
HIPAA Compliant Email: some proactive strategies

Jim Hook, MPH

Part two of a two-part series on HIPAA and Email

In Part I of this post, we reviewed some of the statements that the Office of Civil Rights (OCR), the Privacy Rule enforcers, include in their on-line FAQs relevant to HIPAA and email rules.  And now that we’ve got a better understanding of those rules,  let’s explore how medical practices and other providers can ensure they’re using HIPAA compliant email.  After all, knowing the rules is one thing … but putting them into practice is what’s going to keep you and your healthcare organization out of trouble.


5 strategies for achieving HIPAA compliant email

Like so many other things with HIPAA compliance, there’s not one, singular answer that addresses the question of what constitutes HIPAA compliant email.  However, the options addressed below represent a collection of first-line strategies that go a long way toward addressing HIPAA email regulations.

  1. Be the expert on the topic of HIPAA compliant email on behalf of your patients.   This means making sure you have appropriate notices visible, both on-line and in the real world, warning patients about the potential security risks of transmitting protected health information (PHI) using email over the non-secure portion of the Internet.  For instance, many practices include a page for submitting questions to the office via email.  Consider posting a statement that warns about security prominently on that page, such as:
    • “Please keep in mind that communications via email over the internet are not secure.  Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by other parties besides the person to whom it is addressed.
    • Please do not include personal identifying information such as your birth date, or personal medical information in any emails you send to us.  No one can diagnose your condition from email or other written communications, and communication via our website cannot replace the relationship you have with a physician or another healthcare practitioner.”
  2. Document the patient’s consent to receive communication by email.  Don’t assume that because your patient sent an email requesting PHI or sharing PHI, that he or she understands the risks of sending or receiving such emails.  Consider using a form like this “Emergency Contact Sheet” to document the patient’s preferences in many areas.  If you’re using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices.
  3. Use an EHR system with a patient portal function.  If you’re using an EHR system with a patient portal function, encourage patients to use the portal’s capabilities for secure communications.  Most portals utilize secure channels for the information available via the portal, but make sure the vendor certifies that to you – and then test it yourself prior to encouraging patients to use it.
  4. Consider signing up for a secure, HIPAA compliant email application.  If you must use email to communicate with patients, a secure email application will protect your communications by using secure channels to send those emails.
  5. Manually encrypt transmitted files.  If you don’t have a patient portal and don’t want to use a secure, HIPAA compliant email application, avoid including PHI in the text of email, and encrypt any files containing PHI that you are sending to patients.
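Strategy 5 worked through in code, as an added example that is not from the original post: a statement file is encrypted with a passphrase before it is attached to ordinary email, and the script checks that the encrypted copy round-trips and no longer carries the patient's name in the clear. OpenSSL 1.1.1 or later on the PATH is assumed (the post names no tool); the file names, sample content and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt a file containing PHI
# before attaching it to unencrypted email. OpenSSL (assumed installed) with
# AES-256-CBC and a key derived from a passphrase by PBKDF2. File names and
# the sample content below are constructed for the demonstration.
set -e

# Encrypt $1 into $2. The passphrase is read from the PHI_PASSPHRASE
# environment variable so it never appears on a command line, where other
# users of the machine could read it from the process list.
encrypt_phi_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:PHI_PASSPHRASE
}

# Decrypt $1 into $2 with the same KDF settings (what the recipient runs).
decrypt_phi_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:PHI_PASSPHRASE
}

# Round-trip check on a constructed statement file. Returns 0 when the
# decrypted copy is byte-identical to the original, the ciphertext does not
# contain the patient's name in the clear, and a wrong passphrase does not
# recover the plaintext.
roundtrip_check() {
    work=$(mktemp -d)
    printf 'Patient: Jane Doe (constructed sample)\nStatement balance: 40.00\n' \
        > "$work/statement.txt"

    export PHI_PASSPHRASE='correct horse battery staple'
    encrypt_phi_file "$work/statement.txt" "$work/statement.txt.enc"
    decrypt_phi_file "$work/statement.txt.enc" "$work/statement.dec"

    status=0
    # 1. decrypted copy must match the original byte for byte
    cmp -s "$work/statement.txt" "$work/statement.dec" || status=1
    # 2. the attachment that travels by email must not show the name
    if grep -q 'Jane Doe' "$work/statement.txt.enc"; then status=1; fi
    # 3. a wrong passphrase must fail (bad padding) or yield garbage
    PHI_PASSPHRASE='wrong passphrase'
    if decrypt_phi_file "$work/statement.txt.enc" "$work/bad.dec" 2>/dev/null \
        && cmp -s "$work/statement.txt" "$work/bad.dec"; then
        status=1
    fi

    rm -rf "$work"
    return "$status"
}
```

The passphrase has to reach the patient by a separate channel (given in person at the visit or by phone), never in the same email as the attachment.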


Use HIPAA compliant email practices … sleep well at night

It is not far-fetched to think that one of these days, the OCR, while investigating a complaint from a patient about a privacy violation, determines that a provider was disclosing PHI when communicating via email with a patient; that every such email constituted an unauthorized disclosure – a breach; and that the same was true of every such email to every patient.  It might not take long to get to a breach involving more than 500 patients, with all the attendant notices to the media and reports to the Secretary of HHS that would entail.

Don’t be the practice or provider that finds itself in that unenviable position, simply because you didn’t pay enough attention to establishing HIPAA compliant email with your patients!

Email will be around for a while, in healthcare and so many other areas of our lives.  It’s a great tool, but, like any tool, it must be respected for its power – both for the communications we want and for its potential to disclose information we want kept private.

Using email in healthcare requires more effort and safeguards than in other areas, but it certainly is possible to mix the two.

85 Comments to “HIPAA Compliant Email: some proactive strategies”

  1. Hi – I want to start communicating with patients about appointments on email. Is using an online email such as yahoo or gmail considered HIPAA safe if all the necessary precautions and disclosures as you stated above are met? If so, is yahoo or gmail considered more secure than the other?

    • Communicating with patients about appointments can mean many things. Sending a notice about an upcoming appointment (a one-way communication) can be easy to accomplish, and any online system can be used – but you must have the patient’s consent (in writing, if at all possible!) to receive such email notifications. If the patient does not consent, don’t use email notifications involving non-secure email systems. In any case, keep the information to a minimum, e.g., just the date and time of the appointment, and name and location of the provider, when there are multiple office sites, etc.

      Two way communications are more problematic, with more potential for additional PHI to be discussed. Even with a signed consent, patients may decide after the fact that additional information that can come up in two-way communication, e.g., reason for the visit, signs and symptoms, etc., are more information than the patient wanted to disclose – especially if there is a breach of the email itself. You may be able to document the patient’s agreement to such disclosures, but the time and trouble of responding to an Office of Civil Rights inquiry or investigation can be burdensome enough.

      All email systems such as Yahoo or Gmail are equally insecure, and should not be considered “HIPAA Compliant”. Only systems that encrypt email to the proper level can be considered HIPAA Compliant. There are several options that are easy to find searching the web. They are not free, but they are cheaper than dealing with a breach!

    • Marie,

      Gmail and Yahoo are not HIPAA compliant. Even Microsoft Exchange is not there yet. I recently saw a medical practice that had the office Yahoo account attacked. All the email was deleted. All the contacts were mailed a “Nigerian Money Letter” using the Dr.’s credentials and name.

      Mark H.
      Microsoft Certified Professional
      Novell Certified Administrator

  2. Does anyone have any experience with email applications/servers that offer these services, such as MDofficemail?

    I am a solo practitioner in a rural setting and do not use this much, but I do use it and need to make it secure.

    Thanks for any input.

  3. In reference to initiating an email conversation with a patient (the patient provided an email address), is it ok to send a mass email out with a general message to prompt each individual to contact the office, as long as no personal patient information is included? The only information that may be taken away from the email is the actual email address (no patient name, or any other PHI attached)?

    • Kathy, whenever we see the phrase “mass email” in the context of a patient population, we get a little nervous. Has everyone who is on the list of addressees consented to receive email communications from your company? In general, we emphasize getting a documented “informed” consent to the use of email for communications from a healthcare provider.

      As you can see in the text of our blog on the subject:
      “Don’t assume that because your patient sent an email requesting PHI or sharing PHI, that he or she understands the risks of sending or receiving such emails. Consider using a form like this “Emergency Contact Sheet” to document the patient’s preferences in many areas. If you’re using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices.”

      While the PHI being disclosed in the type of email you describe is minimal – a person reading it could reasonably assume the person to whom it is addressed is receiving services at your clinic – you never know if this is a surprise to another person with access to the email account, e.g., a spouse who did not know about the services being rendered. And just because the only identifier is an email address, in some states, that is a protected piece of personal information. Asking patients to sign a consent gives them a chance to think about who sees these emails at their end, and protects you from accusations of unauthorized disclosure of PHI.

      To sum up, always have permission to use email to communicate with patients. It is a very important risk management strategy these days!

  4. Is the use of only a name in an unsecured/unencrypted email considered to be PHI if no specific discussion is taking place on medical/health issues? i.e. email discussion with coworkers at a health plan about premium payment or enrollment for a specific individual?

    • Andrew, an email conversation about such limited topics may not run afoul of HIPAA Privacy regulations, if it were intercepted or otherwise disclosed. Just watch out for “message creep”, where more info is disclosed that may run afoul of state laws, if not HIPAA.

  5. I’m VP of Operations of a Reputation Management Tool that helps businesses build online reviews. We’re considering moving into the health industry, and I am curious if our process would be in violation of HIPAA. To execute our system, a physician’s office would create a survey in our system and then either add our “Survey Link” to their email marketing/email client or import a patient email list into our system to send the surveys to their patients. Their patients would have the option to complete the short survey, or not, and opt in/out to allow the practice to share the review as desired to social media and their company website. The patient would also be prompted to share their review to vitals, healthgrades, etc. I assume adding our “Survey Link” to their email system would be the best for compliance, but are there any compliance issues with the patient list being imported into our system? Or, sending the list to their account manager for import/upload?

    • Eric, there are two considerations related to HIPAA regarding your proposed service: the privacy of Personal Health Information (PHI) and the regulations concerning marketing that apply to healthcare providers.

      With respect to the privacy of PHI, we take a conservative approach, specifically that even the minimum information that a person has visited or received services from a health care provider can be considered PHI. And in some states, even an email address is considered identifying information. We therefore strongly recommend the healthcare provider organization obtain written consent from the patient to use or communicate with the patient via email. And it is not enough to give patients an option to opt out after receiving an email communication from a medical provider. The damage may be done just by means of the first email, e.g., an email from a mental health provider that goes to an email account that other family members can access – and who did not know of visits to the mental health provider. And then there is the issue of sending lists of patients over the internet. Unless the email application in use is encrypted, or the file with patient information is encrypted, it is extremely risky to send files with PHI over the internet.

      The HIPAA Omnibus Final Rule of 2013 also contained some important clarifications and extensions on the use of PHI for marketing purposes. See our blog on the topic at While a healthcare provider sending its patients a survey about the experience the patient had at that provider may be permitted without specific patient consent to use PHI for marketing, a third party Business Associate sending such a survey (presumably being compensated for the service) definitely seems to fit into a category where patient consent to use PHI for marketing purposes is required.

      You may also find that many healthcare providers “know” about HIPAA and the restrictions, etc., but they do not really know about HIPAA and the digital environment that you and your clients will be operating in. We recommend vendors such as your organization become experts in the area, knowing for instance that files with PHI should not be sent unencrypted over the internet; that your clients need a Business Associate Agreement to share PHI with you; that healthcare providers should get written consent to communicating with their patients via email – when the HCP (or a third party acting on its behalf) is initiating the communication; that any Covered Entity or Business Associate creating, using or storing PHI electronically needs a HIPAA Risk Assessment – and showing them documentation of yours!

      There are many instances of breaches of PHI reported, most involving loss or theft of devices such as laptops. There have been a couple of fines levied due to potential breaches (firewalls left down, etc.). The point is, when there is a breach, or a complaint from a patient that their PHI was disclosed without their authorization, and an HHS Office of Civil Rights investigation starts, they never look at just one issue. They do a top to bottom review of policies, procedures and practices related to privacy and security of PHI and ePHI. That’s when missing components of safeguards come to light, and the fines start to add up! There is just no substitute for doing it right the first time!

  6. Most references to HIPAA (and HITECH) seem to be about hospitals, physician practices, medical insurance companies, and other truly medical professions. However, there are types of businesses that use PHI and are still considered covered entities, such as case management and other human services organizations. Employees of such organizations are often working in the community rather than in an office setting, and must frequently communicate with one another, with the clients directly, and with other providers. Email is often used because of its ease (smart phones), its immediacy, and the ability to communicate with more than one person at a time. Even an encrypted email system presents as a challenge because the receiver of the email must go through multiple steps to access the information (which is particularly difficult for those who are not as proficient on the computer). Certainly, encrypting the email is preferable, but if encryption is not used, is it acceptable to use initials of the person, along with a description of the issue (which is generally not a medical problem but a social/familial issue)? Also, what do the rules say about text messaging?

    • Unfortunately, there are no differences in the requirements for safeguarding PHI based on the setting in which you work, or the type of services provided. A breach that occurs because of a case manager or home care nurse who loses a laptop out in the community is no different than a breach that occurs because the lost or stolen laptop was used in a hospital or medical office setting. The Office of Civil Rights of HHS that investigates breaches will view the lack of use of encrypted email to send PHI because of perceived lack of proficiency on a computer as a training issue the organization should have addressed as part of its risk assessment. In other words, the device and the setting do not matter when it comes to safeguarding PHI. Organizations are expected to assess their risks, and take steps to mitigate those risks while still getting their respective jobs done.

      Use of non-encrypted email may be acceptable when the subject does not include PHI – information on the healthcare services a person is receiving, the diagnosis, the provider, etc., etc. Even social/family issues may require some contextual issue that is related to the items above, in order for the recipient to understand the issue. So why take a chance that an employee may disclose information that is PHI while trying to convey other information that is not PHI? And using initials or some other combination of identifiers may cause confusion when you inevitably have a situation where the identifiers (like initials) apply to more than one person.

      Texting is not considered a secure method of transmitting or storing texts containing PHI. Some carriers may store the text messages for a time, meaning they could be read by someone else. And not everyone protects their phone in the event of loss or theft, again leaving PHI potentially unprotected. In any case, it is highly recommended that you undertake a risk assessment to document your strengths and weaknesses – and then take action on the findings!

  7. My company is interested in doing some email marketing with patients. Do you have or do you know where I can get, a patient email release/consent form that complies with HIPAA? Can I use this same email consent form for employer/OCC Med marketing? We are interested in sending non-patient specific health tips of the month…flu season/shot reminders/workplace safety tips– nothing that could be construed as confidential but it will be coming from a medical office so it appears that HIPAA rules will be applicable in using email marketing communications.

    • Margaret, there is no particular “HIPAA compliant” consent form to patient email communication. Here is a line from the Patient Emergency Contact Information Sheet we recommend practices utilize to record patient communication preferences.
      “(Practice Name) may send me email messages such as appointment reminders at the following email address: . (Leave blank if you do not wish to be contacted via email.)”

      There are also new rules regarding marketing to patients that you should review prior to starting any kind of marketing to patients, via email or otherwise. Check out our recent blog on the topic at

  8. A hospital requested that I send them information via email related to procedure billing which includes information protected by HIPAA. Are there safeguard or obligations for covered entities related to inbound emails if they requested them?

    • There are no special rules for covered entities that share PHI using unencrypted email. It will be no defense if you are found to have caused a breach that “the hospital told us to do it”.

  9. Hi,
    I am a HIT student with an assignment to compose an email asking a physician to submit a new dictation for a patient surgery because the original was misplaced. It is my understanding that PHI can be included in an encrypted email. Am I correct in this, or should PHI be excluded even if encryption is used? Thank you for your help.

    • Terry, using an email application which uses at least 128-bit encryption is generally considered to be safeguarding any PHI contained in the email. So provided the encryption algorithm of the application meets that standard, you should be meeting the standard.

  10. I just started working for a nonprofit patient advocacy group as their Development Director. I want to improve their ongoing communication with their various support bases through the use of an email marketing service (i.e. Mail Chimp, Constant Contact, etc.). Some of the individuals in these support bases are patients with a specific genetic condition that the organization provides support services to, others are not.

    As I’m sure you are aware, to use such a service we would need to upload lists containing names and email addresses. This communication would never contain any PHI and would never identify any person as being someone who is receiving support services or is a general interest contact – it would always be general info such as agency accomplishments, updates on scientific research, upcoming events, etc.

    The organization has never done this type of outreach to their support audiences before, so no prior authorization for an email marketing service has been obtained. All emails would have the ability to opt-out by clicking a link within the email.

    What needs to be done on my end so we may include the patients we support/advocate for in our general communication efforts and still remain HIPAA compliant? I’ve read the other blog post you’ve referred to in this thread, but am unsure how a nonprofit advocacy organization fits into this mix.

    • Jennifer, you mention that your organization provides support services to some of the potential addressees of your email campaign, and since, per your website, you are offering genetic testing, you would be considered a health care provider for various HIPAA purposes. With that in mind, I recommend you review our blogs on communications involving marketing and fundraising communications. You definitely need authorization to communicate with patients on these types of topics.

      You might start with an email (at least to addressees who are patients) announcing your plan to begin publishing information (including the type of content) to your support bases via email, and give the addressees the option of continuing to receive such emails, or opting out of receiving them. Then you can send them to recipients who are on record as wanting to receive these communications. This may cut down on the number of people who want to receive these communications, but an opt-out only process does not really establish that you are authorized to send such emails to patients, which is the requirement.

  11. Jim,
    Can a medical office email photos of patients faces and or body part?
    Thank you.

    • You don’t specify the context or reason for sending emails with patient faces or body parts. Patient faces, in the context of an email from a medical provider, would probably be considered PHI since a picture of a face is certainly an identifying characteristic and just the fact someone is being seen in a physician office can be very sensitive in some situations, e.g., the pregnant teenager whose parents don’t know about the situation.

      Body parts may be less sensitive if there is no way to identify who they come from (watch out for tattoos or birthmarks, though), but there should be a good reason to email them using an unencrypted email application.

      I would keep in mind that when healthcare workers have electronically posted or emailed pictures of unusual patients seen in hospitals or emergency departments, they have been fired. And sanctions by the Office of Civil Rights in response to a complaint are not out of the question.

  12. I work for a hospital surgery department. We have a surgery scheduler that will send emails to specific employees and reps about certain procedures. Some of these emails are not through our hospital system, but gmail, hotmail, or aol accounts. If any, what information is okay to send to those people? Would it need to be something as simple as the Date, Surgeon and Procedure?

    • You can probably include a little more information if it were necessary, e.g., a special supply or piece of equipment needed for the procedure, in case it is not obvious from just identifying the procedure. But as soon as you include any identifying information about the patient, you are risking not protecting the patient’s privacy when some of the recipients of the email receive it over a non-secure network. Of course, if you use a secure email application, you can include more detail.

  13. I was reading through your blog on HIPAA and I was wondering if you had any insight on if another company can force you to use their technology to send secure emails. For example, our company has on their mail server a McAfee technology that reads all outgoing mail and determines if it needs to be encrypted. If it does it forces the recipient to have to go to a portal which is secured to be able to view and reply to the message. Another larger company we do business with says they don’t want to use the portal and says we must get an email account with them or we have to send it as normal email but force TLS encryption. We can and do force TLS to their servers but because our internal policy says ALL emails containing PHI must be sent using our secure portal we don’t feel we should have to change our policy just for them when we communicate to smaller providers every day without issue. Do you know if there are any HIPAA rules that state a provider cannot force another provider to use one technology over the other providing both technologies meet HIPAA requirements?

    • HIPAA does not contain any provisions about exchanging PHI from one provider to another, other than it is the responsibility of all providers to safeguard the privacy of patient information. In the situation you describe, it sounds like it comes down to a business decision on the part of your company to whether or not to do business with another organization that will not accept emails containing PHI if you send them via your portal system. Of course if the other organization is someone you must do business with, then you have to consider making an exception in your policy to utilize an alternate method, as long as it safeguards any PHI you are sending in emails over the internet.
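The “force TLS to their servers” arrangement the question describes, shown as an added Postfix configuration example that is not from the original thread (the thread does not say which mail server is in use, so Postfix and the partner domain are assumptions). The point to check is that the partner’s domain gets mandatory, certificate-verified TLS, while the default for everyone else stays opportunistic TLS, which silently falls back to cleartext when the other side does not offer encryption.

```text
# /etc/postfix/main.cf  (added example; Postfix and the domain are assumptions)
# Default for all destinations: opportunistic TLS. Encrypt when the remote
# server offers it, otherwise deliver in the clear.
smtp_tls_security_level = may
# Trusted CA bundle used to verify remote server certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Per-destination overrides are read from this lookup table
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
# "secure": TLS is mandatory AND the server certificate must chain to a trusted
# CA and match the destination name. If either fails, the mail is deferred and
# retried; it is never downgraded to cleartext.
# "encrypt" would require TLS but skip the certificate check, which leaves the
# connection open to an impostor server presenting any certificate.
partner-hospital.example    secure
```

Once in place, the mail log shows each delivery to that domain as “Verified TLS connection established to …”; “Anonymous” or “Untrusted” in that line, or a deferral, means the policy is not doing what was intended.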

  14. I have clients that need information sent to a third party such as an attorney, EAP or other medical/mental health practitioners. How does HIPAA apply to sending letters on progress via email to these people even when there are consents to release information on file and a client has signed a release on the letter itself? What identifiers are OK (full name, initials, DOB, SS#) and which ones are not for an email attachment without encryption or secure files?

    • Email sent over the internet cannot be considered a secure method of transmitting information in a fashion that protects a patient’s privacy. Unless the patient consents to transmission of letters detailing their progress, we strongly advise against such a practice. And even if patients consent, you should be prepared that if a letter were ever mis-directed and the contents disclosed, the patient may come back and say they didn’t realize that’s what was being sent.

      If you must use email to send these attachments, it is best to use a secure email application, of which there are many available.

  15. Curious about statements/superbills. I am using SimplePractice but need to send patients their statements/superbills with diagnosis & ICD codes. I want to be able to use SimplePractice’s 1-click e-mail button to send these, but their system is not HIPAA compliant. Would I be protected if I had clients sign a form allowing this prior to sending? It’s important to me to make sending these statements/superbills more convenient & streamlined but still want to be safe.

    • I am assuming you mean the email application is not HIPAA compliant.

      It is true that you cannot be assured of the security and privacy of information you send over unencrypted email. One solution is to look for an application that will encrypt your email as it comes out of SimplePractice on its way to the recipient. You should ask the vendor if/how to use a third party email encryption application for sending your statements.

      A second approach is to keep a record of which patients agree to get patient statements via email, and only send such statements to that group. While it is not an absolute “protection”, having informed consent (e.g., they are warned that use of unencrypted email to send their patient statements will take place) could be useful when someone complains to the Office of Civil Rights or even sues you.

      Good luck!

  16. We have several accounts at our practice that have balances on them. In another attempt to communicate with patients in a natural, non-harassing way, we would like to remind them of their balance when they request medical records. Records are requested through our website and a simple, non-identifying confirmation email is sent once the records are processed. Can we include the balance in the email or is that too much information? It would be simpler to send them a detailed statement to proactively answer questions, but if they have not consented to receiving that information via email would it be a HIPAA violation? Should we just inform them that their records have been processed and that there is a balance on their account?

    • We advise all providers to get consent from patients to use email to contact them for any reason, whether that is to remind them of appointments, of balances due or records requests fulfilled. HIPAA requires covered entities to safeguard the protected health information they create or maintain. That applies whether it exists in paper or electronic form. Not everyone would consider a simple message from a health care provider to be PHI – but some patients might, especially if even the fact that the patient is visiting a provider is not something they want disclosed via email or phone calls. While it is unlikely that an email from a provider to a patient would be intercepted and somehow disclosed publicly, it is not impossible if the provider is using an unencrypted email application. And you can’t determine if using email to communicate is a HIPAA violation until a patient files a complaint with the Office of Civil Rights and they start an investigation. Then your defense is that you had the patient’s consent or you used an encrypted email application.

      There are just no shortcuts or tiers of information that finally add up to a HIPAA violation. If you want to use email to communicate any of the information you are listing above, get permission to use email (and document that you got it). If a patient says no, then your recourse is to go back to regular mail or a private fax.

  17. If a patient requests electronic format is there anything saying I must comply? Please support with the appropriate location in the Privacy Act/HIPAA.

    • Section 164.524(c)(i) and (ii) of the HIPAA regulations cover responses to requests for access and the form of access requested.
      (i) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.
      (ii) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

      So it is pretty clear that you must provide access in an electronic format if it is readily producible in such form and format. If your records are on paper, you do not have to convert it to some electronic format and give it to the patient. If you maintain PHI in an electronic format and you are claiming it is not readily producible in that form, you should document why this is the case and make a hard copy version available.

  18. I keep having conversations regarding the use of a client’s full name in the subject line of e-mail. The e-mails are internal and although we have a firewall, the possibility of an e-mail being misdirected is always present. I am of the belief that if we use any naming convention it should be either the first name, as many of the health care providers’ offices do in the waiting room, or just initials. I have been looking into the regulations and may be misreading them, but I don’t see specific mention of using names in the subject line. If there is a specific regulation, could you cite it? Thank you for any assistance.

    • HIPAA regulations are not specific to the level of what can be in the subject line of an email. Providers have a duty to protect the privacy of PHI. If your email does not leave the server in your organization, it should be ok to use the name.

  19. I work for a company that handles the billing and collections for clients (typically pharmacies and physicians’ offices). As our office handles multiple clients, we are considered off-site and not in the same building as the clients. Therefore, email is the most convenient method for the pharmacy and/or physician’s office to transmit prescriptions, patient reports, patient demographics, etc. for the purpose of billings and collections. This information is obviously considered PHI.

    I want to ensure that our offices, as well as our clients’ offices, are being HIPAA compliant. We currently use gmail as our email server. Prior comments and postings above indicated that gmail is not secure. Can emails be encrypted with gmail? If our office is considered HIPAA compliant, but we are receiving materials from clients which are not HIPAA compliant regarding their transmission of data, could we still be penalized if there were to be a breach?

    • Google addressed the security of gmail in a company blog post from 2014. Essentially, it says if you and your email correspondents all send emails using Google’s gmail, your emails are encrypted. Google does not say specifically that this solution is HIPAA compliant, but it is reasonable to think that it is. However, email sent to, or received from, correspondents not using gmail would need a HIPAA compliance email security application if PHI is being emailed. The originator of an email with PHI has the duty to protect the privacy of the PHI they are transmitting this way. We always encourage providers to be knowledgeable about HIPAA compliance and help their fellow providers avoid the possibility of a breach of PHI. No one wins when there is negative publicity and your name comes up!

  20. Can coworkers communicating via interoffice email enter a patient’s name in the subject line of the email to one another?

    • You don’t mention what the email is about. To the extent it contains PHI, you need to be sure you are not impermissibly disclosing PHI about the patient. Is the interoffice email an internal system not subject to external interception, or do the emails get routed through any external servers? Is there a chance of confusion because of duplicate patient names? (That’s why unique numbers may be preferable.) Do the emails containing PHI go only to people who have a need to receive the PHI in the email? Are you confident such an email will not be circulated outside the organization?

      As you can see, there are no bright lines of do’s or don’ts in HIPAA and email. Instead, people using email containing PHI must think through the issues and make sure they are protecting the privacy of patients, even while using a convenient tool like email.

  21. Hello,

    As an IT person who occasionally needs to work with our (not medical related) company’s HR data, I recognize that HIPAA exists, and that anything I can see with administrative access should always be considered with the utmost confidentiality.

    I do not claim to know very much about HIPAA in general- I just know, do not pass on the slightest bit of information you obtain in your daily job, that can reveal any personal information at all.

    As a computer programmer who has much interest in email security, knowledge of viruses, trojans, bots, etc., I take my own personal email address very seriously. I realize that there are sophisticated virus payloads these days that can easily scan an infected client’s email system, and read both the body content of an email as well as common attachments.

    Tonight I received an email from my Doctor’s office that has me very concerned. Many would pass it off as, oh, look, my doctor is begging me to go in and pay for a flu shot. However, included as an attachment to the mass email that was sent was a Microsoft Excel spreadsheet containing all of the names and email addresses of my doctor’s group’s clients, over 2,000 in all.

    As I said earlier, I take who I give out one of my email addresses to very seriously: close friends (whom I’ve informed how to be safer on the net), billing companies, vendors I need to communicate with who are also in IT and know what is safe and what is not. I can’t even begin to explain how violated I feel that a medical office, who should be adhering to HIPAA regulations, would send out something like this. If I’d known they’d do this, I’d have given them one of my “junk mail” email addresses.

    I’m writing this comment because I’m wondering: are there any HIPAA regulations that specifically forbid this kind of action? Even ignoring my concerns about the email address, aren’t there HIPAA rules governing a medical group divulging, for no good reason, the names of all of their clients? I sometimes feel that medical professionals think they’re “above us common people”, and really don’t think through what they’re doing. I can’t even imagine their thought process when sending this information on, although I can imagine that perhaps they have some incompetent 3rd party vendor that handles these types of things, received the list, and just generated a mass-mailing based off of the spreadsheet without removing it. Whether it was the medical group themselves that botched this up, or they chose some cheap 3rd party that isn’t knowledgeable about personal privacy, this is an extremely dubious mishap. I’m not looking to sue these people, but honestly, I think giving some people a bit of a scare sometimes is what’s necessary for them to wake up and be more cognizant of protecting people’s privacy.

    Thanks for any information you can give me on this.

    • The HIPAA regulations are not that prescriptive. They require covered entities, like physicians, to protect the privacy of personal health information. The situation you describe is certainly in a grey area; some people on the list you received may consider just the fact that they are a patient at that office to be more information than they want in circulation. And some states have laws against disclosing the email addresses of persons you are doing business with. So while this was an egregious error, it is debatable if it is a HIPAA breach.

      Your physician’s office should be able to give you a copy of their Notice of Privacy Practices. It should contain the name of the Privacy Officer of the organization, who is the person you can address your concerns to – in writing, of course. It should also have information on who you can send a complaint to at the Office of Civil Rights, which investigates HIPAA breaches.

  22. I would like to send a handwritten thank you note to a referring doctor. The patient said it was OK and produced a snail mail address. How do HIPAA rules apply to this sort of communication?

    • It is very common to send communications from one provider to another, either just thanking them for the referral, or adding a brief description of what you did or recommended for the patient. These would fit within the portion of HIPAA allowing for communications for the purpose of healthcare operations.

  23. As far as HIPAA is concerned, is it permissible to use client/patient initials or just the first name in emails?

    • The use of email to send or exchange PHI is not covered by any specific Privacy regulations. The purpose of the HIPAA Privacy regulations is to require covered entities and business associates to protect the privacy of personal health information from unauthorized disclosure. This requires people to think through what they are doing in their own context. Because of the overall privacy protection requirement, the Office of Civil Rights, which investigates breaches or unauthorized disclosures, has been taking the position that using technologies or techniques that may expose PHI is a violation – even if there is no evidence the information was found or received by parties not authorized to receive it. Using unencrypted email to send or exchange PHI, without the patient’s consent, would likely be considered a breach, even if there were no evidence the email had been intercepted and shared in some fashion.

      All that said, if use of email is important to the sharing of patient PHI in your organization, the best advice is to use an encrypted email solution, of which there are many. The problem with using initials or first names to identify patients is that it has the potential to cause confusion about who the subject of the email actually is. If information in the email is used to make treatment decisions such as prescribing medication, people may be harmed – both the person who was erroneously prescribed a medication, and the person who should have received it, but didn’t.

      A long time ago, a malpractice attorney told a group of physicians: if you want to know how a jury will react to what you did, or failed to do, for a patient, describe the facts to your next door neighbor and see what they say. If they think you were wrong or negligent, that’s probably how a jury will react. Try describing how, to make it convenient, you sent information via unencrypted email using minimal identifying information, and there was a mix-up in a patient’s care. Your argument for convenience would sound pretty lame when someone was harmed – and you had other options that could have avoided the mix-up – or avoided an unauthorized disclosure of PHI.

  24. I received an email with our Adult Day Center client’s name. The email was not HIPAA compliant; what steps do I need to take to correct the situation?

    I printed the email, then it was shredded, then the email was deleted. What else do I need to do?

    Thank you

    • You don’t mention if the content of the email included PHI, or if it included content that you need for record-keeping purposes in your organization, or if it was sent by the patient or someone else. You may want to contact the sender and ask them not to send PHI to you via email unless they have consent from the patient to use that method of transmission. Otherwise you may have done as much as you can at this point.

  25. Thank you for this opportunity to ask a question. My concern surrounds a 501c(3) receiving PHI through email for enrollment purposes for medical expenditure assistance. Were the enrollee to submit the PHI for an application in an email to the 501c(3), does this expose the 501c(3) to HIPAA constraints? Once received, it would be in a secure environment and no further transmission (back and forth with the patient, for example) would be required. Additionally, a patient will oftentimes ask in a telephone conversation if this is acceptable and most times is dissuaded from doing so and requested to use a fax. Were they to be informed of the vulnerability of using email, that warning noted in the CRM used, and the patient still decides to continue, would that still present exposure under the HIPAA / OCR requirements? Many thanks.

    • It is not clear if your organization is a covered entity, or not. Covered entities include organizations like health plans, insurance companies, health care providers and healthcare clearinghouses. Your organization could be a business associate (or a sub-contractor business associate) of a covered entity, depending on who is providing the medical expenditure assistance. Status as a 501c(3) is not pertinent to this decision.

      That said, unless your organization can be determined to not have to comply with the HIPAA Privacy Rule or the HIPAA Security Rule (which applies to organizations maintaining PHI in an electronic environment), you should continue to discourage people from sending their applications containing PHI via non-secure email. Certainly documenting the warning in your CRM is worthwhile as a part of proving you were taking reasonable steps to protect the privacy of PHI.

      If you are determined to be covered by the HIPAA Security Rule, you should perform (or hire someone to perform) a risk assessment of your electronic systems maintaining PHI. You can get information about the HIPAA Security Rule and assessments on our website or at

  26. I have a question similar to one you answered earlier regarding images sent via email between my cell phone and hospital computer. The images (videos) do not include patient faces and I edit out any tattoos that are visible. Images are of specific joints that we are working on in therapy. The image is transmitted via my personal email account to the work computer to be included in a patient note following a treatment session. Once received on the work computer the image(s) are deleted from the cellphone. I will be giving a workshop on photography in the clinic in March and I would like to make sure I provide the correct information to attendees. Thanks for your comments.

    • There are a few issues here to consider:
      1) Have the patients given permission to be photographed? That is a necessary step prior to taking photographs or videos of patients. The hospital consent may cover photography, but even if it does, it would be prudent to explain why you are taking a video and what will be done with it. If consent for photography is not part of the hospital consent for treatment, you should definitely ask for the patient’s permission, and document their consent in the therapy note you complete when taking the video.
      2) While it sounds like you may be de-identifying the images to the point where they could not be associated with any individual, make sure you do not lose track of whose image goes into what medical record when you include them in a patient note.
      3) Since this is a personal cell phone, you might look for an app that allows you to encrypt the pictures while they are stored on your phone. If you were to lose the phone, it is much stronger to say the picture files were encrypted vs. just that the images are de-identified. By the way, does the hospital know you are using a personal cell phone for this purpose? They may want to issue you a phone (that is encrypted, etc.) for this purpose if it is a necessary part of your documentation.

      Good luck!

  27. (Apologies – first post was misleading)

    I have a question that a few colleagues and I have been discussing regarding the “setup” of an account via a patient portal (for example).

    One group believes that HIPAA permits a medical system to send an email that contains ALL the login credentials to access ePHI via some sort of portal.

    The other group believes it’s a HIPAA requirement to split the username login details into one email; and then send the password (and potentially the URL of the portal) to that account via a 2nd email.

    I’ve tried looking for online resources that corroborate one view or another, but just can’t find it. Any thoughts?

    • You will not find anything so detailed in the HIPAA regulations, so like many issues related to HIPAA, you have to reason out the answer. HIPAA requires covered entities to protect the privacy of information. Sending all the login credentials for patient portal access via non-secure email could result in the email being intercepted and the credentials used for an unauthorized access and disclosure of the patient’s PHI. A more secure way to transmit the credentials, if non-secure email is the only option available, is to send the login in one email and the password in another. While the likelihood of the email being intercepted and the portal access being compromised is low (perhaps vanishingly so), you do introduce a higher level of protection by sending two emails. If such an interception happened, you would be more likely to be found to have taken a reasonable precaution against unauthorized disclosure if the OCR ever gets a complaint and starts an investigation.

      Good luck!

  28. Hi Jim-
    If we are sending emails within our office, what are the key components that deem it necessary to use a secured email application? For example: would the name J. Smith (made up) alone require this, or would it be the full name with more information?
    Thank you for your help

    • PHI is any information in a designated record set, including things like diagnosis and treatment, and which is associated with one or more of 18 identifiers, including the patient name. So, you should define a designated record set for your office, which includes the things you routinely disclose in the course of your activities (treatment, billing, referrals, etc.). Then you should avoid putting those things, with an identifier for the patient, in email that goes outside your office during transmission or reception – unless you use an encrypted email application.

  29. How should a doctor respond to a new patient if they contacted the doctor via email about general office procedures such as what to expect during a visit, how long a visit is, how early to arrive to do paperwork, etc., and the doctor does not have an encrypted email to respond? Is it considered a HIPAA violation to answer similar questions through a non-encrypted email? Will notifying the patient that the email is not secure/encrypted be the first step to take when responding to the patient and then answering their questions?

    • First, you should clarify if the patient has already been to the office for services. A person is not a “new” or any other kind of patient until the prospective patient and the physician establish a physician/patient relationship. That can happen during the first visit to the office or when the physician initially sees the patient in the hospital. For someone who is not yet a patient, you can certainly explain office procedures as you mention in your question. We always recommend you establish acceptable methods of communication with patients during their first visit, including things like messages on answering machines and use of email. We recommend physicians tell patients unencrypted email is not secure; they should think carefully about sending emails with PHI to the physician, and that the physician will not send emails (or texts!) containing PHI without the patient’s consent to utilize that method of communication. You cannot prevent a patient from sending PHI in an email, but you can control how you respond!

  30. I am a patient who has requested that my bills be sent via email as an attachment, as I am having trouble faxing my paper bills and getting confirmation that my insurance company has received them. My insurance carrier mentions they have an email service which automatically informs customers that they have been received and processed. However, my counselor is not sure whether this information can be sent to me without it being encrypted. He mentions he does not have a way to encrypt. I am willing to take the risk, as the alternative is to send it via fax without any confirmation that it has been received. My question is: is it sufficient that I give him permission to do this, or is he still liable in some way?

    • We advise providers to document a patient’s informed consent to send unencrypted emails with PHI to the patient or anyone else. While that should be sufficient in case the information in the email was ever disclosed to or by an unauthorized party, no one can be absolutely sure what the Office of Civil Rights would do if it got a complaint about use of unencrypted email even where the patient had consented to its use. Of course, most of the complaints about such a situation would probably come from the patient, and it would be pretty inconsistent of you to complain that your counselor did not protect the privacy of your protected health information by sending it via email when that is what you requested. It seems the risk to the provider is pretty small in the circumstances you describe, as long as he or she gets your consent.

      By the way, informed consent means that you are aware of the risks of using unencrypted email, such as that it cannot be considered private, and is subject to interception and further disclosure by an unauthorized party (even if this is highly unlikely).

  31. If I am emailing back and forth with a business associate, can we include the patient’s first name and last initial and reference dates of service and be considered HIPAA compliant? I am asking my business associate to use a secure system and she is arguing that she is not being non-compliant in regular gmail only using first name and last initial.
    Please advise.

    • The problem with using initials or one initial and last name is that you may eventually find a duplicate patient who also had the same date of service. Of course, a secure email application is the best alternative, and you can initiate an email using a secure email application, and the business associate can respond securely, too. While emails going from one gmail address to another are going via a secure channel, at least right now, according to Google, you are relying on the integrity of that system never being compromised. If there is a failure, it won’t be Google that is held accountable!

  32. Good evening, is Apple email HIPAA compliant for appointments with the patient’s written, signed agreement in registration forms?

    • We cannot speak to the security of Apple email specifically, so you will have to contact Apple regarding that question. You don’t specify what a patient agrees to on the registration form, but it should be clear that the patient agrees to accept email correspondence with appointment information in it. And keep the information that is transmitted that way to a minimum, as authorized by the patient.

  33. We would like to continue to send thank you referral letters to patients that have referred new patients. Can we do this using the patient’s first name and last-name initial?

    • If we are taking a very conservative approach, you want to be very careful disclosing the fact that someone has or may become your patient. While a great many people might not think going to the dentist is a very confidential matter, you just never know. If you make contact with the prospective patient, you could ask for their permission to send a letter to the person whom they referred, mentioning the prospective person’s name. If they agree, then you are fine. If not, then don’t mention the prospective patient’s name, just thank them for the referral.

  34. What if a covered entity emails a reminder to a patient (with the patient’s written consent)? The reminder asks questions about allergies or changes in the patient’s medical conditions. The patient’s response would include PHI. Would the covered entity have to send the outgoing email securely?

    • If the covered entity has received informed consent to send and receive PHI via “regular” (unsecured) email, then encryption or use of a secure email is not necessary. Informed consent would include warning patients that use of regular email does not guarantee confidentiality, and offering other methods of communication (e.g., secure email or a patient portal as part of an EHR system, or even snail mail).

  35. I received a “mass” email from my doctor’s office in which the sender did not bcc the recipients’ email addresses. 270 patients’ email addresses were disclosed just in the email I received. That was just the first batch of the alphabet. Which in essence is 270 user names disclosed that patients use to log in to the patient portal. As well, my privacy has been violated along with the other 269 people. Not to mention there were email addresses that are recognizable since they are actual names of patients used in their email addresses. I was and still am livid. What are your thoughts?

    • I recommend you contact the doctor’s office and protest the use of the mass email technique to the Privacy Officer of the practice. You don’t say what the content of the email was, but, as you note, just the disclosure to others that you are a patient of this office feels like a violation of your privacy. If you are not satisfied with the response you get from the doctor’s office, ask them for the contact information for the Office of Civil Rights (OCR) of the Department of Health and Human Services. It should be in the Notice of Privacy Practices they give you. The OCR is the government agency that enforces the HIPAA laws and regulations.
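
The exposure described in comment 35 (every patient address visible in To:) and the attachment case in comment 21, shown as an added example in Python’s standard `email` library; this is not code from the original post or its author. It builds a notice with the patient list in Bcc only and audits an outgoing message for a visible recipient list or an attached file. All addresses, the filename, and the 270-entry list are constructed sample values.

```python
"""Added example: keep a mass mailing from disclosing who the patients are.
Every address and filename here is a constructed sample value."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterable

# Constructed sample list; comment 35 described 270 addresses in one batch.
PATIENT_LIST = [f"patient{i}@example.com" for i in range(1, 271)]


def build_notice(sender: str, recipients: Iterable[str], body: str) -> EmailMessage:
    """Safe form: patient addresses go in Bcc only. The visible To: header
    names the office mailbox, so no recipient learns who else is a patient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # office or no-reply mailbox, never the patient list
    msg["Subject"] = "Flu shot clinic dates"
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_leaky_notice(sender: str, recipients: Iterable[str], body: str) -> EmailMessage:
    """The failure mode from the thread, constructed for the audit below:
    the whole list in To:, plus a spreadsheet of patients attached."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Flu shot clinic dates"
    msg.set_content(body)
    # Constructed placeholder bytes standing in for the spreadsheet.
    msg.add_attachment(b"name,email\n", maintype="application",
                       subtype="vnd.ms-excel", filename="patient_list.xlsx")
    return msg


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Every address a recipient would see in the delivered headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def audit_outgoing(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Flag an outgoing message that would disclose a patient list:
    more than `max_visible` addresses in To/Cc, or any attachment at all
    (bulk patient notices have no business carrying files)."""
    findings: list[str] = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        findings.append(f"{len(visible)} recipient addresses visible in To/Cc")
    for part in msg.iter_attachments():
        findings.append(f"attachment present: {part.get_filename()}")
    return findings


def strip_bcc_for_delivery(msg: EmailMessage) -> list[str]:
    """Return the Bcc addresses as the envelope recipient list and remove the
    header, so a hand-rolled SMTP path cannot leak it. (smtplib's send_message
    does this itself; sendmail() with a raw message does not.)"""
    bcc = [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    del msg["Bcc"]
    return bcc


if __name__ == "__main__":
    office = "office@example.com"
    good = build_notice(office, PATIENT_LIST, "Flu shot clinic next week.")
    bad = build_leaky_notice(office, PATIENT_LIST, "Flu shot clinic next week.")
    print("safe notice findings:", audit_outgoing(good))   # []
    print("leaky notice findings:", audit_outgoing(bad))
    print("envelope recipients:", len(strip_bcc_for_delivery(good)))  # 270
```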

  36. My ex-boss is a radiologist and we email reports to the imaging centers and/or doctors via gmail. From what I’ve read, it doesn’t seem like that is an acceptable HIPAA practice?

    • If both the sender and the recipient are both using gmail addresses, Google claims the transmission goes via an encrypted channel. If some of the recipients have non-gmail addresses, then you should not send reports (which would be considered PHI) to those addresses unless you encrypt the report or use a secure email application.

  37. My company supports doctors’ offices, which often requires that we send/receive emails containing phi. Recently we changed over to an MS Office 365 Enterprise license so we can send hipaa secured emails. We add the word “Secure” in the subject line, which then requires the receiver to log in to read the email. We’ve noticed this has created very negative responses from our clients. They think it’s a giant pain in the neck to have to log in to read every single email (which I agree with). We’re at the point that we can no longer get many people to answer our requests for phi. Even worse, we believe some doctors may fire us and hire another company because of this. I am searching for an easier way that still ensures we are in compliance. If you have any advice, I’m all ears. Thanks

    • Secure emails are a pain in the neck until you have an unauthorized disclosure of phi via an email that should have been sent via a secure application. That said, maybe there are ways you can request phi without identifying the patient by name in your request email, and then giving the doctor offices a way to furnish it via a secure method. These could include setting up an FTP site where files can be uploaded, or encrypting files with free encryption software that you and the doctor’s offices can both download and use. There are also services like Box and Dropbox that utilize encrypted channels, but we recommend any files with phi be encrypted before they are put in Dropbox for sharing or retrieval.

      Keep fighting the good fight. The hassle factor of securing information pales in comparison to the hassle of dealing with unauthorized disclosures.

  38. I recently had a doctor send medical records to my email. The attachments were easy to open, just a click, no password required. I found out his site is through and his mail through Does this sound HIPAA compliant?

    • Normally, we advise providers to send medical records containing PHI utilizing a secure email application, or encrypting the attachment containing the medical records – unless they have specific consent from the patient to send phi via email. You don’t mention if you asked the doctor to send your information via a secure email application or to encrypt the materials prior to emailing, so the doctor may have assumed it was not necessary to utilize one of those methods to protect the contents to a higher level.

      Google maintains email messages sent from one Google email account to another are encrypted, but if you asked for your information to be sent from a gmail account (your doctor) to a yahoo account (you), then that protection likely would not apply.

      You could ask for the name of the Privacy Officer at the practice and express your concerns about the lack of encryption or use of a secure email application to send your medical records, but at this point it would be unlikely that the doctor would face any sanctions for not protecting the privacy of your PHI since you requested the use of email to get them to you.

  39. I work for a health insurance agency. As we process paper enrollments, we email the agent to let them know that the application has been processed. What information can we give in the email to remain HIPAA compliant? The agents are asking for carrier, client’s name and effective date of the policy. I feel like this much information would be a violation.

    • The information you describe seems pretty limited, and does not contain protected health information. A name is really not enough to establish someone’s identity. Maybe the agents can get by with just the name and effective date.

  40. I consented to have my doctor send my invoices to me via email (verbally, I didn’t sign anything). These invoices are PDF files that contain my name, address, and procedure codes. I did not realize that his office assistant would do so using her personal AOL account, but this is what’s occurring.

    I have advised him that this is a terrible practice. If his assistant quits tomorrow, she has all his patients’ data, including invoices, claim forms, etc. She could get hacked, phished, and so on.

    He won’t take me seriously. Theirs is a very small practice, and he’s an older guy. Am I right to be concerned?

    • Yes, you are right to be concerned. Both of the potential issues you cite are very possible. Given how this works in your doctor’s office, you should rescind your consent to receive invoices this way, in writing, and ask the office assistant to delete any emails she has sent you previously. The physician is definitely at risk, and could easily be judged by the Office of Civil Rights to not be protecting PHI adequately, even if there were no evidence of an actual breach.
