t have to do anything “special” to my own personal laptop just because my agency is making me use my own laptop. I purchased it myself, and until the agency either pays for it or gives me one of theirs, I am not downloading encryption software or password-protecting anything. I didn’t do it before, and I am not doing it now.

        Interestingly enough, a virus crashed the hard drive on my laptop 2 days ago, and I cannot access any of the patient information on it. I am going to have to pay someone to recover and transfer the data on it because I do not know how to do that. That is definitely not HIPAA compliant, because a completely unrelated third party is going to see the protected health records while they are transferring the data. Even if I didn’t want to transfer the patient data, it is going to appear because it is all stored in Microsoft Word with all of the other documents I have and want to recover/transfer.

        Additionally, a few months ago I received an email from one of the secretaries at the agency, and I was suspicious of it. Shortly thereafter, I received an email instructing me not to open that email because her computer was hacked. How can their system be secure when stuff like that is happening?

  70. My dad is on life support in another state; he’s going on 2 months now. Is the hospital allowed to email me updates on his condition?

    • The hospital in this situation is required to protect the privacy of the protected health information (PHI) it is creating and maintaining about its patients. Typically, before disclosing information about a patient, the institution gets permission from the patient to release information when asked, or otherwise makes a good-faith effort to identify a person or persons who may be authorized to receive information. The use of email by covered entities is not prohibited, but unless the hospital is using an encrypted email application, it could be found to be enabling non-approved disclosure of PHI by transmitting it via a non-secure method. Of course, email is also a little more cumbersome since there may be a lot of information to convey about a person on life support. Ask the hospital if it has a policy against using email to provide these updates. They may ask you to sign a statement to the effect that you understand the risks of using non-secure email, but want it used anyway. They may also say they just won’t provide the information via email, and there is no requirement that they do so.

  71. If you are a HIPAA compliant company, can you share limited medical information with departments such as Human Resources/Benefits or the department the associate works in via email? What if the company is NOT HIPAA compliant; can you share limited medical information with departments such as Human Resources/Benefits or the department the associate works in via email? Thanks for your help.

    • I am not sure what you mean by a HIPAA compliant company. Organizations are described as covered entities (healthcare providers, insurance companies, etc.) or business associates of covered entities. Covered entities are usually organizations that create or maintain protected health information (PHI), while business associates usually receive PHI from covered entities as part of the services they provide to covered entities. Covered entities and business associates are required to protect the privacy of PHI they create, maintain or otherwise receive. A company that is not a covered entity is not required to comply with HIPAA Privacy regulations when it handles or communicates medical information about employees. Of course it may have a duty to safeguard the confidentiality of such information, possibly described in its own policies, but HIPAA would not apply.

  72. I am working on a case study in the book related to the e-mail breach of privacy.

    The child is diabetic. He maintains his personal digital assistant, hand-held device, that interfaces with his glucometer and provides information based on inputted data from him and his parents. This information is transmitted to his MD/hospital, school nurse, case manager, and to the parents’ home computer.

    The case manager sent an e-mail to his parents via their home computer asking them to bring the child in for an assessment. She was in a hurry and decided to add more information to the message than normal, reviewing with them the importance of maintaining control over the diabetes and expressing concern since he has not checked in with them lately. She told them that she thinks he might be over-doing it since he is trying to play football. She asked how they are doing and if they are still attending their counseling sessions.
    The email was sent by his 4-year-old sister to all of the diabetic lists that both his parents belong to. The parents are outraged.

    Few questions:
    1. How would you feel in this situation if you were the person who sent the e-mail?
    2. What is the problem?
    3. What ethical principles would guide you in this case?

    • If I were the person who sent the email to the parents with these concerns, I would be concerned about emailing PHI using a non-secure email application where the email includes PHI, e.g., the diagnosis of diabetes, etc.

      There are two potential problems:
      1) The case manager may not have had consent from the parents to communicate about the child and his PHI via non-secure email, although many people are very casual about what they share, and give others permission to share, using email. Providers should always be the party reminding patients to think about how secure a personal email address is, and whether there is personal information about their medical condition they would not like to be shared on Facebook, etc.
      2) The email address used is accessible by others in the household, who may or may not be privy to the medical information to begin with, or how to handle it when it is received. We usually cite various examples of how a family email address may compromise the privacy of one person’s information, but the 4 year old sharing it with other parties is a new one, and very illustrative of how you cannot always depend on maintaining privacy, even in family settings.

      The ethical thing to do is to apologize for the case manager’s role in disclosing information that the parents considered private. If the case manager did not follow the parents’ instructions on how to communicate with them, then it may be necessary to notify the parents of a breach of their son’s PHI by sending it via non-secure email. The case manager did not distribute the information to other parties, but she surely facilitated it. Of course, the parents should be a little outraged at themselves for not realizing another family member could access and share email messages about her brother’s condition. Lessons to learn all around!

  73. I process billing for a doctor’s office. On occasion, bills are returned due to a wrong address on file. I’ve considered sending an invoice to the patient via email as an attachment. Invoices include patient name, address, and services rendered. If I were to send these via email, would we be in violation of HIPAA?

    • We strongly recommend communications via email with the information you are listing (which is PHI, by the way) not be sent unless 1) the patient has agreed to receive such information from the practice via email, or 2) you are using a secure email application to send the information. Even then, you cannot be certain the person opening the email at the other end is the person you are trying to communicate with. We recently received a comment from a provider that sent information about a minor with diabetes to the parents because they had not been responding to phone calls. The email was opened by another sibling, who forwarded it to all the email addresses of a couple of juvenile support groups the parents belonged to. Needless to say, they were very upset about this unauthorized disclosure!

      Whenever there is a potential unauthorized disclosure and a complaint is made to the Office of Civil Rights of HHS, an investigation can be started. And during an investigation, all aspects of the way covered entities and business associates protect PHI can be examined. CEs and BAs are being fined for not protecting PHI – even if there was no actual unauthorized disclosure. So even if there is no evidence that an unencrypted email was ever intercepted and read by anyone else, the OCR may take the position that the CE/BA should have known an email could have been intercepted and should not have used such a communication method without the consent of the patient and/or the use of protections such as an encrypted email application.

  74. Hello, I work for a healthcare consulting company, and an email containing PHI was sent to an MSO we have been working with without encryption. The report attached contained patient health plan member IDs and patient addresses and DOBs. How do we handle and repair this?

    • Although elements like member IDs, addresses and DOB are identifiers, those items themselves (if they are the only things on the report you mention) are not PHI in and of themselves. PHI would include information in a designated record set such as diagnosis and treatment information. If this type of information was not in the report, then there may not have been an unauthorized disclosure of PHI.

      That said, many states have regulations about disclosure of information that can be used by identity thieves. You should review the regulations of the state the MSO is operating in to see if the MSO has an obligation to notify the individuals or state officials on the potential disclosure of private personal information. And then you should advise the MSO to use encryption method(s) to protect information that is going to be sent via email, like encrypting files before emailing, or using an encrypted email application. There are free software applications that enable users to encrypt files before emailing or even loading into FTP sites.

  75. If patients have given our practice their email on their new patient information, can we send out our office newsletter to them with the option to remove their email if they don’t want to receive future editions?

    I am a surgeon and I have had patients send me texts on the weekend as they have my cellphone for emergencies. I call them back and try not to communicate via text. On occasion, they have requested to send a picture of their wounds…is this a violation if they request? The only PHI would be their phone number that it comes from…

    • We usually recommend practices document the methods by which patients agree to receive information, including phone calls, messages on answering machines, emails, texts, etc. Texting is a particularly vexing subject since, until recently, there weren’t any easy-to-use encryption methods for text messages. Texting is so convenient, for both parties, that it will probably continue despite the risks. These include the fact that text messages may stay on servers somewhere for an indefinite time and later be viewed by someone who was not an intended recipient.

      It is not a violation on your part if someone elects to send something like a picture of a wound. They should be made aware of the risks of sending such a text, which you can do when you document their communication preferences. And you should not keep such texts in your phone any longer than necessary.

  76. In private practice, and we have a patient portal. Clients that choose to opt in to electronic communications receive appointment reminders and also invoice reminders and payment statements. These invoice and statement reminders have their name, invoice # and amount and/or payment amount, and advise them that for anything further they should log into the secure patient portal. We have a BAA with the portal company, and the patient has agreed to these communications. Does this sound like proficient security, and does this sound like a good practice? Or should we just stick to sending encrypted email invoices that advise them they can pay in the secure patient portal?

    Thanks for your time
    WJ

    • It sounds like you are doing everything we would recommend to a practice that is utilizing a portal. I assume the portal is accessed via an encrypted channel (https), and that you are documenting the patient’s consent to utilize the portal. Such consent is usually built into the message a patient gets when invited to begin utilizing a portal. Congratulations on improving the ease and security of communications between your patients and your practice!

  77. Hello,

    I work in a large hospital. At the end of our shift we are required to send a census email to the next shift with a list of inpatients that are hooked up and being recorded/monitored. This email includes the patient’s first and last name, the room number, the recording machine number, the referring doctor’s name, and the start date/time of the brainwave recording. The only facility-identifying information on the email would be found in the employee recipient’s email address, which is the employee name @ blank health . com. On the subject line of the email we indicate the date/time of the census, and we are supposed to include the word “SECURE”. Occasionally someone forgets to put the word secure. It does not change the recipient’s view. This is sent using Microsoft Outlook, which is what the entire hospital uses. Last week I accidentally sent my email to a fax machine number “address” rather than a regular email address. I did not get a failure notice. I contacted our IT department after the fax number address was brought to my attention, and the IT department said the fax number was nonexistent. Does this require me to report this to the HIPAA compliance department? My manager is insisting that I fill out a HIPAA violation report and turn it in, since it is of great importance that the compliance committee investigate where this email ended up. (It was his fax machine number that was unintentionally selected as a recipient.) No one can seem to identify the location of this fax machine. I believe it was an old fax machine number that had not been deleted from the global address phonebook. Would this be considered a HIPAA violation? Thank you.

    • This could be a HIPAA violation, so the Compliance Committee should go through the process of evaluating the possibility of unauthorized disclosure as outlined in the 2013 Omnibus Final Rule. If this really is a nonexistent fax number, then the Committee may conclude there is a low risk that an unauthorized disclosure occurred, and there is no breach.

  78. The company I work for has online appointment scheduling on our website for client facilities (doctors’ offices). We had a patient send an email to complain that the doctor’s office cancelled the appointment. In the patient’s email, the patient disclosed PHI. This email was accidentally forwarded to the doctor’s office with the PHI (that the patient supplied). Is this a violation, given that the patient disclosed the PHI? We have a business associate agreement with the doctor’s office.

    • Cindy, it is not clear if the patient understood that when he or she sent the email complaining about the cancellation that it was going to your company, or to the doctor’s office. If patients think they are communicating directly with the doctor’s office, then you may have an issue with forwarding an email with PHI via an unencrypted email application. As a business associate, you have an obligation to tell the covered entity (the doctor’s office) that there may have been a breach. Your organization and the doctor’s office should evaluate the breach using the criteria in the 2013 HIPAA Omnibus Final Rule. Then you should decide on whether your organization or the doctor’s office will notify the patient.

  79. I work for an optometrist’s office. We are getting a lot of requests for glasses prescriptions and receipts to be faxed or emailed. We generally only fax prescriptions to another office where the patient might be getting glasses. But with the increase in internet sales we are getting more and more requests from patients wanting their prescriptions. So we are getting a lot of patients that want us to fax or email their prescriptions to them. What is the correct way of doing this under HIPAA? Thank you.

    • There are a couple of things you can do. First, ask patients if they have a preference on how to receive information after they leave the office, e.g., emailing, faxing, etc. Document their response, with a form if possible, otherwise with a dated note in the record of what they authorized for such communications. If you are receiving a request over the phone, verify whether the fax is private to them; if they ask for email delivery, remind them that email is not secure, and there is a small risk their information may be discovered by other people. Then document their agreement to use the method of communication. This will give you some level of protection if someone ever comes back to complain that their private information was compromised because of the method you used to send a prescription or receipt. You will have warned them of the lack of security with email or the use of a non-private fax machine.

  80. We are a hospice agency and have contracts with Skilled Nursing Facilities (some are 30 miles away). Is it OK if we email the patient’s home health aide/nursing schedule and care plans to 2 identified individuals at the SNF so that this information is more readily available and in their charts in a more timely manner? We are looking at the Director of Nursing and the MDS coordinator as the 2 recipients of the email. Thank you.

    • As we have pointed out many times, using unencrypted email to send PHI is taking a chance that the information will be disclosed to unintended recipients, just due to the nature of email. You can overcome this in at least two ways:
      1) Implement a secure email application that encrypts the contents of emails that you want to send with PHI in the email or attached to the email.
      2) Use an application to encrypt the attachments. There are free versions of these applications (like EncryptOnClick from 2brightsparks), but they require both parties to have a copy of the application and both to know what the password (the encryption key) is for the encrypted files. You can overcome this by adopting a standard password for each SNF that you send PHI to, and making sure the recipients of the emails in the SNFs know the password. If you use this approach, do not send the password in the same email that contains the attachment!

  81. Is the patient’s signed consent to release information form itself PHI? I would think it is, being part of the medical file.

    • Not every form in a medical record may be considered or contain PHI. We typically take a very conservative approach and advise that even the information that a person is being identified as a patient of a covered entity (physician, hospital, etc.) may be PHI. A Release of information form that identifies the medical organization releasing information and the medical organization receiving information may be PHI to some patients, e.g., an emancipated minor asking for release of medical records information from a Planned Parenthood clinic to an obstetrician’s office may be extremely sensitive to disclosure of even limited information about such records.

  82. Regarding email and HIPAA.

    If you use pop3 or imap with encryption does that qualify. Or do you need additional measures?

    • It is not clear what encryption you are referring to. pop3 and imap are server settings for email accounts, but do not in and of themselves encrypt anything.

  83. I am a private citizen who just received a fax on my home computer of a child’s immunization records. The only identifying information the fax had on it is the child’s name and birthdate.

    Our phone number has no similarity to the intended fax recipient’s phone number! So this is in no way a typographical error.

    The Fax was generated by a major Children’s Hospital system.

    My concern is that perhaps their system have been hacked or there is gross negligence in their Medical Records department.

    I’m seriously concerned about the HIPAA violation and the possible threat to the security of other patients’ records.

    What course of action would you advise if this Hospital System were your client? Who would I contact in that organization to make them aware of the breach?

    • You should contact the Privacy Officer of the Children’s Hospital to report the receipt of a fax with the records you mention. Unfortunately, misdirected faxes are among the most frequent causes of unauthorized disclosures of protected health information among hospitals and physician offices.

  84. Is it a HIPAA violation to send an email using a patient’s account # or claim #?

    • If you are using the account number or claim number as the identifier in the email, and the email includes PHI, this is probably not a HIPAA violation since these are not identifiers that would be publicly available.

  85. I work for a school district reconciling the insurance bills. Is it a violation to send the member’s name, SSN and monthly premium amount through internal email? What if the information is in a spreadsheet and I send it to myself at home to work on after hours?

    • Things like name, SSN and premium amount may not represent protected health information, but they are information that can be used for identity theft, and as such may be subject to state laws about unauthorized disclosure or the federal Red Flags Rule. It is advisable to only send such information via an encrypted email application. If you encrypt a spreadsheet file with encryption software, you can email it, but of course you have to know how to decrypt it at its destination. It is also not a good idea to leave unencrypted files with PHI or identifying information on home computers, since they get stolen, too!
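      The file-level encryption recommended here, and in the answers to questions 74 and 80 (encrypt the attachment before emailing it, with a password agreed out of band, never in the same email), can be implemented with nothing beyond a language's standard library. The Go program below is an added example for this page; it is not the site's own code and it is not the EncryptOnClick tool mentioned in question 80. The care plan text, file name and password in it are constructed stand-ins. It derives an AES-256 key from the shared password with PBKDF2-HMAC-SHA256 and a random salt, encrypts with AES-GCM so that any modification in transit is detected rather than silently producing garbage, and binds the file name to the ciphertext so an encrypted blob cannot be relabelled as a different file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Layout of an encrypted attachment: salt (16) || nonce (12) || AES-256-GCM ciphertext+tag.
const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32
	iterations = 100_000 // PBKDF2 work factor; raise it if the sender's CPU allows
)

// SampleCarePlan is a constructed stand-in for the attachment; it is not real patient data.
const SampleCarePlan = "Patient: J. Doe, DOB 01/02/1950\nAide visits: Mon/Wed/Fri 09:00\nCare plan: wound care, vitals each visit\n"

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018) using only the standard
// library, so both sender and recipient can run this file without extra packages.
func pbkdf2SHA256(password, salt []byte, iter, n int) []byte {
	out := make([]byte, 0, n)
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < n; block++ {
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)               // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)  // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// newAEAD turns the shared password plus a per-file salt into an AES-256-GCM cipher.
func newAEAD(password string, salt []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// EncryptAttachment encrypts plaintext under the shared password. The file name is
// bound as associated data, so the blob only decrypts when presented under that name.
func EncryptAttachment(password string, plaintext []byte, filename string) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(filename)), nil
}

// DecryptAttachment reverses EncryptAttachment. A wrong password, a wrong file name or a
// modified byte all fail the GCM tag check and return an error instead of bad plaintext.
func DecryptAttachment(password string, blob []byte, filename string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("attachment too short to be an encrypted file")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, []byte(filename))
	if err != nil {
		return nil, errors.New("wrong password, wrong file name, or attachment modified in transit")
	}
	return pt, nil
}

func main() {
	const password = "per-SNF shared password (agreed by phone, never sent in the email)"
	blob, err := EncryptAttachment(password, []byte(SampleCarePlan), "careplan.xlsx")
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted attachment: %d bytes (salt+nonce+ciphertext+tag)\n", len(blob))
	pt, err := DecryptAttachment(password, blob, "careplan.xlsx")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient with the shared password recovers:\n%s", pt)
	if _, err := DecryptAttachment("guess", blob, "careplan.xlsx"); err != nil {
		fmt.Println("recipient with a wrong password gets:", err)
	}
}
```

      Send only the encrypted output by email and convey the password by another channel (a phone call or in person), as the answer to question 80 warns. Because the salt and nonce are generated fresh for every file, reusing one password per SNF does not produce repeated ciphertexts, and the GCM tag means the recipient learns about a wrong password or a corrupted download immediately rather than after opening a damaged spreadsheet.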

  86. I am a therapist and I am currently getting a divorce. My husband hacked into my email account post-separation, and got ahold of one of my clients’ email correspondence with me. He has submitted these emails into “evidence” during our divorce trial because he is trying to argue I should have charged this client more money, because I saw this client pro bono for a short period of time (aka I could have brought more money into the marriage). Anyway, I am trying to explain to my lawyer that this is a HUGE HIPAA violation, because my husband is sharing privileged communication between client and therapist. Also, the law says any information obtained illegally is inadmissible. My lawyer is saying that even though I did not allow my husband access to my emails, and he hacked into my email account without my knowledge, it’s still “implied consent” because my husband and I shared a residence/access to the computer. HOW CAN THIS BE???? Can anyone who has legal knowledge point me in the direction of legal information/laws that clearly state how ILLEGAL it is for confidential client information to be shared without the client’s permission? Please help. This breach in confidentiality could ruin my entire career.

    • Here is a link to a pretty good explanation of the penalties for violating HIPAA. As it notes, there are both civil and criminal penalties. We can speculate on how this might be handled, but this is not legal advice.

      Your issue is whether you might be found responsible for the unauthorized access and disclosure by your husband. HIPAA applies to covered entities (that’s you), but not people like your husband. You need to be certain you had protections in place to prevent someone with access to your computer from getting into your email account without actually hacking it, e.g., having a separate password for the account that someone like a close relative could not easily guess. Of course, you should be using an encrypted email application for email correspondence with patients that may contain protected health information (PHI).

      This is not going to be an easy situation to resolve. Your lawyer may also ask that the emails with PHI be returned, even if you have to furnish redacted versions that do not identify the patient. You may also be facing notifying your patients of this breach. You may be best served by getting legal advice from an attorney familiar with HIPAA and unauthorized disclosures.

  87. I’m currently at a general hospital rotation and the question came up whether it’s a HIPAA violation when a company (say a hospital or pharmacy chain) sends out an email “hotline” about a drug seeker. The original question asked was “if Hotlines that pharmacies send out are HIPAA compliant, since they are not technically our patient. Can we be receiving info about patients that are having issues at other pharmacies?”

    • It is up to the organization disclosing information about patients to make sure they are reporting patients who appear to be “drug seekers”. There are hotlines both nationally and in specific states for reporting by physicians, pharmacists, etc. Here is a link to a document from Medicare on the topic.

  88. If a client sends an email about their mental health issues to one therapist but cc’s other third parties, and one of the third parties answers with the suggestion of possibly closing care due to the client exposing their medical care issues, is that a HIPAA violation on the part of the third party for closing the door on their care, even though the client shared all the information with all the parties?

    • First of all, HIPAA does not address any issues related to continuing or discontinuing care after a disclosure of PHI of any sort. Second, it would seem unlikely that the OCR would sustain a complaint of a breach if parties to whom the patient sent an email containing the patient’s medical information started commenting on it. Information disclosed by a patient does not meet the definition of PHI.

  89. John,

    We recently had an employed physician leave our practice. He formed another corporation and is opening his own practice. Subsequently he sent out a pan email to some of his patients (1000-1200) and some of our patients (150) unblinded. The email identified them as active patients in the original practice with his notice of new business and a pdf file on how to request records from our practice. We became aware of this through several of our patients’ notification and frustration over his email with their personal information being present and being identified as patients to a large group of other people. Is this a breach on his part?

    Further, it appears he obtained the patient list and emails from a prior vendor we had used to develop a website. The relationship was between us and the website/marketing company. Is this a breach, to have obtained the contact information through a vendor with whom he did not have a relationship?

    Thanks!

    Kim

    • An initial qualifier: we are not attorneys and cannot give legal advice. My comments below represent our understanding of the HIPAA regulations; you may need to consult an attorney if/when complaints are made to the Office of Civil Rights of HHS (see your Notice of Privacy Practices).

      We advise people to approach email conservatively, arguing that even the disclosure of a person being a patient at a certain type of physician specialty practice could be considered PHI. Your account of complaints from some patients validates that concern.

      From your description, it sounds like both the website/marketing company and your former employed physician may have made unauthorized disclosures of PHI, or at least confidential information like email addresses (which are considered confidential in some states). Hopefully you have a business associate agreement (BAA) with your website/marketing company that calls upon them to take action (at your direction) to report a breach. Even in the absence of a written BAA, the website/marketing company is your business associate, and they are required to comply with the breach notification provisions of HIPAA, at your direction. You may also have a contractual dispute with the website/marketing company if they disclosed information to your previously employed physician without your permission, or without the employed physician being a person in your organization with whom they were authorized to communicate.

      The magnitude of the disclosure here is also important since it exceeds the threshold of 500 persons where notification to media is required, as well as individual notification. You should conduct a risk assessment and consider the four factors:
      1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
      2. The unauthorized person who used the protected health information or to whom the disclosure was made;
      3. Whether the protected health information was actually acquired or viewed; and
      4. The extent to which the risk to the protected health information has been mitigated.

      One problem with this situation is that you have no control over further distribution of the information since it went via email to so many people.

      You cannot enforce HIPAA; most HIPAA complaints have to be filed with the Office of Civil Rights, which investigates and enforces the regulations. You may consider reporting an unauthorized disclosure to the OCR, but keep in mind if/when they get around to investigating it, they will also look at how your organization has protected PHI, if you have business associate agreements, etc., etc. You should consult with your cyber insurance carrier to understand your coverage for these types of situations. You may also have damages caused by your former employed physician.

      We are sorry you are dealing with such a situation. It is an object lesson on protecting PHI, even when you think everyone you are dealing with is trustworthy. Think about getting legal advice as you go forward.

  90. Good morning Jim,
    Thank you for such a fantastic site – very useful information. I have a question for you please… a company I know provides patient specific guides for joint implants in a PDF to surgeons. What would you say is the most appropriate way to give these PDFs to surgeons avoiding the obvious postman method? Would it be sufficient to password protect the PDF and email the PDF, or is it required/recommended that a HIPAA compliant web-portal be used for this kind of transmission?
    Thanks so much,
    Dominique

    • Encrypting a pdf file with at least 128-bit AES should be sufficient to protect it from unauthorized disclosure, even if the email goes astray. Be sure to send the password in a separate email in case it does go astray!

  91. Hello,
    I found some similar questions, but I wanted to ask about my situation specifically. I work for a social services agency, and using that Office 365 account, sent an email to an employee who works for the managing entity that distributes our incidental funds for clients, containing a Word attachment that a colleague wrote on behalf of her client in order to strengthen her case for the requested incidental. The managing entity is covered in the client’s consent and release of information. The email did not have any PHI, but the attachment stated the client’s first name and current housing situation. The managing entity employee sent me a reply that it was a HIPAA violation to send the attachment (stating she was not in the office, so I do not know where she viewed the email) without securing it in a zip file. Is she right? I received the attachment from my supervisor, so I didn’t think it was a violation when I sent it to the managing entity employee.
    Thanks

    • To be a HIPAA violation, there must be PHI that was subject to unauthorized disclosure. If an email was sent with information that is not PHI, there cannot be a HIPAA violation. And if PHI is going to be attached to an email, the file should be encrypted (not just zipped) or the email should be sent using a secure email application.

  92. Thank you Jim, this is great information. I have a question.
    An insurance agency that administers health plans emailed a scanned medical record as a PDF attachment to an employee’s HR department unencrypted. Would this be considered a HIPAA breach or violation?

    • As the blog pointed out, the Privacy Rule requires covered entities and business associates to apply reasonable safeguards when utilizing email to communicate PHI. These days, not encrypting a file containing PHI, especially a portion of a medical record, may be viewed by the Office of Civil Rights as a violation – not reasonably protecting the PHI. I don’t think most organizations would report this as a HIPAA breach under the theory that, absent any evidence to the contrary, there is no evidence that the PHI was disclosed in an unauthorized way, so the risk of unauthorized disclosure is low. Of course, how the OCR would view this practice if it were utilized routinely and there was evidence of an unauthorized disclosure could be very different. At best, it is sloppy; at worst it could become a reportable violation.

      The HR Department receiving the email should warn their business associate insurance agency against sending such emails unencrypted.

  93. Everyone is focused on the email containing PHI, but what about all of the pieces of mail that are sent out, going through dozens of people that COULD intercept PHI? How many times have you seen a news story about a postal worker dumping bins of mail into a dumpster, or how many times have you gotten mail that is not addressed to you, or been told that something was mailed out days or weeks ago but never shows up? How is this system any more secure than electronic delivery? Also, with electronic delivery there is much more traceability of a document than in the hands of a bunch of strangers at the USPS.

    • Of course, “snail mail” has its weaknesses. A couple of differences:
      1) When people get misdirected mail, they often do not open it, but instead forward it to the correct addressee.
      2) Information in the US mail is not easy to disseminate widely the way information received digitally can be. It’s not impossible, but it is harder.
      3) For better or worse, use of the US mail or even faxing information is considered more secure than email.

  94. Hi! We are a Nurse Registry with signed BAAs from all of the nurses who see patients for a pharmacy. The Pharmacy obtains HIPAA consent signatures from patients. On occasion, we need to email an updated document with PHI to the nurse assigned to a case (we also have a signed BAA). Most times the nurse is not on the same server as us. In updating our HIPAA policies, we recognize the need to do more.

    Would obtaining consent from the patient directly for our purposes and encrypting any PDF documents be enough to safeguard ourselves against a HIPAA violation, since some of those emails go to a personal email account? Or do I also need to consider the use of a secured email service?

    • We would strongly advise you to utilize a secure email application to send PHI to your nurses, or at least encrypt any pdf documents containing PHI that you email to them. While we recommend any healthcare organization that wants to communicate with its patients via email get consent to utilize that method of communication, you would be asking for consent to use email to communicate internally among you and your staff. Your patients may be comfortable when they initiate or receive email from you, but they may wonder about the information being exchanged when they are not in the loop. Even with a consent, people may decide they didn’t really understand what you were sending, especially if the email led to an unauthorized disclosure of their information. And what do you do if a patient does not give consent? It could be very challenging to vary your communication via email based on patient preference.

      There are free encryption programs that you and your nurses can download and utilize. You can make up a simple password for encryption and decryption of documents with each nurse. This gives you a strong basis for saying you were protecting the privacy of the PHI you are handling up to the requirements of HIPAA.
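The answers above (to questions 90, 91 and 94) all come down to the same step: encrypt the attachment itself before it goes into an email, and share the passphrase out of band. The script below is an added example, not code from the original post or from the consultants, and assumes the openssl command-line tool (1.1.1 or later, for -pbkdf2) is installed; it uses AES-256-CBC, which satisfies the "at least 128-bit AES" advice, derives the key from the passphrase with PBKDF2, and checks that the encrypted file no longer exposes the record.

```shell
#!/bin/sh
# Added example, not from the original post or the consultants' own tooling:
# password-protect an attachment with AES-256 before emailing it, then confirm
# the ciphertext leaks nothing. Assumes the openssl command-line tool,
# version 1.1.1 or later (needed for -pbkdf2), is installed.

# encrypt_attachment PLAIN_FILE ENCRYPTED_FILE PASSPHRASE
# The passphrase reaches openssl through an environment variable, so it does
# not show up in the process list the way a -pass pass:... argument would.
encrypt_attachment() {
  ATTACH_PASS="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:ATTACH_PASS
}

# decrypt_attachment ENCRYPTED_FILE PLAIN_FILE PASSPHRASE
decrypt_attachment() {
  ATTACH_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass env:ATTACH_PASS
}

# plaintext_hidden FILE MARKER: succeeds only if MARKER is absent from FILE,
# i.e. an intercepted copy would not reveal the record without the passphrase.
plaintext_hidden() {
  ! grep -q "$2" "$1"
}

# Constructed sample "record" standing in for the patient-specific PDF.
WORK=$(mktemp -d)
printf 'PATIENT: Jane Doe (constructed sample)\nImplant guide v1\n' > "$WORK/guide.pdf"

# One passphrase per recipient, shared out of band (separate message or a
# phone call), never in the same email as the attachment.
PASS='constructed-example-passphrase-7Qm'

encrypt_attachment "$WORK/guide.pdf" "$WORK/guide.pdf.enc" "$PASS"
decrypt_attachment "$WORK/guide.pdf.enc" "$WORK/guide.roundtrip.pdf" "$PASS"
```

Zipping without a passphrase gives none of this protection: the archive still contains the record in readable form, which is why the answers say "encrypted, not just zipped".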

  95. Good Morning,

    I am currently on medical leave from work. We have an HR outsourcing company, as well as an employee who handles a few things in office, who happens to be my sister. I sent an e-mail to the outsourcing office explaining I would like to deal with them only, as I don’t want my sister knowing all my business and because I see it as a conflict of interest. The outsourcing HR sent the e-mail to my sister; is this a violation of my rights?

    • Well, there is no specific law or regulation that we know of that forbids the outsourcing company from forwarding your email to your sister. It does make you wonder who thought it was a good idea to forward your email to the exact person you did not want informed about your affairs. We recommend you contact the outsourcing company – by phone – and confirm that they understand your request and can incorporate it into their process for making your information available to other parties when it is needed and authorized.

  96. Good Morning,

    Our doctor’s office works with a medical billing company that sometimes uses a password-encrypted email to send PHI. The content of the email automatically deletes after a short period of time. Unfortunately our office does not have the same encrypted email software, so these emails cannot be maintained on our server. I read that HIPAA frowns on emailing PHI between a doctor’s office and a billing company if both parties are unable to maintain the email on their respective servers. Is this accurate?

    • HIPAA (or the Office of Civil Rights of HHS, which investigates unauthorized disclosures) doesn’t do a lot of frowning, which implies nuance in interpreting the Privacy Rule. The main concern is to get covered entities and business associates to protect the privacy of PHI, whether it is maintained on paper records or digital records. The OCR takes the position that use of non-secure email may result in unauthorized disclosure of PHI, so covered entities and business associates should take that into account when transmitting PHI. For instance if PHI sent via non-secure email is somehow intercepted and disclosed to unauthorized parties, OCR would consider it a breach, and may take the position that the fine or penalty should reflect the organization’s lack of protecting PHI against known hazards. However, if PHI in an email is not retrievable from an email application due to settings in the application, then by definition there can be no breach. There is no specific HIPAA requirement to keep electronic copies of emails on one server or another.
