HIPAA and Email: there are rules


Part one of a two-part series on HIPAA and email.

Email has been widely used by businesses and the general public for most of the last thirty years, and reliance on it has found its way into the daily lives of millions. In fact, email has been around so long that its use has become passé for some people, whether because of a quest for newer methods of communication or because email has become as odious as unwanted mail from the post office. In any case, it is not going away anytime soon, especially for communications between individuals and health care providers. Many providers use email to communicate with patients, and protected health information (PHI) may be exchanged in the process. Those providers should consider the HIPAA compliance requirements that protect PHI from unauthorized disclosure.

Is Unsecured email HIPAA Compliant?

It bears repeating that the Internet, and things like an email sent over it, are not secure. Ordinary email is not encrypted end to end: encryption between mail servers is opportunistic, and the message sits readable in the mailbox (and any backups) at both ends. Although it is unlikely, information included in an email can be intercepted and read by parties other than the person to whom it is addressed. What is increasingly common is more mundane: a patient’s email address has been entered into a record with errors, so the message never reaches the patient but does reach whoever actually has the mistyped address. This means the first rule of avoiding unauthorized disclosure of PHI is to get the email address right.


HIPAA and email can coexist … it’s a matter of understanding the rules

What do the Privacy and Security Rules allow, or prohibit, when it comes to HIPAA and email? Many people are looking for specifics on HIPAA-compliant email, and the topic is discussed in the HHS HIPAA FAQ pages. But, as with much of HIPAA, the regulations do not hand covered entities a checklist: they start from the premise that PHI must be protected and expect the entity to reason about how it is protecting PHI in its own setting.

Many HIPAA standards call for reasonable safeguards, reasonable approaches, reasonable policies, and so on. But what is considered reasonable? The Office for Civil Rights (OCR) of the Department of Health and Human Services, which enforces the rules, includes several relevant statements on its HIPAA FAQ page. Notably:

“The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.”
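The FAQ’s “email alert to the patient for address confirmation” is easy to describe and easy to get wrong. The program below is an added example written for this page; it is not part of the original post or of any OCR guidance. It shows one way to implement that step: the address typed at intake is syntax-checked and normalised, a one-time code is emailed to it, and PHI may be released to the address only after the patient returns the code, which proves a person at that mailbox received the alert. The AddressBook type, the 48-hour validity window, the placeholder serverKey and the in-memory maps are all assumptions made for illustration; a real deployment would persist the records on the patient chart and keep the key in a secret store. Sending the alert email itself is left to whatever mail system the practice already uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/mail"
	"strings"
	"time"
)

// Assumed flow for this example (not OCR guidance): the address typed at intake is
// checked and normalised, an alert email carrying a one-time code goes to it, and PHI
// may be sent only after the patient returns that code from the mailbox.

const codeTTL = 48 * time.Hour // validity of an unreturned code (assumed)
var serverKey = []byte("placeholder-key-replace-from-secret-store") // load from a secret store in practice

type pendingCode struct {
	mac     []byte // HMAC of (address, code): a leaked table does not leak usable codes
	expires time.Time
}

// AddressBook records which patient addresses have completed confirmation.
// It is in-memory here; a real system would persist this on the patient record.
type AddressBook struct {
	now       func() time.Time // injectable clock so expiry can be tested
	pending   map[string]pendingCode
	confirmed map[string]bool
}

func NewAddressBook() *AddressBook {
	return &AddressBook{now: time.Now, pending: map[string]pendingCode{}, confirmed: map[string]bool{}}
}

// NormalizeAddress rejects syntactically invalid input and lower-cases the rest, so
// "  Pat@Example.COM " and "pat@example.com" name the same mailbox. Lower-casing the
// local part is an assumption; RFC 5321 allows case-sensitive mailboxes.
func NormalizeAddress(raw string) (string, error) {
	addr, err := mail.ParseAddress(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("invalid email address %q: %w", raw, err)
	}
	return strings.ToLower(addr.Address), nil
}

func codeMAC(addr, code string) []byte {
	m := hmac.New(sha256.New, serverKey)
	m.Write([]byte(addr + "\x00" + code))
	return m.Sum(nil)
}

// IssueCode stores a fresh code for the address and returns it for the alert email,
// which must itself contain no PHI. Re-issuing revokes any earlier confirmation.
func (b *AddressBook) IssueCode(raw string) (addr, code string, err error) {
	if addr, err = NormalizeAddress(raw); err != nil {
		return "", "", err
	}
	buf := make([]byte, 6)
	if _, err = rand.Read(buf); err != nil {
		return "", "", err
	}
	code = hex.EncodeToString(buf) // 12 hex characters, 48 bits of entropy
	b.pending[addr] = pendingCode{mac: codeMAC(addr, code), expires: b.now().Add(codeTTL)}
	delete(b.confirmed, addr)
	return addr, code, nil
}

// Confirm checks a code the patient sent back; codes are single-use and expire.
func (b *AddressBook) Confirm(raw, code string) error {
	addr, err := NormalizeAddress(raw)
	if err != nil {
		return err
	}
	p, ok := b.pending[addr]
	if !ok || b.now().After(p.expires) {
		delete(b.pending, addr)
		return errors.New("no valid confirmation pending; issue a new code")
	}
	if !hmac.Equal(p.mac, codeMAC(addr, strings.TrimSpace(code))) {
		return errors.New("confirmation code does not match")
	}
	delete(b.pending, addr) // single use
	b.confirmed[addr] = true
	return nil
}

// MaySendPHI is the gate a sending routine calls before attaching anything.
func (b *AddressBook) MaySendPHI(raw string) bool {
	addr, err := NormalizeAddress(raw)
	return err == nil && b.confirmed[addr]
}

func main() {
	book := NewAddressBook()
	addr, code, _ := book.IssueCode(" Pat.Smith@Example.COM ")
	fmt.Printf("alert email to %s carries code %s; may send PHI: %v\n", addr, code, book.MaySendPHI(addr))
	fmt.Println("confirm:", book.Confirm(addr, code), "; may send PHI:", book.MaySendPHI(addr))
}
```

The point of the design is that the gate sits in code rather than in a front-desk habit: whatever routine attaches a record calls MaySendPHI first, and a mistyped address can never pass it because nobody at the wrong mailbox knows the code. Re-issuing a code after a patient changes their address deliberately clears the old confirmation.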

What if a patient initiates communications with a provider using email? The OCR says:

“Patients may initiate communications with a provider using email. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks and let the patient decide whether to continue email communications.”

Must providers agree to use email when a patient asks for it?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via email rather than on a postcard, if email is a reasonable alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an open electronic network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes protected health information (PHI);
  • Providers should be prepared to use email for certain communications if the patient requests it, but must ensure they are not exposing information the patient does not want shared; and
  • Providers must protect the integrity of information and guard information sent over open networks. For instance, medical records should be emailed only through a secure, HIPAA compliant email application, or, failing that, only after the patient has acknowledged that you will be sending the records by unsecured email.

So how should healthcare providers ensure they’re using HIPAA compliant email?

In Part I of this post, we reviewed some of the statements that the Office for Civil Rights (OCR), which enforces the Privacy and Security Rules, includes in its online FAQs relevant to HIPAA and email. Now that we have a better understanding of those rules, let’s explore how medical practices and other providers can ensure they are using HIPAA compliant email. Knowing the rules is one thing, but putting them into practice is what will keep you and your healthcare organization out of trouble. So, let’s look at some strategies to make sure that happens.

6 strategies for achieving HIPAA compliant email

Like so many other things in HIPAA compliance, there is no single answer to the question of what constitutes HIPAA compliant email. However, the options outlined below are first-line strategies that go a long way toward addressing HIPAA email compliance.

  1. Be the expert on the topic of HIPAA compliant email on behalf of your patients. This means making sure you have appropriate notices visible, both online and in the real world, warning patients about the security risks of transmitting protected health information (PHI) using non-secure email over the Internet. For instance, many practices include a page for submitting questions to the office via email. Consider posting a statement that warns about security prominently on that page, such as:
    • “Please keep in mind that communications via email over the Internet are not secure. Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by other parties besides the person to whom it is addressed.
    • Please do not include personal identifying information such as your birth date or personal medical information in any emails you send to us. No one can diagnose your condition from email or other written communications, and communication via our website cannot replace the relationship you have with a physician or another healthcare practitioner.”
  2. Document the patient’s consent to receive communication by email. Do not assume that because a patient sent an email requesting or sharing PHI, he or she understands the risks of sending or receiving such emails. Consider using a form like an “Emergency Contact Sheet” to document the patient’s communication preferences in several areas. If you are using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices at that address.
  3. Use an EHR system with a patient portal function. If you have one, encourage patients to use the portal for secure communications. Most portals deliver messages over an authenticated, TLS-protected session rather than by email, but make sure the vendor certifies that to you in writing, and then test it yourself (for example, confirm that the notification email the portal sends contains no PHI, only a prompt to log in) before encouraging patients to use it.
  4. Consider signing up for a secure, HIPAA compliant email application. If you must use email to communicate with patients, a secure email application encrypts the message body and attachments and typically delivers them through an authenticated web page rather than as plaintext in the patient’s inbox. Because the vendor handles PHI on your behalf, it should sign a Business Associate Agreement.
  5. Manually encrypt transmitted files. If you do not have a patient portal and do not want to use a secure email application, keep PHI out of the email text itself and encrypt any files containing PHI that you send to patients. Use a strong password, give it to the patient out of band (by telephone or in person, never in the same or a follow-up email), and keep a note of when and to whom the file was sent.
  6. Keep in mind that SMS text messaging (regular texting) is not secure messaging. Be sure to get the patient’s permission before sending text messages about appointments, test results, and the like, and keep the content minimal.

Use HIPAA compliant email practices … sleep well at night

It is not far-fetched to think that one of these days, the OCR, while investigating a patient’s complaint about a privacy violation, will determine that a provider was disclosing PHI when communicating with that patient by unsecured email without reasonable safeguards. And that every such email constituted an unauthorized disclosure, that is, a breach. And that every such email to any patient was a breach. It might not take long to get to a breach affecting more than 500 individuals, with the notice to prominent media outlets and the report to the Secretary of HHS that the Breach Notification Rule then requires.

Don’t be the practice or provider that finds itself in that unenviable position, simply because you didn’t pay enough attention to establishing HIPAA compliant email with your patients!

Email will be around for a while in healthcare and so many other areas of our lives. It’s a great tool, but like any tool, it must be respected for its power – both for communications we want and for the potential to disclose information we want to be kept private.

Using HIPAA compliant email in healthcare requires more effort and safeguards than in other areas, but it certainly is possible to mix the two.

Short answers to complicated HIPAA Compliance Questions

  1. Can HIPAA information (PHI) be emailed? Yes, but take care that the email address is correct and that the patient has agreed to receive emails containing PHI, even if you encrypt them.
  2. What is required for HIPAA compliant email? Documented patient consent is highly advisable. Encouraging patients to send messages through the patient portal in your EHR system is a good way to obtain secure communications. Using a secure email application is another way to ensure that the PHI in an email remains private.
  3. Is encryption of email required for HIPAA compliance? Not strictly: encryption is an addressable specification under the Security Rule’s transmission security standard, so you must assess the risk, implement encryption where reasonable and appropriate, and document your reasoning and any equivalent alternative if you do not. See #2 above for strategies that are highly advisable to protect PHI.
  4. What is a HIPAA compliant email application? HIPAA compliant email, or secure email, is usually a separate application from general email clients like Gmail, Outlook, or Apple Mail. A secure email application encrypts the text of an email plus any attachments. The recipient receives a notification by email and is directed to a website where they log in and retrieve the message and its attachments.

HIPAA and email continued …

So how should healthcare providers ensure they’re using HIPAA compliant email? That question is covered in Part II of this series, above.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.


358 thoughts on “HIPAA and Email: there are rules”

  1. So…In light of all this, I have a question regarding HIPAA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be first initial, last name. “B. Howard”. Is there a rule here?

    Thanks – great article!


    1. Ryan, the rules are the same old rules, whether email communications are directly between providers and patients or between providers and a vendor like an answering service: don’t put PHI into an unsecured email. An email to a provider of any kind with a patient’s name and the fact that they have an appointment could be considered a breach, even if the likelihood of the email being intercepted by someone who shouldn’t have it and the patient being identified, is vanishingly small. Using an abbreviated name of any kind has its own problems. What if you have more than one patient with the same first initial and last name? And adding another identifier like a birth date only makes it worse.

      There are several possible solutions as we outlined in the blog, like getting a patient’s consent to allow emails about appointments or using a HIPAA compliant email system. The answering service could simply draft emails but not send them, and instead, fax over copies of the unsent emails in the morning. Of course they would have to delete the drafts religiously so nothing is sent inadvertently. They could also just keep a typed list that they fax over.

      If there was ever a complaint alleging a breach of privacy, both the answering service and your organization could be in trouble: the answering service for committing the breach, and your organization for not enforcing the provisions of the Business Associate Agreement you should have in place with them.

      There has not been a major breach case involving email as yet, but there is almost certain to be one once a patient complains to the Office of Civil Rights that privacy was breached because emails with PHI were made public. Don’t be the test case for that occurrence!

      1. I have another question regarding this. Can a patient name or employee name be used in the subject line of interoffice emails?

        1. Employee names are not covered by HIPAA, unless the employee is also a patient and the email contains PHI about him or her. If your interoffice email is secure, like from one gmail account to another within the organization, you could put the patient’s name in the subject line, along with PHI about the patient. If it goes through a public email service, where it is transmitted via servers outside the organization, you should avoid putting patient information including names in such emails. The exception is gmail, which is supposed to be encrypted from one gmail account to another.

          1. I would note the following:

            I would recommend Last Name only, with no other PII/PHI provided in the Subject line. While there are multiple same last names, the person receiving the email would need to read the email, regardless, since the Subject line is only a tip-off.

            When using email, regardless of provider, the subject line is viewable. I do not know what GOOGLE does/says about this, but it is normally the email body that is encrypted.

            As it relates to the use of encrypted email, Federal email encryption must meet NIST FIPS encryption standards. I do not believe GOOGLE meets this requirement for the Federal government.

    1. Naomi, we don’t recommend specific products. If you do a search for HIPAA Compliant Email, you will see products by several vendors. I recommend reviewing two or three to find one that meets your needs.

  2. I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
    It’s obvious this is an issue of control and I’m aware of HIPAA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?

    1. Marie, the rules on disclosure of PHI (personal health information) that apply to Covered Entities, like a therapist, are pretty clear: PHI cannot be disclosed to outside parties without the consent of the patient, or a person authorized to give consent for the patient. There are several exceptions, of course, like disclosures for healthcare operations such as billing and making referrals to other providers. From your description, it is not clear if your emails become part of the patient’s medical records, which would make them PHI. Any Covered Entity using email to communicate with patients should get written consent for using email, and, if possible, use an email application that is encrypted.

      Your situation also points up one of the disadvantages of using email to conduct discussions about private health information. It is very convenient, but you can never be sure it will not be compromised, just because of the nature of the internet, or because of the ease of sharing, whether authorized or not. In the end, it sounds like you need to discuss the issue with the therapist.

  3. Can a pediatric practice email or fax vaccine records to parent of patient without written consent?

    1. Laura, faxing is considered a secure method of sending records containing PHI (which would include vaccine records), but you should have the parent’s approval to fax them. You can record a note in the medical record that the parent requested the records be faxed, and that’s what you did, or you can ask the parents to complete a regular release of records form that includes faxing as the method of delivery.

      Sending these records by email (by which we mean regular, unsecured email) is more problematic. If you do not have a secure email application to use to send them, then you definitely should have consent in writing to use email to send the information. As part of that consent, you should warn the parents that email is not considered a secure method of transmission, and the records are subject to being found and accessed by someone else. The idea is to make it an informed consent.

  4. I just received an email from my ob/gyn about a health fair they are having. I can see the names of all recipients of the email. Is this a violation?

  5. I recently received email correspondence from a government body with a different person’s name and address. Is this still considered a violation of HIPAA?

    1. You don’t specify if the content of the email contained personal health information about another person. If it does, it could be a HIPAA violation. If it does not contain PHI, it would not be covered by HIPAA.

  6. Is it PHI under HIPAA if a patient’s name is included in an email regarding a) a check that was received by a practice or b) a bounced check paid to the practice by a patient?

    1. Barbara, this is something of a grey area. You don’t specify the exact email exchange, but if you sent an email to a patient regarding a bounced check, with no information about the services received, dates, etc., then it may not be considered a breach of privacy. To be safe (or at least safer), it is always best to obtain the patient’s consent before there is any correspondence via unsecured email. Or, make use of a HIPAA-compliant email application, of which there are several to choose from.

      If your patient complained to the Office of Civil Rights that his/her privacy was violated because of the use of email to correspond, even about payment, you are at the mercy of the OCR attorney assigned to investigate the complaint. They are going to assume a covered entity like a medical practice knew the rules and the guidance they have issued, even if patients didn’t object at the time.

  7. My employer plans to replace a patient portal product in the future. The patient portal allows the patient to send secure messages to their care provider as well as view lab results, renew prescriptions and schedule appointments. With the current patient portal, the patient’s email address is collected and stored as demographic data.

    When it comes time to bring the new patient portal on line, methods to inform current patient portal users are in discussion. One of the options suggested is to send a “blast email” to the patients who are actively using the current patient portal. Notifying by email those patients who gave their email address seems like a quick and efficient method to get the word out that the patient portal vendor is changing.

    The patient’s name would not be included in the email, but the patient’s email will be used. No other patients will see another patient’s email address and no other PHI except for the patient’s email address will be used.
    Under HIPAA guidelines, would this approach be acceptable?

    1. The answer depends on the terms and conditions that apply to patients who sign up to use the portal. Are there specific provisions that advise patients their email address is collected and may be used to contact them in the future? If not, when the Office of Civil Rights comes to investigate a complaint from someone, they may decide you did not employ reasonable safeguards when using email to communicate.

      The general advice from the FAQs page of the OCR regarding use of email (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html) advises providers to employ reasonable safeguards when using email for communications, and even sending a test email prior to sending an email with actual information to confirm you have the right email address. One of the issues that comes up with test emails or with the blast email notification regarding the portal, is that you have no idea who may be reading the email at the patient end, including family members who are sharing the email address and who didn’t know the patient was going to the provider! We always recommend documenting consent from the patient on the use of email during a visit, so there is no question about its use.

      What about posting the change on the current portal and even redirecting patients to the new portal location when they attempt to login after the change. That way patients get notified and redirected at exactly the time they are seeking to connect. And it leaves aside any questions about the use of email for this purpose.

  8. My employer is requiring me to Email my Healthy-You results to some third-party person. Joanna (somebody ) at some Email.com. I have no idea who this person is, and under duress of being charged $900 to pickup additional insurance costs, I am having to consider doing this. Not only do I have to submit this information my children covered under the plan also have to submit it. I have no idea what they are going to do with the information. This information will contain my name, and test results. I also have to access their website and fill out a questionnaire about my ‘lifestyle’.
    Is this legal?

    1. Charles, your question raises several other questions. First, we at The Fox Group do not consider ourselves arbiters of legal or illegal practices. That said, we would advise anyone who is asking for information containing PHI (which your test results probably are) to make sure they have a way for people to send them this information via a secure email system, or input it into a website with a secure portal. It is not a violation of the HIPAA Privacy Rules for an individual to use an unencrypted or non-secure method to send their personal information electronically. Interception of emails and attachment by third parties may be extremely unlikely, but it is not impossible. You may want to talk to your employer about your discomfort with sending material over an unsecured email channel, but your employer (assuming he or she is not a healthcare provider) is not covered by HIPAA regulations.

      As far as entering information in a website, if the url is “https”, then it is a secure channel and there is no HIPAA privacy or security issue.

  9. I am finding that, even after attending a HIPAA webinar, the e-mail rules are not the clearest. My specific question is, would it be okay to send e-mails using Microsoft Outlook/Outlook Web App, within our organization, including the first initial, last name, and DOS? For example, “Can you please fax the report from J. Doe’s 01/01/0001 visit to the insurance?” If not, what amount of information would be acceptable to send from one individual to another, within our organization, only?


    1. The thing about sending emails within your organization is that, unless they are going out within a closed network, they may still be traveling over the internet and be subject to interception. An email from an organization with an address that allows the unintended recipient to determine it is from a medical provider (and in your case, a specific type of provider), the name of the patient and the date of service, discloses that the patient had a medical service at that organization on a specific date. This may be minimal exposure of PHI, but it may be enough for the investigative authorities to decide it is a breach. Options you could use would include using the account number instead of a name, or even using encryption/decryption software to encrypt a document with the information you are trying to transmit. There are free programs available that could be used, and you can standardize the password so you do not have to worry about that aspect. The former is very simple; the latter more complicated but lends itself to more information being transmitted.

  10. We are testing our care portal. So to remind patients to access their portal for an upcoming appointment can we send an email from Microsoft Office 365 (HIPAA compliant) to the patient with a notice to check our care portal for “a secure announcement”. Also put the disclaimer and warning at the bottom that they should share only minimal ePHI and are encouraged to use the portal to send secure messages back to our office rather than replying to our careportal email back. What do you think?

    1. An email message to a patient encouraging them to visit your patient portal is probably innocuous enough to go out as a non-encrypted email. We strongly recommend you have documentation of consent to send any email to patients before sending even an email like the one you describe. You just never know who is reading the email at the other end, and sometimes even family members are visiting healthcare providers without telling each other. We would also recommend your disclaimer reminds patients that email is not a secure method of communicating with you, and that they should not include any personal health information in an email. Only communications sent through the portal are secure. There is some suggested language in the second part of the series on this topic at https://www.foxgrp.com/blog/hipaa-compliant-email/.

      I am not sure why you describe Microsoft Office 365 as “HIPAA Compliant”. You may have secure channel to your applications in the cloud, but that does not mean if you send an email from a cloud application that it is arriving at the destination via a secure channel.

  11. Is it a violation if you email a co-worker a patient refund request? It would include patient name and address and the dollar amount?

    1. Kathy, you don’t specify if the email you are using is an intra-network (contained in the business), or if it uses any external connectivity, servers, etc. It can be problematic to put too much information in an email that uses external connectivity, even when the information you are sending is limited. A name, address and a link to a specific practice, especially if it identifies the type of specialty, could be a violation if it were ever intercepted. You might consider using a patient’s account number to identify the patient, if that permits the person at the other end to identify the patient properly for the purpose of a refund.

      1. Thank you, it is external connectivity. If you email a patient name and/or an address but no clinic to identify the specialty, is that too considered a violation?
        On a different subject, what if a billing resource gave credential information via email? for example: a clients provider number, NPI, SSN and provider website access? Would that be a HIPAA violation?

  12. We are in the process of updating our policy regarding mailing medical records to authorized parties, i.e., insurance, auditors, etc. I’m having difficulty finding information on emailing an entire record (encrypted). Am not necessarily seeing anything prohibiting the use of encrypted email to send patient records. But I’m not really seeing anything addressing the complete record either. Thank you very much

    1. Elizabeth, there is no distinction between the rules for emailing PHI that represents a minimum amount of information vs. an entire patient medical record. If the text of the email has enough information to identify the patient and where he or she was treated, the email should be encrypted. If there is an attachment with PHI, we would recommend encrypting the attachment separately so in case the email wound up in an unprotected state, the attachment still could not be viewed without a separate password.

  13. In my pediatric practice we use a secure patient portal and we just started using constant contact to send newsletter type regular emails to our patients that contain no PHI. My Partner just received a “Happy Birthday” email from his car dealership on his Birthday. He would like to send “Happy Birthday” emails via Constant Contact to all our patients as their birthdays come up as a nice gesture and a subtle reminder to make an appointment for their yearly visit if they have not made one already. If these insecure emails go out with a first name and no other information (except an implied DOB from the date the email was sent) is it a HIPAA violation? The ePHI is first name, likely last name in the email and DOB. Also assume we have not asked for permission from the family to send this email. In summary, if the email gets into the wrong hands, is knowing someone’s DOB, name, and the fact that they are patients of our practice enough to make it a violation?

    1. Andy, the short answer is yes, you may be found to be violating a patient’s privacy by sending an email, even one with minimal information, if you are sending emails to patients without the consent of a parent or someone who can give consent. In some states, even an email address is considered personal identifying information that should not be used without consent. Would the emails go to the patient’s email account? Is the patient a minor? Given the sensitivity of electronic communications with children, it is even more important to have documented consent.

      The HIPAA Omnibus Final Rule of 2013 also contained some important clarifications and extensions on the use of PHI for marketing purposes. See our blog on the topic at https://www.foxgrp.com/blog/sale-of-phi/. While a healthcare provider sending its patients a reminder about a recommended service may be permitted without specific patient consent to use PHI for marketing, a third party Business Associate sending such a reminder (presumably being compensated for the service) definitely seems to fit into a category where patient consent to use PHI for marketing purposes is required. If reminder messages are part of the activities you plan on using a service like Constant Contact for, getting consent from parents to send such notices or other marketing materials should also be obtained.

      Electronic communications can definitely improve patient satisfaction and communication of important issues, but must be done with utmost caution, especially when minor children are involved.

  14. I just requested a billing company send me a full statement of services, not just the total bill. I asked that it be emailed. She refused, citing HIPAA. I said I would send an email authorizing this email and releasing them. I was told this is not allowed under HIPAA. This seems foolish. My bill, my services, my consent. What’s the problem? True or another “we can’t do anything because of HIPAA” excuse?


    1. A written authorization from you allowing the billing company to send you a full statement of services, that may contain PHI, via email, should be enough for the company to send you the information you have requested. You might try contacting the healthcare organization that the billing company is working for to see if they can help convince the billing company to send you the information, or have the billing company send them the statement and they can forward it to you.

  15. If a person accidentally emails a spreadsheet to a non-corporate mailing list containing information of a community clinic program (like a yoga class) associated with a hospital department, with names, addresses, phone numbers, age, a diagnosis (not codes – just words – spinal, CVA right side), and payment status (no other financial info)? The names could be former patients or community members involved in the program. There is no identifier stating they were or were not a patient of the hospital, just that they did or did not pay for participation in the clinic program. We consider them clients of the program, but they are not patients in the hospital when they opt to participate in the program/class.

    1. It sounds like you have a breach on your hands. As soon as you have diagnosis information, whether verbal description or ICD9 codes, plus other identifiers, like names, etc., you have PHI, and per your email, it has been potentially disclosed to persons who do not need it and should not have it. You should contact your organization’s Compliance Officer and let them know what has happened. Also, you should figure out everyone who received the spreadsheet and prepare to ask them to return it or delete it ASAP. Good luck!

  16. Hi. I am trying to firm up our email policy for the interim period before we are able to invest in an encrypted email system that will be internal to a new portal system for our organization. We need to be able to email a prescription medication name and some type of identifier for the patient in order to clarify a prescription order for that patient. We only communicate by email with providers – not patients.

    In your response to Crystal D in #10 above, you suggest using an account number instead of a patient name to communicate with patients in an unencrypted email setup. I would like for our policy (again, in the interim) to say that our organization will not use patient names OR initials together with information about their medications, but will only use the 16 digit random number generated and assigned by our portal. Using this number that could only connect to PHI by hacking or legitimately accessing our online portal would seem to eliminate the ability to associate PHI in a hacked email system with actual patient initials, which could theoretically be guessed.

    Given that, I am still confused as to how it would be okay to email a medical record number through an unencrypted system, if “Medical Record Numbers” is one of the identifiers listed in HIPAA for identifying PHI. Is that correct? While this may still be PHI, in my mind for the interim period, this is preferable to initials, as there is less chance that the email AND the HIPAA-compliant portal system could be compromised for a true breach.

    Any thoughts would be appreciated. Thanks!

    1. As you noted, in my reply to Crystal D., I mentioned using account numbers. The context was Crystal asking about emails being sent to other persons in her organization, who presumably have access to the account number in the email, and can then respond to the request intelligently. The communication was not with patients, at least as she described it.

      You are describing a situation where you want to communicate with other providers about clarifying prescriptions. I assume the other provider would be a pharmacy. You also mention you have or are about to have a portal for the organization.

      Most portal systems operate using https, or secure channels, when information goes over the internet via a portal. That usually addresses the issue of security of the info. Use of any number, even one generated by the portal application, has to be accessible to both parties for messages to be understood and acted upon properly.

      The best I can recommend is, if communication via email (plain vanilla email, going out via your computer or server) is required in the interim prior to the availability of a secure portal, you could add an identifier to the original prescription form, that could be referenced by the pharmacy when you have to send these clarifications. The identifier could certainly be a random number generated by your portal, as long as the pharmacy can relate the number to the patient in question. Of course, faxing a clarification is also a secure way to communicate with a pharmacy.

      I hope this helps!

    1. Gloria, you do not specify who is sending and receiving this information. A form being emailed with the information you describe, but where it is possible to infer the location (a hospital?) and then locate the hospital and identify the person, is a situation waiting for exploitation. It would be better to use a number of some kind that is difficult to readily associate with a patient, rather than a first name and room number. You have to think: how easy would it be for me to identify a person if I knew what hospital they are in, the first name and the room number? Not very hard, I think.

  17. Hello, My wife is participating in a clinical study. The lead investigator sent an email communication to the study participants and my wife’s and the other e-mail addresses are all visible to the other recipients and other investigators and physicians. At least my wife’s, and it appears that many of the other e-mail addresses contain first initial and last name information. Your thoughts would be appreciated. Thank you.

    Here is the text of the e-mail with my redactions:

    “Dear participants:

    I am writing to stress your obligation to be at XXXXXX Care Center on the scheduled time and date (something you had agreed to do when signing the Consent Form). Cancelling at the last minute is a waste of time for the clinicians that were there and a waste of taxpayers’ money who fund this research. It is unacceptable behavior where there is no serious medical reason, and I have the authority to remove from study anyone who does not respect their appointment. I hope I do not have to do that.

    To help you, we have simplified the scheduling communication for coming weeks. XXXXXX XXXX Medicine Center has agreed that from now on scheduling for the virtual reality system will be done by our staff at XXXXXX, where therapy takes place. You will receive a call from Mr. XXXXXX XXXXX who is the computer engineer working with the experimental equipment in your room at XXXXX. His cell number is XXXXXXX. His email is XXXXX@gmail.com. Please email or text him your name and cell number as well.”

    1. Ken, this type of communication is certainly borderline, for two reasons: email addresses in some states are considered confidential information, so sending an email in such a way that all other email addresses are also disclosed, coupled with the name of the facility where the clinical trial services are offered, certainly is questionable from a privacy standpoint. It’s borderline because apparently the clinical condition being studied is not mentioned directly.

      The organization administering the Clinical Trial could certainly ameliorate this concern by having all participants consent to receiving information, even protected health information, via email or text. And anyone sending mass emails can do it in such a way so as to avoid disclosing the email addresses of all the other participants.

      Let us hope the clinical study produces results for your wife and others that far exceed the borderline privacy concerns participants may have, and come about in spite of the level of customer service skill the lead investigator displayed in his message. Good luck.
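One way to send a notice to many participants without exposing the list, added here as an example that is not part of the original post or the reply above: the participant addresses go only in the SMTP envelope (the recipients handed to the mail server), never into the To or Cc headers that every recipient can read. The sender, addresses and hosts below are constructed for illustration; the `.test` domain is reserved and routes nowhere.

```python
import smtplib
from email.message import EmailMessage
from typing import Iterable, List, Tuple

# Constructed sample data for illustration; none of these addresses are real.
SENDER = "study-coordinator@example-center.test"
PARTICIPANTS = [
    "j.smith@example.test",
    "a.lee@example.test",
    "m.garcia@example.test",
]


def build_naive_notice(sender: str, subject: str, body: str,
                       participants: Iterable[str]) -> EmailMessage:
    """The pattern that leaks the list: every participant is written into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(participants)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_private_notice(sender: str, subject: str, body: str,
                         participants: Iterable[str]) -> Tuple[EmailMessage, List[str]]:
    """Headers name only the sender; the participant list is returned separately so
    it can be given to the mail server as envelope recipients (RCPT TO), which
    recipients never see in the delivered message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # each recipient sees only the sender in To
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(participants)


def disclosed_addresses(msg: EmailMessage, participants: Iterable[str]) -> List[str]:
    """Which participant addresses would a recipient find anywhere in the message?"""
    wire = msg.as_string()
    return [p for p in participants if p in wire]


def send_private_notice(host: str, msg: EmailMessage,
                        envelope_recipients: List[str]) -> None:
    """Hand the list to the MTA as envelope recipients only. Not exercised here,
    since it needs a mail server; shown to make the header/envelope split concrete."""
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope_recipients)
```

`disclosed_addresses` is the check to run before sending: for the naive message it returns every participant, for the private one nothing. This only stops recipients from seeing each other; the body still crosses the Internet unencrypted unless the transport or the message itself is encrypted, which is why the reply above still recommends documented consent for email contact.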

  18. I am not sure if you can answer this, but my question is, now that there are smartphones, I had a patient send in a picture of their Rx for medical equipment. Do you think this is acceptable?

    At first, I thought absolutely not, but then I thought about how Rx are faxed every day; is there a difference?

    What are your thoughts or do you know where I can get an answer?
    Thank you.

    1. Texting is no more secure than regular (unencrypted) email. Faxing, up until recently, was considered secure because faxes were sent from point to point over telephone lines, not through the internet. With the advent of VoIP, including for use in faxing, even that may have to be reconsidered since it is a form of internet transmission. In any case, unless the sender is using an encryption application to send text messages, of which there are several now, you should avoid encouraging patients to text (or email) PHI to you.

  19. An email sent through the encrypted email network of the hospital from one student to another containing patient last name and room number?

  20. We use Gmail for our inter-office communication. We have a password-protected firewall associated with our office computer system. Can we supply patient first name, last name and DOS if we are trying to convey a message between each other? Some of our therapists do not have access to our system with the account numbers of our patients.

    1. Although Google claims that emails sent within its server network go via the TLS security protocol, which means they are encrypted, that is only true if the emails stay within the Google domain. Therapists who send you emails with PHI that are not routed exclusively in the Google domain would not be protecting PHI as required under HIPAA. Google also offers an encryption solution that may help (Postini) and is compiling statistics on how many people are using encryption when sending emails. https://www.google.com/transparencyreport/saferemail/

  21. Please advise the HIPAA compliance requirements regarding emailing patient x-rays via a non-encrypted email service…to either another dentist or the patient in question.

    1. Since unencrypted email goes across the internet via a variety of servers, PHI sent this way may be subject to unauthorized disclosure, and such transmissions should be avoided. Having said that, if you ask a patient for permission to communicate with him or her via email, and they agree, then you can send PHI via unencrypted email. You can also ask for permission to share dental records, including x-rays, via email with other dentists or other medical care providers. Any such authorization should be requested in writing (or by means of a form you give the patient to fill out), and any restrictions specified by the patient on the use of email to send PHI must be observed.

  22. I am newly married. I work for a group of kidney specialists. I requested to have my email name updated with my new name and was told HIPAA requires it remain the same for tracking purposes. Can you tell me where I can find information on this?

    1. There is no requirement in HIPAA that requires tracking an email address, let alone not adjusting for updates to email addresses, name changes due to marriage, etc., etc. HIPAA only addresses maintaining the privacy of Private Health Information collected by covered entities, e.g., medical practices, on their patients. If you are also a patient of the practice, then HIPAA applies to your medical record and identity information created and maintained by the practice. HIPAA does not apply to general employment records of employees, except to the extent that information might involve PHI. For instance, your employer may have access to some of your PHI when it receives information about utilization of services by persons covered by its employee health plan. But again, there are no requirements about not changing an email address for those purposes.

  23. I have a medical office and my email was hacked by an ex-spouse. I have communication with patients on that email as well as with my attorney.
    The ex-spouse claims that they were given the password to use. That is absurd and I never gave it to them especially since this is a different email address that I started three months after our divorce.

    I have contacted state police who got information from Microsoft and the ex’s place of employment servers tracking her IP address to the email account and they have contacted the prosecutor but he is wavering from prosecuting the ex because she says that she was given permission to be on the account.

    Do I need to tell the prosecutor anything else or do I need to alert someone else about the violation if the prosecutor doesn’t pursue it?

    1. First of all, I am sorry for the situation you find yourself in.

      Depending on the content of the emails that were available for access, a prosecutor may want to know about the civil and criminal penalties for unauthorized disclosure of Protected Health Information. People have been prosecuted and even jailed for unauthorized disclosure, usually involving hospital staff who snooped in a celebrity’s medical record, and then sold information to a tabloid. I don’t know how you could tell if any of the PHI in any of these emails was disclosed outside of your wife seeing it, unless patients started calling you or you noticed dissemination of information that can be traced back to your emails.

      That said, and depending on how much and what type of PHI is in the emails, you should treat this as a breach – an unauthorized disclosure of PHI. We advise covered entities to obtain a patient’s consent to share information via email, but that only gives you some protection against the type of unauthorized disclosure that could result from someone intercepting and reading an email as it makes its way across various servers to get to its destination. In this case, there is a known incidence of a specific person with access to emails containing PHI. It does not matter how this access came about, or whether anyone is prosecuted or not. Under any circumstances of potential breach, you have an obligation to evaluate the potential breach and notify patients and/or the authorities, or even the media, if there is a risk of harm to the patients affected.

      You can read more about the risk of harm concept at our blog at https://www.foxgrp.com/blog/hipaa-breach-definition-updated/. You can also get more detailed information at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/.

      Good luck with your situation. It is an unfortunate object lesson on many levels.

    2. Hello,
      I am an RN working for a large MCO that manages a waiver program funded through Medicaid. Yesterday, a patient of mine asked that I email a copy of home care tasks that the home attendant is supposed to complete. I sent a form that we use that only lists tasks (such as bathing, cleaning, etc.), the patient’s name and Medicaid number. I attempted to send it through our work secured email but the firewall blocked it. The patient insisted I send it another way, so I emailed the document to my private email and then emailed it to the patient. Before doing this, however, on the document, I edited the patient info. I only left the first name, first letter of the last name, and the last 4 digits of the Medicaid number. I am now facing disciplinary action with my company. Would this be considered a major HIPAA violation since I edited the document to remove most of the self-identifiers? Thank you.

      1. There is really little reason to email PHI to your private email address, even if you tried to limit the ability of anyone who intercepted it to identify the patient. The general problem with email is that, unless an encrypted email application is used, you can’t be sure it is not intercepted and read as it goes from server to server. And email sent to a personal email address may be read by others in the family who also have access to the personal email account. Interception may not happen in a specific instance, but you are not protecting the privacy of the patient’s information – which is the requirement of HIPAA.

        The situation is moderated somewhat by the fact that the patient asked to receive the information via email, which implies the patient was consenting to receiving the information via email. But patients usually aren’t fully aware of the risks of using email for PHI or other confidential information, so we encourage healthcare organizations to document their consent for contact via a range of methods: email, phone calls, answering machines, etc. Did you make a notation in the patient’s record of the request to receive the information via email? You also did not apparently check on what you could do to get a properly-requested email past the firewall. Other possibilities: ask the home attendant’s organization to furnish a copy of the list, or send a copy via snail mail.

        Many times healthcare providers hide behind HIPAA, saying HIPAA does not allow for one type of disclosure or another. HIPAA regulations do not generally forbid actions. Instead, they focus on the rights of patients, the requirement to get patient authorization to disclose PHI for certain reasons, when disclosure is permitted without authorization, and to protect the privacy of PHI. We are expected to keep that principle in mind as we create, maintain and transmit PHI.

        Good luck with your disciplinary action!

  24. I work in a counseling office. I get clients who quite regularly request me to email them with dates and times available for an appointment with a particular counselor, or want to know when their appt. with “xxxxx” is. They also request I confirm their appt. by email rather than by phone confirmation. I always throw the HIPAA regs. at them, stating we cannot discuss PHI via emails. Are we legally able to adopt a policy for our business such as this? A policy that states: Our office does not handle appointment confirmations, scheduling or canceling via email due to HIPAA regulations and our obligation to protect your PHI.

    1. There is nothing in the HIPAA regulations that prevents you from adopting a policy that says you do not handle communications via email, but HIPAA regulations also don’t forbid you from utilizing that method of communication. The standard is to protect the privacy of your patients’ protected health information. It does not forbid any particular method of communication, and does not prescribe any particular method. Many practices have access to patient portals that offer a secure method of communication, therefore allowing exchange of PHI.

      We always recommend offering patients several options on how to contact them (phone, text, email, etc.). Email can be one of the methods, and you can specify the types of things you will put in email, and get the patient’s consent. That is one of the issues mentioned on the Office of Civil Rights FAQs about HIPAA. Since many patients may be used to getting information about appointments, etc. via email, they may question why your practice is saying use of email is a HIPAA violation, when it is not. But you should educate your patients, counseling them about not sharing information on their condition, treatments in progress, medications, etc., etc., that the internet is not a secure method of communicating, etc. And then you can offer the use of email if they give you an informed consent to receive such emails, for limited purposes, from you.

  25. (Hope this an appropriate question for the forum) As a BA, we are developing a new registration process for clients to use our services. When a new client registers they must create a login name and password. The common practice we see is, a new user uses their email address as a login name. Here’s the concern, small practices use free email services like Yahoo, Gmail, etc. and we are concerned about the security of an email address as a login name. Would it be more HIPAA compliant to require them to use something other than an email address as a login name? Thank you

    1. There are not really gradations of HIPAA compliance – you either are or you are not. I do not think there is anything inherently less secure in using an email address as a login name, vs. some other name they would have to select, since most of them would probably use a variation of their given name. It would be more important to require a “strong” password, e.g., a mix of letters (upper and lower case), numbers, symbols, etc., at least 8 or 10 characters in total. That would make logging in a more difficult task for someone phishing the login site.

  26. My web host (Bluehost) does not sign BAAs for the HTTPS secure websites on their server and they do not guarantee HIPAA/HITECH compliance with a HTTPS. I have a private dedicated server on Bluehost that hosts my HTTPS website. I would like my employees and physicians to enter ePHI into an online form, excluding the patient’s name. The identifier will be a medical record number from the billing company. This information is stored on the website and accessed directly, none of the ePHI (surgeon, anesthesiologist, time, ICD, CPT, quality data, etc.) is ever emailed or leaves the website storage on the server.

    Is this method HIPAA compliant?

    1. Here are a couple of things to consider.
      1) You definitely need a BAA if the hosting site has access to the ePHI you are storing on the server. If the server is only accessible by you or your staff, including for maintenance purposes, then you are protecting the privacy of the PHI, as you are required to do. If the web hosting company can access the server for any reason, even if only for maintenance purposes, and will not sign a BAA, then you are allowing potential access to other people who have not agreed to maintain the privacy of the PHI. Any access would constitute an unauthorized disclosure, making you subject to the breach notification procedures. And even if there were no disclosure, covered entities are being fined under HIPAA because they are not protecting the privacy of PHI adequately – even when there is no unauthorized disclosure.
      2) If access by webhosting personnel is not an issue, then you should ask Bluehost for the level of encryption used in their secure channel (the https) that connects you to the server. It should be at least 128-bit encryption.
      3) You can also overcome any of these issues by encrypting the files before storing them on the server. There are very simple, free encryption programs available that you could use to encrypt these files. You can make a dedicated password for each file using the medical record number from the billing company, for instance. Then no matter what happens with access to the server, the PHI you have stored there would be considered protected.

      By the way, you do have a BAA with the billing company, correct?

  27. Hello –

    If we have a patient who has recently changed their phone number and we are unable to reach them via phone but we do have their email address, would it be permissible to email them to contact us to update their phone number even if we have not obtained their permission to email them? Would this be part of “healthcare operations,” or would it be considered a HIPAA violation?

    1. A provider sending an email to a patient is disclosing a very minimal amount of PHI, but this should be weighed against the urgency of your need to contact the patient. If the email is designed to prompt a call because you have important information to pass on to them, and you have already tried sending a notice via US Mail, then an email asking the patient to contact you may be justified, even if it potentially discloses a minimal amount of PHI, and provided the patient did not request not to be contacted via email.

      But if the email is being sent for the purpose of a routine update of a phone number, it is probably better not to use email for such a request in the absence of permission to send email to the patient.

  28. I have a medical condition that requires me to find a donor for transplant. I want my personnel group to send a mass e-mail describing my condition and will absolve them from HIPAA laws. Are there any canned forms in PA for absolving employers from distributing these types of e-mails where the employee is asking for help?

    1. Vince, there is no particular form to use to give your authorization for such a mass email. I recommend you draft the text of the email you would authorize the personnel group to send on your behalf, and include a statement authorizing them to distribute it, and to whom, as part of your email to the personnel group. Just keep in mind once such an email goes out, it may not stay with the audience you have in mind. You should make sure you are OK with potentially unlimited dissemination of the information about your condition before taking such a step.

      By the way, I hope you are also on the official lists for donated organs managed by organizations such as the United Network for Organ Sharing (UNOS). You may also want to encourage people in your email to consider becoming organ donors by visiting websites such as organdonor.gov.

      Good Luck!

  29. I’ve had problems with the billing dept. at my doctor’s office. First they yelled out my current bill information to an entire waiting area & had patients complain about how it was handled. Secondly they emailed me and copied multiple people in their office including my doctor, which has now impacted our relationship. This was part of the email:

    It was brought to my attention that you had another visit with Dr. ******* on 2/10/2015 in our (specific) office and you could only afford to pay $5.00 toward your past due balance of $191.56. As I stated to you on 1/2/2015 you need to take care of your past due balance of $241.56, and provide us with your insurance card for any further treatment. You called in on 1/19/2015 and said you did not mean to miss your appointment on 11/24/2014, so as a courtesy we adjusted your account by $50.00 leaving your past due balance at $191.56.

    When you checked in to our (specific) office on 2/10/2015 you were aware of the fact that you needed to make full and final payment on your account prior to any more services being rendered. I have talked to you, and you have also been sent 3 past due collection letters from my office that state you are going to be placed with collections if you do not make payment. So instead of you taking care of the balance you made a fuss and made a payment of $(amount I paid) toward past due balance making the total amount due $(exact amount)

    Per Dr. ******* you will need to pay 50% of this past due balance which will be $ (exact amt) either prior to your appointment on 3/10/2015 or at the time of check in. Please keep in mind this is a requirement of you and we will not be able to render any further services until you take care of your past due balance. We have tried to work with you as much as possible, but you need to understand these are our office policies and these requirements are for ALL of our patients not just you.

    I realize this is incredibly unprofessional and I would assume it’s a violation, but I’m curious what you think? Because it’s so negatively affected my relationship with his office and now my health – I’m contemplating filing a complaint.

    1. You may have grounds for making a complaint about a violation of your privacy rights, depending on any other details in the email, and if you gave the doctor’s office permission to send you email with PHI in it. Ask the office for the name of the Privacy Officer, and for a copy of their Notice of Privacy Practices. That should have information on how you can file a complaint with the Office of Civil Rights, who investigates potential privacy breaches.

      1. Thank you, I genuinely appreciate your help. I see my doctor again tomorrow and I’ll ask for the info you mentioned while I’m there. When this was on top of the incident where she scolded me in front of an entire waiting area for having an outstanding balance, I just felt almost as if they didn’t take HIPAA seriously, nor did they understand that my health issues are a massive financial strain and it’s a very sensitive issue that doesn’t need to be translated to the entire office. Knowing that patients complained to the receptionist & they still thought to follow up with this email has me seriously concerned. I’ve had a relationship with this doctor for 5 years and it’s necessary for my survival to continue going to him because of a rare surgery, so I don’t want to be in fear of being a patient because of employees that don’t take these things seriously & treat them with utmost care. Thank you again, the info came just in time & hopefully I can keep others from being treated this way.

  30. Hello,
    I was sent a rude email from my job regarding a patient’s insurance that was inactive. The insurance was Medicare. If you’re familiar with Medicare you would be aware that it states the patient’s social security number on it. To be “precise and smart” she then sent me a copy of the patient’s Medicare card. It wasn’t even an attachment. It was a copy printed in the email, and I believe his DOB was in this email as well and his full name. Is that not against HIPAA? From my understanding internet use is not secure.

    1. You are correct that email sent over the internet without the use of a secure, encrypted email application, cannot be considered secure. While the identifiers you mention can be part of Protected Health Information, they may not be considered PHI without any other health information, like services rendered or the type of healthcare provider being visited. That said, many states also have laws against disclosing personal information that may facilitate identity theft. Sending such information via internet email applications that are not secure may expose the sender to penalties and lawsuits if the information was intercepted and disclosed. Information such as name, social security number and birth date certainly fits into that category.

      1. Thank you, and not to mention many emails are received through my employees’ cellphones. Everyone has their cell phone connected with their email, which means that patient’s information went to about 4 different cellphones.

  31. Can a probation department in Texas send medical information electronically to an Intermediate Sanctions Facility without violating HIPAA law?

    1. From what we see on the state of Texas website about Intermediate Sanctions Facilities, with tracks for substance abuse treatment, etc., the ISFs would appear to be covered by HIPAA. It is an open question if a probation department qualifies as a covered entity, even if it is in possession of medical information that meets the definition of PHI.

      A probation department would seem to be an entity that is covered by the Texas Public Information Act, which may make such an email discoverable when a member of the public asks for it. There is also a Texas privacy law which may apply to any breach or unauthorized disclosure of “sensitive” information.

      While it may be permissible to email such information from the standpoint of HIPAA, it would be prudent to get an authorization from the person whose information it is to send it via email. This would go a long way to mitigating any claims of unauthorized disclosure, if the email were intercepted or otherwise made public unintentionally.

  32. I work for a government medical facility. Recently one of our supervisors sent out an email to educate staff on a certain procedure for calling the MD when a patient has been admitted to an off-site facility. The email was not encrypted and contained the patient’s name, identifying government patient number, housing, procedure done and date of procedure. Would this be considered a HIPAA violation?

    1. It depends in part on the nature of the email system in use. If the email is sent within a closed network, for instance within a hospital using a hospital email server, then it can be argued that the PHI in the email was not exposed to potential disclosure. When email is sent over the internet with no encryption of PHI, that can be considered an instance of not protecting PHI in accordance with the Privacy Rule.

  33. Our company uses Outlook with Office 365. When sending shift reports, is it compliant to give first name and medication name and dose? The email is going out to an all-staff group on the email.

    1. You don’t specify the type of service your company provides, or the email application you are using. If everyone receiving these emails is using a Yahoo email address, then you have to consider the email as going through public servers. Google maintains that emails sent from one Gmail account to another are going through encrypted channels, so are safer than other email applications that are not using actual encryption of the contents. So this works as long as everyone sending and receiving these emails is using a Gmail account.

      You also need to consider the approach you describe to using minimal identification when distributing the information. What happens when there are two patients with the same first name? It is always better to use a unique identifier, especially with something as sensitive as medication. For instance, you could use a unique medical record or account number with first and last initials, instead of a name, especially if these messages only pertain to a limited number of people and typically confirm the medication order is still the same.

  34. Our office has a lot of problems with patients not showing up for their scheduled appointments. Would it be a HIPAA violation to send an email to a patient regarding their missed appointment? It would only have their first name and would state that they missed their appointment and that a “no show” fee would be posted to their account. It would not have the date of the appointment or any other personal info.
    Also, would it be a HIPAA violation to send an email to a patient letting them know that they have a balance in our office and to contact us to discuss their balance? This email would contain the patient’s first name and the amount of the balance only.

    1. In some situations, any email from a medical practice implying someone is a patient could be considered a HIPAA violation, which is why we strongly encourage documenting the patient’s agreement (or lack thereof) to receiving emails from the practice. Such situations include homes where multiple people share an email account, and where one member of the family has not disclosed he or she is visiting a doctor.

      Without patient consent, sending the types of emails you describe may come back to haunt you when a patient decides to complain to the Office of Civil Rights about a violation of their privacy. You can always use the mail to send these notices…

  35. Question. The VA is now using a program called MyHealtheVet. It allows Veteran patients to view certain medical information, and allows the Veterans to communicate with their provider/nursing team. My concern is that a non-medical MyHealtheVet representative is able to actually view the email communication; they tout the reason to be able to do so as ensuring that the patient’s medical team receiving the message has acted upon it. Is this a form of HIPAA violation? I’m not comfortable knowing that someone other than who I send the message to can possibly see it.

    1. I am assuming that the non-medical MyHealtheVet representative is a VA employee, required to maintain the confidentiality of patient information just like clinicians. It is very common in medical practices and hospitals that “non-medical” staff have access to patient information – people involved in billing and information systems support, for instance. Staff members whose duties require them to have access to patient information are not in violation of HIPAA when they access such information. It is a HIPAA violation when staff members not involved in the care of a patient, or whose duties do not otherwise require them to access a particular patient’s information, do access it. More and more people are being disciplined, fired and sometimes even prosecuted for accessing protected health information they were not required to access in the course of their duties.

      1. In this case, a patient used the MHV email option to contact their team regarding specific care. Members of the team in question were on leave for a few days. MHV apparently has a ‘time limit’ on email response time. There was a message sent to the team pointedly asking them if they had addressed patient X’s concern about their X care/treatment. The patient was unaware that communication between them and their medical team could possibly be fully viewed by another party.

  36. I will need to communicate via email with our clinical staff who are offsite. We do not have an encrypted system so we are thinking about using patient initials when discussing health information. In review of the above comments, I’m thinking even just initials would be a violation and it might be better to come up with a numbered identifier when communicating via email between clinicians. As far as I’ve read, when communicating with clients about PHI via emails, it would be acceptable if they are fully aware the system is not encrypted and have signed a statement to that effect and that they are aware and still agree to emailed PHI. Please confirm my understanding. Thanks,

    1. We agree it is better to have a unique identifier, vs. using initials, when clinicians are discussing PHI via unencrypted email. Although use of initials may disguise the identity of the person under discussion, there is also room for mistakes due to duplicate initials.

      You are unlikely to be sanctioned for communicating with patients via email as long as they have signed an informed consent about the lack of security of using unencrypted email to discuss their PHI.

  37. Our small physical therapy practice has started sending out our New Patient Forms via email after asking patients on the phone if they would like to have them sent via email, to save them the time of having to fill them out after they arrive for their first visit, which can be a slow process for some people as there are 5 or 6 forms. We ask that they bring them in with them, and we don’t use the last name in the email. The forms are blank, of course, but some of them are geared towards specific diagnoses, i.e., a back index, and of course our logo is on them. Once in a while patients will fill them out and email them back, but we do not encourage this.
    I became nervous about this practice when today an email with the forms attached was sent to the correct AOL email address, but instead went to a different AOL user! I only found the mistake because the recipient emailed us back letting us know AOL was acting odd and that they did not have anything scheduled with us. Thanks in advance!

    1. Your experience demonstrates the old saying about the exception proving the rule. Email is a mostly reliable form of communication – until it isn’t. And it reinforces the need to get consent when using unencrypted email to communicate with patients about anything which identifies them as your patient, or even potential patient.

      You can improve your process by making a note that the patient agreed to receive the New Patient forms via regular email. When the patient comes in for the first visit, be sure that the note finds its way into the chart.

      Thanks for sharing your experience. So many of us think the chance of an unauthorized disclosure due to the use of email is so small that we don’t have to take even minimal precautions about consents, let alone use an encrypted email application. The chances of a misrouted or intercepted email may be small, but they aren’t zero!

  38. I am a member of a homeowners association and on occasion, I receive e-mail from our governing board, in bulk form. Everyone in the association receives the same information. My question is would the laws regarding e-mailing be violated if members responded by using the “Reply to All” button? In that instance, everyone who received the original e-mail would see the response.

    1. What you describe is a very common practice, and it is hard to see that replies from one person sent to all other people who got the original email is disclosing – unless the respondent wanted to send his/her response only to the person who initiated the email. In any case HIPAA regulations on privacy only apply to medical providers who are required to maintain the confidentiality of the patient medical information they compile.

  39. here is my question.

    I am a remote paramedic in Alaska working in the fishing industry. We use a physician resource group out of Seattle, WA for medical control and medical consult for any procedures above the standard paramedic level of training (sutures, etc.) or any Rx medications (antibiotics for infections, etc.). However, I am in a rather heated debate with the medical provider over the transmission of HPI. The company I work for has a secure internal server and the medical physician group has a secure internal server; however, if I send an email outside of our internal users, then the email is not secure. The physician group is requiring my co-workers and me to send them the full patient name, DOB and last 4 of the SS# or they refuse to talk to us. I say this is a blatant violation of HIPAA. I am basically being told by the company I work for, “too bad, we’re not that worried about it, and you need to do it to stay employed.”

    Is this a violation or not?

    1. You don’t specify if any other information besides the name, DOB and last 4 digits of the SS# are transmitted via unencrypted email. If after emailing the basic information you describe, the rest of the information is shared verbally, then it falls into a gray area. We usually advise providers that even associating a patient with a practice using unencrypted email could be considered a violation – if the email is intercepted or otherwise read by a person who is not the intended recipient. Of course, what constitutes reasonable protection of a patient’s privacy may be a little different when the setting is urgent or emergent in a remote fishing village in Alaska, compared to an urban setting.

      You can always ask the patient if it is ok for you to send this initial information via email, and then document their consent, e.g., “Advised patient will send name, DOB and 4 digits of SS# to Physician resource group via regular email”. If more detailed PHI must be sent back and forth via unencrypted email, then you are much more likely to be found to not be protecting the patient’s privacy, remote location or not.

  40. My dental provider sent out a mass email to all patients in his practice “advertising” his new non-dental-related business. Is this a HIPAA violation? If so, where can I find the laws on this? He did violate the doctor/patient relationship; I just want to know if there is any legal recourse.

    1. A non-in-person communication from your dentist wherein he markets other non-dental services to you may be a HIPAA violation of the provisions governing marketing of services without patient consent. You can learn more about privacy rights and marketing at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html. You can also get more current information at this website: http://www.govhealthit.com/news/hipaa-final-rule-clarifies-marketing-fundraising.

      Your dentist should have a Notice of Privacy Practices that you can ask for, and that should tell you how to file a complaint with the Office of Civil Rights.

      The OCR may launch an investigation, but the usual outcome is that the provider stops processes that result in privacy violations. To have legal recourse yourself that could result in damages, you have to show that you were damaged by the communication (vs. just annoyed); for instance the unencrypted email you got identified you as a dental patient and that was somehow detrimental to your situation.

      Please note our comments should not be considered legal advice; for that, contact an attorney. Good luck.

  41. Are consumers allowed to substantiate FSA claim receipts via unsecured email with their FSA claims administrator? I’ve had different experiences with different providers.

    Some allow email of receipts; some tell me it can only be faxed because email is a HIPAA violation.

    1. HIPAA does not apply to consumers, at least as users or custodians of their own private health information. So you can choose to email it to anyone in any fashion you choose. Covered entities, including organizations that process or create PHI, must maintain the privacy of that information. Covered entities can use unencrypted email to send PHI, but they certainly are at risk of committing a privacy violation if the information is intercepted or inadvertently disclosed and they had not obtained a person’s informed consent to use unencrypted email.

      Faxing is considered digitally safe, because a traditional fax does not start as an electronic document or go through servers on the internet – at least until the advent of VoIP technology for sending/receiving faxes and making phone calls. Covered entities using a VoIP solution for phone and faxing should have Business Associate Agreements with their VoIP provider, and make sure the technology the VoIP provider is using meets the HIPAA Security Rule provisions.

  42. Can a statement or ledger of charges I incurred at a Dr’s office be emailed to me when I request it?

    I wanted to see charges from one day, itemized out (needed it for a flex card inquiry). I asked that they email it to me. He stated that due to HIPAA they cannot email it, but they can fax it or mail it.

    At my office the faxes come into an admin room where others can see the fax, print the fax, read the fax; everything is there for all to see. (It is not medical info per se, but because of the name of the practice they could make assumptions about my medical issues that I do not want made about me; I go for something other than what their name would imply.) If he emails it, it comes directly to my computer, to my email address, which is password protected. No one but me will ever see it.

    It is not medical information, it is just charges. Is that HIPAA applicable? How do they feel email is less secure than fax? A fax can be one number off and will most likely go through. Emails are more unique, and it is less likely that a miss of one letter or number would result in an email address that is actual and being used, which means that the person with the one-letter difference gets my Dr bill. Big deal, and very unlikely to happen! The fax number miss will go through.

    Thanks in advance for your reply

    1. If an itemized list of services includes dates of service and CPT codes which describe the services provided, it is protected health information (PHI). Providers faxing that type of information to a public or office fax machine, when they have been advised of the setting or asked specifically not to send it via fax, are at risk for causing an unauthorized disclosure of PHI. Faxing from one fax machine to another is considered secure from the standpoint of using an electronic means to send information; that is, it is not subject to unauthorized interception while en route. Of course there are other possible errors that can creep into faxing as you point out, but those errors fall outside the parameters of the HIPAA regulations.

      PHI can be emailed, but unless it is sent via an encrypted email application, we always advise providers to obtain an informed consent to send PHI via email. An informed consent would include telling the recipient that unencrypted email is subject to interception by other parties, and cannot be considered secure. If you elect to receive your information via such an email, at least you were warned and can decide if you want to risk using that method. The risk of interception and misuse is low, but not entirely absent.

      Most employers also specify that emails sent and received on your office computer or network are the property of the employer, and that you have no expectation of privacy for the information if the employer decides to review it.

      There is always snail mail, if everything else is unsatisfactory and time is not of the essence….Good luck!

  43. Jim, we correspond with the billing office, part of our organization, and send internal encounter numbers in the subject line. This encounter number is associated with the patient’s visit for the date of service we are referring to. Our Compliance Officer just informed me that we are in HIPAA violation. This is really the first time that I have heard of this and wondered where it came from. Hence, I found your site. Could you give me the HIPAA violation we are committing so that I can send out an e-mail to our billing office? We thought we had a fail-safe way of communicating our needs without disclosing PHI. Thank you. I enjoyed reading all the other questions and responses.

    1. You do not specify what the “internal encounter number” looks like, or what type of email system you are using to communicate with the business office. Some systems incorporate some of a patient’s name into the account number for the patient, making it potentially easier to figure out who the patient you are referring to is. Email systems that go outside the organization’s server can also be problematic if they include PHI. In general, you must protect the privacy of the PHI. You can accomplish that by 1) minimizing the PHI you put in an email; 2) using a secure email application; or 3) making it impossible to identify the patient whose PHI you are including in the email. If your internal encounter number is not subject to being “solved” to identify the patient, you are probably not violating HIPAA Privacy rules.

  44. I wasn’t able to read each entry in this string, so I apologize if it’s been previously covered. My question involves medical record requests.

    Our practice frequently sends entire medical records to our patients’ attorneys. The requesting attorneys always send a release with their requests, except for the cases of workers’ comp requests, which they claim is not legally bound by HIPAA regulations.

    Can medical records be sent via email, if all of the prescribed precautions and privacy measures are adhered to?

    1. HIPAA Privacy Rules contain an exception to the requirement for a release of medical records information to be authorized by the patient (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/workerscomp.html), but even without an authorization, covered entities (like your practice) must maintain the confidentiality of those records when releasing them. Medical records can be sent by email, but in that circumstance it would be highly advisable to have the patient’s consent to releasing medical records using email – unless you utilize a secure email application that encrypts the message and attachments you are sending. It is one thing to send an email with some PHI, releasing an entire medical record via email is potentially a much bigger issue for the person who is the subject of the record.

  45. Jim,
    We are implementing a new system, but in order to communicate with some of our own employees from the system we would not have secure email as we do within our own system. My question is what information can I use to notify a dept that I need a record scanned, or a status changed, or a denial was issued? I know I cannot use the name, but can I use the hospital stay number (acct number) all by itself, or would that number be considered a HIPAA violation even if it is not coupled with any medical info?
    Thank you.

    1. Use of just a hospital account number or medical record number, with no additional identifying information, would not be considered a release of PHI. Just make sure that the number you are using is sufficient to identify for the recipient the record you are asking to be scanned.

      1. I know this is old, but you seem to be flip-flopping over time whether MRN alone is to be considered PHI (because it must be removed from a limited data set, others do think it is PHI) – in 2014, you recommended against using MRN in plain email, now you say it is not PHI?

        1. Well, context is everything, naturally. In September 2015, I replied to a person asking about sending requests for records from one department to another, when they are not all on the same internal email system, that using an account number or medical record number to identify the patient, and requesting some action such as scanning the record, would not be a HIPAA violation. The distinction is that there was no other information about the patient in the email, no identifying information or other PHI. So the issue is, could someone intercepting the email figure out who the patient is from knowing the account number or MRN, and then associate any attached PHI to a specific person? Since there is no PHI attached or included in the message, and since there is no way, short of hacking into the hospital system, to identify the person in the record, there seems to be little possibility of identifying the person or figuring out any PHI about him or her.

          A medical record number is one of the identifiers that must be removed to de-identify a record with PHI, but in that case, there is already PHI as part of the record.

          I hope this helps with any impression of flip-flopping!

  46. We outsource our billing. The billing company occasionally emails us patient names and dates of service when they need additional info to submit the charge. HIPAA breach?

    1. A patient name, dates of service and the name of the practice (identifiable from some other information in the email or even in the response that you send) could be considered PHI. We recommend you find another way to have the billing service identify the patient for whom they need additional information. Or better yet, require the use of a secure email application!

  47. Jim,

    What must be done if the patient does not agree to receive PHI in unencrypted email or unencrypted text message? What are the options?

    What is the safe harbor and is it really new?

    1. There are no “safe harbors” when it comes to protecting the privacy of patient information, especially PHI.
      Some options when a patient does not agree to receive PHI in unencrypted email or text:
      1) Don’t send the patient unencrypted emails or texts containing PHI!
      2) Ask the patient for a confidential fax machine and fax the information.
      3) Send the information via US Mail.

      Patients who don’t want PHI sent in unencrypted email or text are telling you where the bar is for communicating with them. You don’t have any choice but to respect their preferences.

  48. Hi, my practice recently sent out a mass email to all our patients notifying them that we moved and changed our practice name. We did not use the BCC option in the email, and all the recipients can see the other individuals’ names and emails. Other than their names associated with their emails, nothing else but our new office name and address was in that mass email. Is this a HIPAA violation, and if so, what do we do to correct this?
    Do we send out another email telling everyone about the breach and apologize? Is that enough legal-wise, or is there something else we need to do? Did we violate the HIPAA laws?

    1. There are two things to consider when using email:
      1) Many people do not take seriously the possibility of unencrypted emails sent to them being intercepted and read by someone else, but it certainly is possible. And there is no protection for unsecure text messages. Text messages stay in the cloud, possibly forever, and upwards of 40% of text messages are sent to the wrong number.
      2) In some situations, just disclosing the name of a physician or practice that a patient is visiting or has visited could be considered by a patient to be an unauthorized disclosure. This may be a very limited disclosure of PHI, but even that much information may be sensitive for some people.

      For these reasons, we recommend not sending any emails to a patient unless they have authorized you (preferably in writing) to communicate with them in writing, and specified what can be sent via email, e.g., appointment reminders, requests to contact the office, etc.

      You may also have an issue with disclosure of email addresses, which are considered personal information in some states, and require a breach report at the state level.

      So what to do? Depending on how many email addresses were disclosed, you may have to publish a notice in the local paper as well as notify patients and file a breach report. You may want to start by sending a letter to your patients asking any of them who were concerned about receiving your mass notification email to contact you regarding their email preferences. You should also make sure your policy states you only send emails to people who have consented to receive emails from your practice, and that you will not send PHI via email unless it is encrypted.

      If you get little or no response, you may decide not to continue with a breach report. If you get several responses showing concern, you should seriously consider reporting this as a breach. You can find the breach regulations at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

  49. Our secretary accidentally sent a corporate email meant for the business manager in our building, and it was sent to all of corporate. It had patient information for billing purposes. She was terminated for it for violating HIPAA. Our system is MS Outlook/365 and it is encrypted. I am the Dietary Manager and get sensitive messages sent all day long, but since it is corporate encrypted email, it is within protocol… So how could her mistake be a violation?

    1. It is not clear from your note just what PHI was included in the email. The issue is not so much that it may not have been encrypted but that PHI is to be shared on a “need to know” basis. Sending PHI to a lot of people who do not need that information in their duties is a violation of HIPAA. I hope the sensitive messages you are receiving are necessary for you to carry out your job duties!

      It is possible to encrypt messages using MS Outlook/365, but the sender also has to have the key to decrypt the message. Hopefully the email set up you are using takes that into account.

  50. This is the most helpful website I have found in 2 days of searching!! BUT I have a situation not mentioned previously. I gave a patient my private/home email address to send me a link to a public website that he wanted one of our doctors to view. No personal nor healthcare information would be exchanged. No discussion regarding his care, diagnoses, etc. I was harshly reprimanded that I was in gross violation of HIPAA laws by my employer. What do you think? (It is a long and sordid story as to why he did not/could not email this link to our office directly.) ANYONE’S opinion would be appreciated tremendously! Thank YOU!

    1. It is hard to see how receiving an email from a patient with a link is a HIPAA violation if it did not include any information about the patient, why he was sending the link, etc. It is always questionable to give out your personal email address to someone since you don’t know where it will go or how it will be used in the future. Next time, copy the link over the phone.

  51. Good morning,
    Our company is trying to determine if there is any violation when using an email (sent from the client to the clinician) as part of the client’s EMR. We have been told we are unable to use them as an email and that they need to be converted to a Word document. Is there a HIPAA rule regarding medical records using personal emails in the EMR?
    Thank you for any help you can provide.

    1. It is not clear what role your company has in the process of recording an email originated by a client (patient?) into the “client’s” EMR. As noted in other responses to questions about email, HIPAA rules are not specific about any particular technology or practice. Instead, creators, users and maintainers of PHI must safeguard PHI from unauthorized disclosures.

      It is good practice to record all messages from patients in the medical record, electronic or otherwise. Capturing the contents of an email from a patient in an EMR would be in accordance with that good practice. But you do need to be certain that capturing the email as an electronic message, as opposed to scanning in a Word document or pdf, does not result in any vulnerability for the EMR system, such as allowing viruses, trojans, etc.

  52. We are the billing service for healthcare professionals. We have our own email server, am I allowed to email my coworker about a patient & name the patient in the subject matter?

    Thank You

    1. You don’t specify the information in the body of the email, but it certainly may contain information that would be considered PHI. So it may be better to use the patient account number in the subject line, unless the body of the email also contains the patient’s name. In any case, you want to make sure such emails do not go outside of your internal server, and the server is protected from unauthorized access.

  53. Is it a HIPAA violation to send a log of medical record numbers (to track productivity) via email (internal secure). The only information listed on the form are the medical record numbers. Would there be a difference if only account numbers were used?

    Thanks for your input

    1. Information like a list of medical record numbers (or account numbers) would not even rise to the level of being PHI, unless there was some way a person could associate the MR or account number with the patients and therefore identify them. Sending a list via secure internal email would not constitute an unauthorized disclosure.

      1. Jim,

        I work with ADT (admissions, discharge & transfer) datasets extracted from an EMR for productivity analysis.

        These datasets do not contain anything that could directly associate to an individual patient at present, however for a deeper analysis I want to track multiple visits by an individual.

        Based on what you’ve said above it sounds like I could use their account number or medical record number for this.

        For this deeper analysis I would want to include that identifier in the report. The recipient would be someone authorized to use the EMR system from which the data originates (in most cases it would be the attending physician).

        I am aware that #8 & #18 on the HIPAA Privacy Rule identifiers are “Medical record numbers” and “Account numbers” respectively. (source http://www.oshpd.ca.gov/Boards/CPHS/HIPAAIdentifiers.pdf)

        To protect the data I plan to encrypt the value stored in the database (“at rest”), and all communication will be TLS encrypted (“in transit”) from the database server to the application server to the web browser.

        Is that all I really need to do to handle this in a compliant way?

        1. I think you have covered enough bases to defend yourself against a claim of a breach in case the data files were ever hacked into. The standard is to take reasonable precautions, which you seem to be doing. Of course the recipient needs to maintain those protections when he or she receives and stores the data locally.

  54. Would a person’s full name, date of birth and doctor’s name on paper faxed to a non-covered entity be considered ePHI?

    1. While faxing is considered a secure method of transmission (since faxes are not subject to interception the way information sent over the internet potentially is), sending something via fax does make it ePHI since it has been changed into an electronic format.

      While the information you describe seems minimal, some people may feel just the fact that they are visiting a specific physician should not be disclosed without their authorization, visiting a mental health professional, for example.

      You do not specify why this information is being sent to a non-covered entity. Unless that entity is a business associate, you may need authorization from the patient to share the information. This is especially true for information that is shared for marketing purposes. While you don’t need authorization to share information for healthcare operations, it is hard to see why the information you describe would be shared with a non-covered entity that is not a business associate.

  55. Can a person’s full name, date of birth and proprietary ID number be considered PHI? Ex: Joe Doe, 11/24/1955, 145697856697.

    1. The information you list does not seem to include any “health” information, so it would not be considered PHI. Many states do have laws and regulations concerning the privacy of identifying information like birth date, Social Security number, etc. So depending on what you are doing with the information you describe, you should check your state laws/regulations on protecting such information.

  56. If I text a colleague using my personal phone to their personal phone a patient’s first name and last initial, stating “they will need to have their R and R completed”, is that a HIPAA violation? No other identifying PHI was disclosed. I was going to be out sick and wanted to make sure my appt. was covered.

    1. This minimal amount of information may not be seen as a violation. Just keep in mind how easy it can become to include additional information in other circumstances that leaves you vulnerable to appearing not to protect the privacy of patient information.

  57. We externally emailed as an attachment a password protected Excel spreadsheet containing PHI. The email was sent to a consultant with whom we did not have a signed Business Associate Agreement in place.

    We are conducting a risk assessment to see if we need to report to OCR. Does the act of emailing PHI outside our organization count as an “unsecured” transmission if the PHI data itself is encrypted?

    1. Password protection is not exactly the same as encrypting a file, but you may have a larger issue with sharing PHI with a consultant with whom you do not have a business associate agreement. Barring some fact about the situation you have not mentioned (such as you didn’t send the consultant the password so they can’t open the file), sharing PHI in this fashion definitely could be considered an unauthorized disclosure, making it reportable and requiring notification to patients affected and reporting to the Secretary of HHS as a breach.

  58. If we asked the patient for an email address to send electronic records, is it HIPAA compliant for them to give us a friend or family member’s email to receive their records?

    1. If you are sending them somewhere besides directly to the patient, it would be advisable to get such instructions in writing. Regular email is not a secure method of sending PHI in any case, and using another email address besides the patient’s adds another factor that leaves you vulnerable to an unauthorized disclosure, e.g., if the friend or family member forwards the records somewhere else.

  59. I sent a picture of a patient’s wound to my office. I do home health and my agency really hasn’t done anything with what I’ve reported. Is it a violation when my phone, email, and the agency’s email are encrypted? Thank you!

    1. It is not clear what you mean by your agency hasn’t done anything with what you reported.

      In any case, if you are using a secure email application to send a file containing a picture, that should not be considered a HIPAA violation. You mention your phone is encrypted. Make sure you mean everything on your phone is encrypted (rendered undecipherable), not just password-protected. Of course, you can consider deleting a picture after you have sent it so it won’t be found on your phone in the future.

  60. Hi Jim,

    We are an outpatient surgery center that uses CTQ solutions (which is on a secure website and is HIPAA Compliant) as our patient survey. If the patient has not shared their email with the surgeon, we ask if they would like to share their email with us and have a survey emailed to them, or we can provide them with a paper copy. On one particular patient, she had shared an email (which turned out to be her husband’s email address) with her surgeon, which we put into our EHR. When checking in at our front desk, we have our patients verify that all their information including their email is correct. The survey was emailed to her. The survey was filled out, but a comment was left that stated that they felt this was a HIPAA violation. This patient has no other email and she and her husband share an email. Of course we find this out after he has opened this survey. The survey has no information other than the patient name on it. It simply asks for comments or suggestions pertaining to a surgery that happened on 12/00/00. A password is required to go on with this survey also. So, could you tell me, are we in a HIPAA violation? We don’t know when the email address is put in if it is in fact the patient’s or a family member’s.

    1. You are a real-life example of a situation we often warn people about when it comes to using email for communications: you can’t always be sure who is actually reading the email on the other end! A further step we recommend is to have patients fill out a form where they identify the methods the provider can use to communicate with them, e.g., phone, with messages left or not; by email, with the email address specified and what can be sent; by text message, etc. This gives you some of the protection of an informed consent on the use of communication methods, which is ever-more important today. I am sure someday there will be a case where the patient has supplied an email address, but decides later they didn’t think you were going to send PHI via the email! And in any case, you should avoid sending PHI via email unless you are using a secure email application.

      I would say using an email that the patient shared to send a message about filling out a survey is not much of a HIPAA violation, if it is one. You can make it more general by saying it is pertaining to a service the patient had on the date. Hopefully most people will remember the service was surgery!

      Remember, the HIPAA Privacy regulation requires a covered entity (and business associates) to protect the privacy of patient health information. It is not specific to any particular technology or policy. So always ask yourself if your actions would be seen as protecting patient privacy before you adopt a process or technology.

  61. I am designing a healthcare app for iPad use. The application contains PHI in terms of treatment options & choices. If we do not enter any patient names, phone numbers, addresses, DOB, or emails but instead only use an ID # are we still held to HIPAA PHI requirements & standards? Thanks.

    1. If the only identifying piece of information is a unique ID # that is not otherwise linked to the PHI you are sending, you probably would be found to be adequately protecting the privacy of the PHI. Many people try avoiding the use of patient names or other identifying data, but think about using identifiers like patient initials or first name and last initial. This has the potential for confusion about who the patient really is, so a unique ID #, that must be accessed separately is one way to avoid confusion.

  62. When emailing medical records, is it required to email with a secure email that requires the recipient to use a username and password to access the medical records, or would a secure encrypted email with a document attachment be compliant? I cannot seem to find an answer to my question as the references use secured or encrypted. What is secured? Would that be the same as encrypted?

    1. “Secured” usually applies to a method of transmission, for instance an internet site with “https” instead of “http”. Messages/emails sent via an https channel are encrypted during transmission, usually using 128-bit encryption technology. “Encryption” usually applies to using technology to make files undecipherable without the use of the encryption application and appropriate password (key). Sending medical records in unencrypted files via a secure email application as you described above, is usually considered sufficient for HIPAA compliance purposes.

      I hope this helps!

  63. Can the guardian of a child in a residential placement request/receive any email correspondence between the residential site and the outpatient clinic from which the child was referred?

    1. Typically, email correspondence is not part of a medical record, so it may not be a requirement to furnish it under state laws governing the content and releasing of medical record information. However, you can ask the outpatient clinic to copy you on emails they send to the residential site, but they do not necessarily have an obligation to agree to your request.

  64. As an employee at an off-site location of a hospital, I was asked by my manager to provide a Dr. note by “scan” and send. I inquired if I was to scan and then email to the mgr, and if I was, then I was not comfortable as the script has PHI and I would prefer to drop it off directly to HR or fax direct to HR. Mgr stated email was more secure but would be over to pick up a copy. (This is AFTER our office received an email from the mgr stating that we were not to be using emails to send patient information that contained PHI because it is not secure.)
    My question is this: if my manager scanned the document I provided her (that has my PHI) then sent that via email to HR, is that in violation of HIPAA and my rights, as I personally requested NOT to send via email and that IS in writing? Manager is NOT a provider. Thank You for any feedback.

    1. If I understand this correctly, your situation is a little murky. The PHI you refer to was created by a physician who was not part of the hospital. That physician has an obligation to protect it, but since it is something about you in your possession, it is up to you to use it; HIPAA regulations do not apply to you as an individual in possession of your own information.

      Email is not secure (unless it is a secure email application), while fax as a method of transmission is secure (unless it involves using the internet to send the fax, vs. a landline and fax machine).

      Once you turned over your copy of the information to your manager, she had a duty to maintain it as confidential, not due to HIPAA, but due to internal hospital policies on protecting employee information (to the extent they exist), or possibly state laws on protecting the private information of employees. You might ask the HR department how it protects medical information about employees, and what managers are expected to do when they are in the chain of custody of such information.

  65. I am a home care nurse & my agency does not give its nurses laptops, cell phones or any other device for documenting patient care, confirming appointments, etc. All of the nurses use their personal laptops and email the patient’s records of care to the office in an attachment. I know that my laptop is not encrypted. We use our own personal mail addresses through our own service providers—mine is AOL. I questioned the owner about this when I first started, and he brushed it off (with good reason, I’m sure). I have dozens of patients’ medical records stored in my laptop, with identifying information as well as medical history, treatments, etc. Sometimes we use an agency-configured computerized document (created with Excel) to chart and sometimes we have to write the treatment on paper with pen, scan the documents and then email them to the office. We do not use Outlook or any other program—just our personal emails. I have scoured the internet looking for the answers & can’t find any. I’m sure the reason is because compliant home care agencies give their nurses laptops or tablets with medical record programs that get transmitted through an encrypted system. My agency won’t spend the money on laptops or tablets—they just want us to use our own electronic devices. Is this legal? I don’t want all this PHI on my personal laptop, for a variety of reasons, first & foremost being the HIPAA violations. Is a home care agency required to distribute “official” laptops/tablets/cell phones to nurses for contact with patients, patient record keeping, etc., that is transmitted via an internal, secure network? I do not exchange emails with patients, but I confirm appointments via texts and telephone. All of the medical information transmission is between my personal laptop and the agency, over whatever Wi-Fi service I can access—and many times that is a public connection. I’d like to know where I can find this information to present to the boss/owner of the agency. Thanks.

    1. A home care agency is not required to furnish laptops/cell phones to its field personnel, although many do because it increases the efficiency of the operation. Does your agency employee handbook or your employment terms and conditions require you to utilize specific personal equipment like tablets or cell phones? If so, state labor laws and regulations may bear on whether your employer can require you to use your own equipment for business purposes without compensating you for such use, or furnishing the required equipment.

      You are right to be concerned about creating, maintaining and storing PHI on your computer without encrypting it. You can download free encryption software and encrypt the files yourself, and password protect the computer so even if it were lost or otherwise accessed by someone who shouldn’t receive the medical information on it, it would not become an unauthorized disclosure.

      It is also problematic to send files containing PHI via non-encrypted email. Although there are not specific prohibitions against sending PHI this way, if the email were hacked or otherwise intercepted, the organization certainly could be found to not be protecting the privacy of PHI because it did not use more secure methods of transmission. You can find some information on using email at http://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html.

      1. The agency requires nurses to have laptops and cell phones. They want the patient records to be transmitted electronically. Even if the records are not electronic, and are written with pen and paper, they want the paper to be scanned and emailed to the office.

        My point is that I shouldn’t have to do anything “special” to my own personal laptop just because my agency is making me use my own laptop. I purchased it myself, and until the agency either pays for it or gives me one of theirs, I am not downloading encryption software or password-protecting anything. I didn’t do it before, and I am not doing it now.

        Interestingly enough, a virus crashed the hard drive on my laptop 2 days ago, and I cannot access any of the patient information on it. I am going to have to pay someone to recover and transfer the data on it because I do not know how to do that. That is definitely not HIPAA compliant because a completely non-related 3rd party is going to see the protected health records while they are transferring the data. Even if I didn’t want to transfer the patient data, it is going to appear because it is all stored in Microsoft Word with all of the other documents I have and want to recover/transfer.

        Additionally, a few months ago I received an email from one of the secretaries at the agency, and I was suspicious of it. Shortly thereafter, I received an email instructing me not to open that email because her computer was hacked. How can their system be secure when stuff like that is happening?

  66. My dad is on life support in another state; he’s going on 2 months now. Is the hospital allowed to email me updates on his condition?

    1. The hospital in this situation is required to protect the privacy of the protected health information (PHI) it is creating and maintaining about its patients. Typically, before disclosing information about a patient, the institution gets permission from the patient to release information when asked, or otherwise makes a good-faith effort to identify a person or persons who may be authorized to receive information. The use of email by covered entities is not prohibited, but unless the hospital is using an encrypted email application, it could be found to be enabling non-approved disclosure of PHI by transmitting it via a non-secure method. Of course, email is also a little more cumbersome since there may be a lot of information to convey about a person on life support. Ask the hospital if it has a policy against using email to provide these updates. They may ask you to sign a statement to the effect that you understand the risks of using non-secure email, but want it used anyway. They may also say they just won’t provide the information via email, and there is no requirement that they do so.

  67. If you are a HIPAA compliant company, can you share limited medical information with departments such as Human Resources/Benefits or the department the associate works in via email? What if the company is NOT HIPAA compliant? Can you share limited medical information with departments such as Human Resources/Benefits or the department the associate works in via email? Thanks for your help.

    1. I am not sure what you mean by a HIPAA compliant company. Organizations are described as covered entities (healthcare providers, insurance companies, etc.) or business associates of covered entities. Covered entities are usually organizations that create or maintain protected health information (PHI), while business associates usually receive PHI from covered entities as part of the services they provide to covered entities. Covered entities and business associates are required to protect the privacy of PHI they create, maintain or otherwise receive. A company that is not a covered entity is not required to comply with HIPAA Privacy regulations when it handles or communicates medical information about employees. Of course it may have a duty to safeguard the confidentiality of such information, possibly described in its own policies, but HIPAA would not apply.

  68. I am working on a case study in the book related to the e-mail breach of privacy.

    The child is diabetic. He maintains his personal digital assistant, hand-held device, that interfaces with his glucometer and provides information based on inputted data from him and his parents. This information is transmitted to his MD/hospital, school nurse, case manager, and to the parents’ home computer.

    The case manager sent an e-mail to his parents via their home computer asking them to bring the child in for an assessment. She was in a hurry and decided to add more information to the message than normal, reviewing with them the importance of maintaining control over the diabetes and expressing concern since he has not checked in with you lately. She told them that she thinks he might be over-doing it since he is trying to play football. She asked how they are doing and if they are still attending their counseling sessions.
    The email was sent by his 4-year-old sister to all of the diabetic lists that both his parents belong to. The parents are outraged.

    Few questions:
    1. How would you feel in this situation if you were the person who sent the e-mail?
    2. What is the problem?
    3. What ethical principles would guide you in this case?

    1. If I were the person who sent the email to the parents with these concerns, I would be concerned about emailing PHI using a non-secure email application where the email includes PHI, e.g., the diagnosis of diabetes, etc.

      There are two potential problems:
      1) The case manager may not have had consent from the parents to communicate about the child and his PHI via non-secure email. Although many people are very casual about what they share, and give others permission to share, using email. Providers should always be the party reminding patients to think about how secure a personal email address is, and if there is personal information about their medical condition they would not like to be shared on Facebook, etc.
      2) The email address used is accessible by others in the household, who may or may not be privy to the medical information to begin with, or how to handle it when it is received. We usually cite various examples of how a family email address may compromise the privacy of one person’s information, but the 4 year old sharing it with other parties is a new one, and very illustrative of how you cannot always depend on maintaining privacy, even in family settings.

      The ethical thing to do is to apologize for the case manager’s role in disclosing information that the parents considered private. If the case manager did not follow the parents’ instructions on how to communicate with them, then it may be necessary to notify the parents of a breach of their son’s PHI by sending it via non-secure email. The case manager did not distribute the information to other parties, but she surely facilitated it. Of course, the parents should be a little outraged at themselves for not realizing another family member could access and share email messages about her brother’s condition. Lessons to learn all around!

  69. I process billing for a doctor’s office. On occasion, bills are returned due to a wrong address on file. I’ve considered sending an invoice to the patient via email as an attachment. Invoices include patient name, address, and services rendered. If I were to send these via email, would we be in violation of HIPAA?

    1. We strongly recommend communications via email with the information you are listing (which is PHI, by the way) not be sent unless 1) the patient has agreed to receive such information from the practice via email, or 2) you are using a secure email application to send the information. Even then, you cannot be certain the person opening the email at the other end is the person you are trying to communicate with. We recently received a comment from a provider that sent information about a minor with diabetes to the parents because they had not been responding to phone calls. The email was opened by another sibling, who forwarded it to all the email addresses of a couple of juvenile support groups the parents belonged to. Needless to say, they were very upset about this unauthorized disclosure!

      Whenever there is a potential unauthorized disclosure and a complaint is made to the Office of Civil Rights of HHS, an investigation can be started. And during an investigation, all aspects of the way covered entities and business associates protect PHI can be examined. CEs and BAs are being fined for not protecting PHI – even if there was no actual unauthorized disclosure. So even if there is no evidence that an unencrypted email was ever intercepted and read by anyone else, the OCR may take the position that the CE/BA should have known an email could have been intercepted and should not have used such a communication method without the consent of the patient and/or the use of protections such as an encrypted email application.

  70. Hello, I work for a healthcare consulting company and an email containing PHI was sent to an MSO we are working with without encryption. The report attached contained patient health plan member IDs and patient address and DOB. How do we handle and repair this?

    1. Although elements like member IDs, addresses and DOB are identifiers, those items themselves (if they are the only things on the report you mention) are not PHI in and of themselves. PHI would include information in a designated record set such as diagnosis and treatment information. If this type of information was not in the report, then there may not have been an unauthorized disclosure of PHI.

      That said, many states have regulations about disclosure of information that can be used by identity thieves. You should review the regulations of the state the MSO is operating in to see if the MSO has an obligation to notify the individuals or state officials on the potential disclosure of private personal information. And then you should advise the MSO to use encryption method(s) to protect information that is going to be sent via email, like encrypting files before emailing, or using an encrypted email application. There are free software applications that enable users to encrypt files before emailing or even loading into FTP sites.

  71. If patients have given our practice their email on their new patient information, can we send out our office newsletter to them with the option to remove their email if they don’t want to receive future editions?

    I am a surgeon and I have had patients send me texts on the weekend as they have my cellphone for emergencies. I call them back and try not to communicate via text. On occasion, they have requested to send a picture of their wounds…is this a violation if they request? The only PHI would be their phone number that it comes from…

    1. We usually recommend practices document the methods patients agree to receive information, including phone calls, messages on answering machines, emails, text, etc. Texting is a particularly vexing subject since until recently, there weren’t any easy-to-use encryption methods for text messages. Texting is so convenient, for both parties, that it will probably continue despite the risks. These include the fact that text messages may stay on servers somewhere for an indefinite time and later be viewed by someone who was not an intended recipient.

      It is not a violation on your part if someone elects to send something like a picture of a wound. They should be made aware of the risks of sending such a text, which you can do when you document their communication preferences. And you should not keep such texts in your phone any longer than necessary.

  72. In private practice and we have a patient portal. Clients that choose to opt in to electronic communications receive appointment reminders and also invoice reminders and payment statements. These invoice and statement reminders have their name, invoice # and amount and/or payment amount, and advise them that for anything further they should log into the secure patient portal. We have a BAA with the portal company and the patient has agreed to these communications. Does this sound like proficient security and does this sound like a good practice? Or should we just stick to sending encrypted email invoices that advise them they can pay in the secure patient portal?

    Thanks for your time

    1. It sounds like you are doing everything we would recommend to a practice that is utilizing a portal. I assume the portal is accessed via an encrypted channel (https), and that you are documenting the patient’s consent to utilize the portal. Such consent is usually built into the message a patient gets when invited to begin utilizing a portal. Congratulations on improving the ease and security of communications between your patients and your practice!

  73. Hello,

    I work in a large hospital. At the end of our shift we are required to send a census email to the next shift with a list of inpatients that are hooked up and being recorded/monitored. This email includes the patient’s first and last name, the room number, the recording machine number, the referring doctor’s name, and the start date/time of the brainwave recording. The only facility identifying information on the email would be found in the employee recipient’s email address, which is the employee name @ blank health . com. On the subject line of the email we indicate the date/time of the census and we are supposed to include the word “SECURE”. Occasionally someone forgets to put the word secure. It does not change the recipient’s view. This is sent using Microsoft Outlook, which is what the entire hospital uses. Last week I accidentally sent my email to a fax machine number “address” rather than a regular email address. I did not get a failure notice. I contacted our IT department after the fax number address was brought to my attention, and the IT department said the fax number was nonexistent. Does this require me to report this to the HIPAA compliance department? My manager is insisting that I fill out a HIPAA violation report and turn it in since it is of great importance that the compliance committee investigate where this email ended up. (It was his fax machine number that was unintentionally selected as a recipient.) No one can seem to identify the location of this fax machine. I believe it was an old fax machine number that had not been deleted from the global address phonebook. Would this be considered a HIPAA violation? Thank you.

    1. This could be a HIPAA violation, so the Compliance Committee should go through the process of evaluating the possibility of unauthorized disclosure as outlined in the 2013 Omnibus Final Rule. If this really is a nonexistent fax number, then the Committee may conclude there is a low risk that an unauthorized disclosure occurred, and there is no breach.

  74. The company I work for has online appointment scheduling on our website for client facilities (Dr. offices). We had a patient send an email to complain that the Dr. office cancelled the appointment. In the patient’s email, the patient disclosed PHI. This email was accidentally forwarded to the Dr. office with the PHI info (that the patient supplied). Is this a violation given the patient disclosed the PHI? We have a business associate agreement with the Dr. office.

    1. Cindy, it is not clear if the patient understood that when he or she sent the email complaining about the cancellation that it was going to your company, or to the doctor’s office. If patients think they are communicating directly with the doctor’s office, then you may have an issue with forwarding an email with PHI via an unencrypted email application. As a business associate, you have an obligation to tell the covered entity (the doctor’s office) that there may have been a breach. Your organization and the doctor’s office should evaluate the breach using the criteria in the 2013 HIPAA Omnibus Final Rule. Then you should decide on whether your organization or the doctor’s office will notify the patient.

  75. I work for an optometrist’s office. We are getting a lot of requests for glasses prescriptions and receipts to be faxed or emailed. But we generally only fax prescriptions to another office where they might be getting glasses there. But with the increase in internet sales we are getting more and more requests from patients wanting their prescriptions. So we are getting a lot of patients that want us to fax or email their prescriptions to them. What is the correct way of doing this under HIPAA? Thank You

    1. There are a couple of things you can do. First, ask patients if they have a preference on how to receive information after they leave the office, e.g., emailing, faxing, etc. Document their response, with a form if possible, otherwise with a dated note in the record of what they authorized for such communications. If you are receiving a request over the phone, verify that the fax is private to them; if they ask for email delivery, remind them that email is not secure, and there is a small risk their information may be discovered by other people. Then document their agreement to use the method of communications. This will give you some level of protection if someone ever comes back to complain that their private information was compromised because of the method you used to send a prescription or receipt. You will have warned them of the lack of security with email or the use of a non-private fax machine.

  76. We are a hospice agency and have contracts with Skilled Nursing Facilities (some are 30 miles away). Is it ok if we email the patient’s home health aide / nursing schedule and care plans to 2 identified individuals at the SNF so that this information is more readily available and in their charts in a more appropriate, timely manner? We are looking at the Director of Nursing and the MDS coordinator as the 2 recipients of the email. Thank you

    1. As we have pointed out many times, using unencrypted email to send PHI is taking a chance that the information will be disclosed to unintended recipients, just due to the nature of email. You can overcome this in at least two ways:
      1) Implement a secure email application that encrypts the contents of emails that you want to send with PHI in the email or attached to the email.
      2) Use an application to encrypt the attachments. There are free versions of these applications (like EncryptOnClick from 2brightsparks), but they require both parties to have a copy of the application and both to know what the password (the encryption key) is for the encrypted files. You can overcome this by adopting a standard password for each SNF that you send PHI to, and making sure the recipients of the emails in the SNFs know the password. If you use this approach, do not send the password in the same email that contains the attachment!

  77. Is the patient’s signed consent to release information form itself PHI? I would think it is, being part of the medical file.

    1. Not every form in a medical record may be considered or contain PHI. We typically take a very conservative approach and advise that even the information that a person is being identified as a patient of a covered entity (physician, hospital, etc.) may be PHI. A release of information form that identifies the medical organization releasing information and the medical organization receiving information may be PHI to some patients, e.g., an emancipated minor asking for release of medical records information from a Planned Parenthood clinic to an obstetrician’s office may be extremely sensitive to disclosure of even limited information about such records.

  78. Regarding email and HIPAA.

    If you use POP3 or IMAP with encryption, does that qualify? Or do you need additional measures?

  79. I am a private citizen who just received a fax on my home computer of a child’s immunization records. The only identifying information the fax had on it is the child’s name and birthdate.

    Our phone number has no similarity to the intended fax recipient’s phone number! So this is in no way a typographical error.

    The Fax was generated by a major Children’s Hospital system.

    My concern is that perhaps their system has been hacked or there is gross negligence in their Medical Records department.

    I’m seriously concerned about the HIPAA violation and the possible threat to the security of other patients’ records.

    What course of action would you advise if this Hospital System were your client? Who would I contact in that organization to make them aware of the breach?

    1. You should contact the Privacy Officer of the Children’s Hospital to report the receipt of a fax with the records you mention. Unfortunately, misdirected faxes are among the most frequent causes of unauthorized disclosures of protected health information among hospitals and physician offices.

    1. If you are using the account number or claim number as the identifier in the email, and the email includes PHI, this is probably not a HIPAA violation since these are not identifiers that would be publicly available.

  80. I work for a school district reconciling the insurance bills. Is it a violation to send the member’s name, SSN and monthly premium amount through internal email? What if the information is in a spreadsheet and I send it to myself at home to work on after hours?

    1. Things like name, SSN and premium amount may not represent protected health information, but they are information that can be used for identity theft, and as such, be subject to state laws about unauthorized disclosure or the federal Red Flag rule. It is advisable to only send such information via an encrypted email application. If you encrypt a spreadsheet file with encryption software, you can email it, but of course you have to know how to decrypt it at its destination. It is also not a good idea to leave unencrypted files with PHI or identifying information on home computers since they get stolen, too!

  81. I am a therapist and I am currently getting a divorce. My husband hacked into my email account post-separation, and got hold of one of my clients’ email correspondences with me. He has submitted these emails into “evidence” during our divorce trial because he is trying to argue I should have charged this client more money because I saw this client pro bono for a short period of time (aka I could have brought more money into the marriage). Anyways, I am trying to explain to my lawyer that this is a HUGE HIPAA violation because my husband is sharing privileged communication between client and therapist. Also, the law says any information obtained illegally is inadmissible. My lawyer is saying even though I did not allow my husband access to my emails, and he hacked into my email account without my knowledge, that it’s still “implied consent” because my husband and I shared a residence/access to the computer. HOW CAN THIS BE???? Can anyone who has legal knowledge point me in the direction of legal information/laws that clearly state how ILLEGAL it is for confidential client information to be shared without the client’s permission? Please help. This breach in confidentiality could ruin my entire career.

    1. Here is a link to a pretty good explanation of the penalties for violating HIPAA. As it notes, there are both civil and criminal penalties. We can speculate on how this might be handled, but this is not legal advice.

      Your issue is whether you might be found responsible for the unauthorized access and disclosure by your husband. HIPAA applies to covered entities (that’s you), but not people like your husband. You need to be certain you had protections in place to prevent someone with access to your computer from getting into your email account without actually hacking it, e.g., having a separate password for the account that someone like a close relative could not easily guess. Of course, you should be using an encrypted email application for email correspondence with patients that may cover protected health information (PHI).

      This is not going to be an easy situation to resolve. Your lawyer may also ask that the emails with PHI be returned, even if you have to furnish redacted versions that do not identify the patient. You may also be facing notifying your patients of this breach. You may be best served by getting legal advice from an attorney familiar with HIPAA and unauthorized disclosures.

  82. I’m currently at a general hospital rotation and the question came up whether it’s a HIPAA violation when a company (say a hospital or pharmacy chain) sends out an email “hotline” about a drug seeker. The original question asked was “if Hotlines that pharmacies send out are HIPAA compliant, since they are not technically our patient. Can we be receiving info about patients that are having issues at other pharmacies?”

    1. It is up to the organization disclosing information about patients to make sure they are reporting patients who appear to be “drug seekers”. There are hotlines both nationally and in specific states for reporting by physicians, pharmacists, etc. Here is a link to a document from Medicare on the topic.

  83. If a client sends an email about their mental health issues to one therapist but CCs other third parties, and one of the third parties answers with the suggestion of possibly closing care due to the client’s exposing their medical care issues, is that a HIPAA violation on the part of the third party for closing the door on their care, even though the client shared all the information with all the parties?

    1. First of all, HIPAA does not address any issues related to continuing or discontinuing care after a disclosure of PHI of any sort. Second, it would seem to be unlikely that the OCR would sustain a complaint of a breach if parties to whom the patient sent an email containing the patient’s medical information started commenting on it. Information disclosed by a patient does not meet the definition of PHI.

  84. John,

    We recently had an employed physician leave our practice. He formed another corporation and is opening his own practice. Subsequently he sent out a pan email to some of his patients (1000-1200) and some of our patients (150) unblinded. The email identified them as active patients in the original practice with his notice of new business and a pdf file on how to request records from our practice. We became aware of this through several of our patients’ notifications and frustration over his email with their personal information being present and being identified as patients to a large group of other people. Is this a breach on his part?

    Further, it appears he obtained the patient list and emails from a prior vendor we had used to develop a website. The relationship was between us and the website/marketing company. Is this a breach to have obtained the contact information through a vendor with whom he did not have a relationship?

    1. An initial qualifier: we are not attorneys and cannot give legal advice. My comments below represent our understanding of the HIPAA regulations; you may need to consult an attorney if/when complaints are made to the Office of Civil Rights of HHS (see your Notice of Privacy Practices).

      We advise people to approach email conservatively, arguing that even the disclosure of a person being a patient at a certain type of physician specialty practice could be considered PHI. Your account of complaints from some patients validates that concern.

      From your description, it sounds like both the website/marketing company and your former employed physician may have made unauthorized disclosures of PHI, or at least confidential information like email addresses (which are considered confidential in some states). Hopefully you have a business associate agreement (BAA) with your website/marketing company that calls upon them to take action (at your direction) to report a breach. Even in the absence of a written BAA, the website/marketing company is your business associate, and they are required to comply with the breach notification provisions of HIPAA, at your direction. You may also have a contractual dispute with the website/marketing company if they disclosed information to your previously employed physician without your permission, or without the employed physician being a person in your organization with whom they were authorized to communicate.

      The magnitude of the disclosure here is also important since it exceeds the threshold of 500 persons where notification to media is required, as well as individual notification. You should conduct a risk assessment and consider the four factors:
      1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
      2. The unauthorized person who used the protected health information or to whom the disclosure was made;
      3. Whether the protected health information was actually acquired or viewed; and
      4. The extent to which the risk to the protected health information has been mitigated.

      One problem with this situation is that you have no control over further distribution of the information since it went via email to so many people.

      You cannot enforce HIPAA; most HIPAA complaints have to be filed with the Office of Civil Rights, which investigates and enforces the regulations. You may consider reporting an unauthorized disclosure to the OCR, but keep in mind if/when they get around to investigating it, they will also look at how your organization has protected PHI, if you have business associate agreements, etc., etc. You should consult with your cyber insurance carrier to understand your coverage for these types of situations. You may also have damages caused by your former employed physician.

      We are sorry you are dealing with such a situation. It is an object lesson on protecting PHI, even when you think everyone you are dealing with is trustworthy. Think about getting legal advice as you go forward.

  85. Good morning Jim,
    Thank you for such a fantastic site – very useful information. I have a question for you please… a company I know provides patient specific guides for joint implants in a PDF to surgeons. What would you say is the most appropriate way to give these PDFs to surgeons avoiding the obvious postman method? Would it be sufficient to password protect the PDF and email the PDF, or is it required/recommended that a HIPAA compliant web-portal be used for this kind of transmission?
    Thanks so much,

    1. Encrypting a pdf file with at least 128-bit AES should be sufficient to protect it from unauthorized disclosure, even if the email goes astray. Be sure to send the password in a separate email in case it does go astray!

  86. Hello,
    I found some similar questions, but I wanted to ask about my situation specifically. I work for a social services agency, and using that Office 365 account, sent an email to an employee who works for the managing entity who distributes our incidental funds for clients, containing a Word attachment that a colleague wrote on behalf of her client in order to strengthen her case for the requested incidental. The managing entity is covered in the client’s consent and release of information. The email did not have any PHI, but the attachment stated the client’s first name and current housing situation. The managing entity employee sent me a reply that it was a HIPAA violation to send the attachment (stating she was not in the office, so I do not know where she viewed the email) without securing it in a zip file. Is she right? I received the attachment from my supervisor, so I didn’t think it was a violation when I sent it to the managing entity employee.

    1. To be a HIPAA violation, there must be PHI that was subject to unauthorized disclosure. If an email was sent with information that is not PHI, there cannot be a HIPAA violation. And if PHI is going to be attached to an email, the file should be encrypted (not just zipped) or the email should be sent using a secure email application.

  87. Thank you Jim, this is great information. I have a question.
    An insurance agency that administers health plans emailed a scanned medical record as a PDF attachment to an employee’s HR department unencrypted. Would this be considered a HIPAA breach or violation ?

    1. As the blog pointed out, the Privacy Rule requires covered entities and business associates to apply reasonable safeguards when utilizing email to communicate PHI. These days, not encrypting a file containing PHI, especially a portion of a medical record, may be viewed by the Office of Civil Rights as a violation – not reasonably protecting the PHI. I don’t think most organizations would report this as a HIPAA breach under the theory that, absent any evidence to the contrary, there is no evidence that the PHI was disclosed in an unauthorized way, so the risk of unauthorized disclosure is low. Of course, how the OCR would view this practice if it were utilized routinely and there was evidence of an unauthorized disclosure could be very different. At best, it is sloppy; at worst, it could become a reportable violation.

      The HR Department receiving the email should warn their business associate insurance agency against sending such emails unencrypted.

  88. Everyone is focused on the email containing PHI. What about all of the pieces of mail that are sent out, going through dozens of people that COULD intercept PHI? How many times have you seen a news story about a postal worker dumping bins of mail into a dumpster, or how many times have you gotten mail that is not addressed to you, or been told that something was mailed out days or weeks ago but it never shows up? How is this system any more secure than electronic delivery? Also, with electronic delivery there is much more traceability of a document than in the hands of a bunch of strangers at the USPS.

    1. Of course, “snail mail” has its weaknesses. A couple of differences:
      1) When people get misdirected mail, they often do not open it, but instead forward it to the correct addressee.
      2) Information in the US mail is not easy to disseminate widely the way information received digitally can be. It’s not impossible, but it is harder.
      3) For better or worse, use of the US mail or even faxing information is considered more secure than email.

  89. Hi! We are a Nurse Registry with signed BAAs of all of the nurses who see patients for a pharmacy. The pharmacy obtains HIPAA consent signatures from patients. On occasion, we need to email updated documents with PHI to the nurse assigned to a case (we also have signed BAAs). Most times the nurse is not on the same server as us. In updating our HIPAA policies, we recognize the need to do more.

    Would obtaining consent from the patient directly for our purposes and encrypting any pdf documents be enough to safeguard ourselves against a HIPAA violation, since some of those emails go to a personal email account? Or do I also need to consider the use of a secured email service?

    1. We would strongly advise you to utilize a secure email application to send PHI to your nurses, or at least encrypt any pdf documents containing PHI that you email to them. While we recommend any healthcare organization that wants to communicate with its patients via email get consent to utilize that method of communication, you would be asking for consent to use email to communicate internally among you and your staff. Your patients may be comfortable when they initiate or receive email from you, but they may wonder about the information being exchanged when they are not in the loop. Even with a consent, people may decide they didn’t really understand what you were sending, especially if the email led to an unauthorized disclosure of their information. And what do you do if a patient does not give consent? It could be very challenging to vary your communication via email based on patient preference.

      There are free encryption programs that you and your nurses can download and utilize. You can make up a simple password for encryption and decryption of documents with each nurse. This gives you a strong basis for saying you were protecting the privacy of the PHI you are handling up to the requirements of HIPAA.
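The advice given to the hospice agency (comment 76), the implant guide company (comment 85) and the nurse registry above all comes down to the same two mechanics: encrypt the attachment under a password strong enough that a misdirected email is useless to whoever receives it, and send that password by a separate channel. The following is an added example, not code from this site or from any encryption product mentioned in the thread; it uses only the Go standard library. It derives an AES-256 key from the shared password with PBKDF2-HMAC-SHA256 and a random per-file salt, seals the file with AES-GCM so a wrong password or an altered file is rejected outright, and refuses to build an email whose subject or body contains the password. The sample "care plan", the password string and the iteration count are constructed for the example (the count is kept low so the example runs quickly; use a higher one in practice).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

const (
	saltLen    = 16     // random per-file salt, stored with the ciphertext
	pbkdf2Iter = 100000 // constructed for the example; raise it for real use
)

// pbkdf2SHA256 derives a 32-byte AES-256 key from a password (RFC 8018,
// PBKDF2-HMAC-SHA256). Written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1; one block yields 32 bytes
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func gcmForPassword(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, pbkdf2Iter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment protects a file under a shared password. Output layout:
// salt || nonce || AES-256-GCM ciphertext+tag. The header is bound as
// associated data, so a changed salt or nonce is detected on decrypt.
func EncryptAttachment(plaintext []byte, password string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := gcmForPassword(password, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{}, salt...), nonce...)
	aad := append([]byte(nil), header...)
	return gcm.Seal(header, nonce, plaintext, aad), nil
}

// DecryptAttachment reverses EncryptAttachment. A wrong password or any
// tampering yields an error rather than garbage output.
func DecryptAttachment(blob []byte, password string) ([]byte, error) {
	const nonceLen = 12 // standard GCM nonce size
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("encrypted attachment too short")
	}
	salt, nonce := blob[:saltLen], blob[saltLen:saltLen+nonceLen]
	gcm, err := gcmForPassword(password, salt)
	if err != nil {
		return nil, err
	}
	aad := append([]byte(nil), blob[:saltLen+nonceLen]...)
	plaintext, err := gcm.Open(nil, nonce, blob[saltLen+nonceLen:], aad)
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or altered file")
	}
	return plaintext, nil
}

// Message is the email that carries the encrypted attachment.
type Message struct {
	Subject, Body string
	Attachment    []byte
}

// BuildMessage enforces the rule from the thread: the password travels by a
// separate channel, never in the same email as the encrypted file.
func BuildMessage(subject, body string, attachment []byte, password string) (Message, error) {
	if strings.Contains(subject, password) || strings.Contains(body, password) {
		return Message{}, errors.New("refusing to send: password appears in the same message as the attachment")
	}
	return Message{Subject: subject, Body: body, Attachment: attachment}, nil
}

func main() {
	carePlan := []byte("CARE PLAN (constructed sample) - visit schedule and medication list")
	password := "per-facility shared secret (hypothetical)"
	blob, _ := EncryptAttachment(carePlan, password)
	msg, berr := BuildMessage("Updated care plan", "Encrypted file attached; password sent separately.", blob, password)
	got, derr := DecryptAttachment(msg.Attachment, password)
	_, werr := DecryptAttachment(msg.Attachment, "wrong password")
	fmt.Println("built:", berr == nil, "round trip ok:", derr == nil && string(got) == string(carePlan),
		"wrong password rejected:", werr != nil)
}
```

The salt and nonce are fresh per file, so reusing one standing password per facility, as the thread suggests, does not produce identical ciphertext for identical documents, and GCM's tag means a recipient with the wrong password gets a clear failure instead of a silently corrupted file.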

  90. Good Morning,

    I am currently on medical leave from work. We have an HR outsourcing company, as well as an employee who handles a few things in office, who happens to be my sister. I sent an e-mail to the outsourcing office explaining I would like to deal with them only, as I don’t want my sister knowing all my business and because I see it as a conflict of interest. The outsourcing HR sent the e-mail to my sister; is this a violation of my rights?

    1. Well, there is no specific law or regulation that we know of that forbids the outsourcing company from forwarding your email to your sister. It does make you wonder who thought it was a good idea to forward your email to the exact person you did not want informed about your affairs. We recommend you contact the outsourcing company – by phone – and confirm that they understand your request and can incorporate it into their process for making your information available to other parties when it is needed and authorized.

  91. Good Morning,

    Our doctor’s office works with a medical billing company that sometimes uses a password-encrypted email to send PHI. The content of the email automatically deletes after a short period of time. Unfortunately our office does not have the same encrypted email software, so these emails cannot be maintained on our server. I read HIPAA frowns on emailing PHI between a doctor’s office and billing company if both parties are unable to maintain the email on their respective servers. Is this accurate?

    1. HIPAA (or the Office of Civil Rights of HHS, which investigates unauthorized disclosures) doesn’t do a lot of frowning, which implies nuance in interpreting the Privacy Rule. The main concern is to get covered entities and business associates to protect the privacy of PHI, whether it is maintained on paper records or digital records. The OCR takes the position that use of non-secure email may result in unauthorized disclosure of PHI, so covered entities and business associates should take that into account when transmitting PHI. For instance if PHI sent via non-secure email is somehow intercepted and disclosed to unauthorized parties, OCR would consider it a breach, and may take the position that the fine or penalty should reflect the organization’s lack of protecting PHI against known hazards. However, if PHI in an email is not retrievable from an email application due to settings in the application, then by definition there can be no breach. There is no specific HIPAA requirement to keep electronic copies of emails on one server or another.

  92. Hello!
    We have a family member in a mental health treatment facility in another state. Because it is frequently necessary to discuss issues with them, they have and we have used e-mail. However, the facility has only one e-mail address. So all communication is available to all staff. When we e-mail the therapist, the bookkeeper has access to this information. When we e-mail about the financial situation, the counselors and therapists have access to this information.
    Is there a violation here?

    1. It certainly sounds unusual for a mental health facility to have only one email address that must be utilized by all staff and family members, etc. for email communications. There is not necessarily a violation, especially if you have agreed to accept emails and reply to them using the single address, and understand how the information is shared within the facility. The facility has a duty to limit disclosure of Protected Health Information (PHI) to staff members who need to know it, so a system where you respond to a therapist about clinical information, and the bookkeeper has access to the information, does not seem to meet that standard. If there is no way to keep the various types of communication private, you may have to utilize other methods of communication to avoid the disclosure of PHI or financial information to persons at the facility that you do not think need to know about it.

      This is another instance where the convenience of email as a communications method is at odds with protecting the privacy of medical information. Providers, patients and family members should all be aware of the trade-offs they are making by using email!

  93. Question- if a billing company has been emailing letters and statements out to an email address that is not associated with the patient, is this a HIPAA violation?

    1. The answer is, it depends. Letters and statements from billing companies that contain information on the service provided and the diagnosis (even if it is in the form of standard codes utilized in billing) are Protected Health Information (PHI). Our general recommendation is that a provider or a billing company should get authorization from the patient to send such information via “regular” email. Email not sent using a secure email application cannot be considered secure. If a “regular”, i.e., non-secure, email application was used to send PHI, and there was no authorization to utilize that method, and there was evidence the email was read by someone who is not the intended recipient, that could be considered a breach in the event of a complaint to, or investigation by, the Office of Civil Rights of HHS, which investigates breaches. The OCR has even been fining organizations that do not adequately protect PHI even if there is no evidence of a breach. Right now, the OCR has not been coming after organizations that utilize regular email without authorization from the patient as breaches in the absence of evidence that the PHI was viewed by someone besides the intended recipient, but they certainly could take that approach in the future.

      You also mention sending emails to email addresses not associated with the patient. There is no specific definition of what being associated with the patient means, but the advice about getting authorization to utilize email for communications involving PHI is the same, and the risk of an unauthorized disclosure of PHI still exists.

      1. Thank you for your response! There was no use of a secure email application used to send the email and there was no permission from the patient to email. The billing company had the wrong email address for patient and was sending letters and statements to someone other than the patient.

  94. Great article! Quick question (and sorry if I missed the answer in the previous thread). Is it safe to email using a Medical Record number, in lieu of a patient’s name? Also, what is safe to include in an email’s header and what should be avoided? And lastly, did I read that Gmail is a good email service for encrypted email communication? I really appreciate your time and help!

    1. Instead of thinking about what is safe, try to think about how we are protecting the privacy of a patient’s PHI – and whether we would be proud of what we are doing if we were ever investigated or sued. Using a medical record number instead of a patient’s name may be an acceptable way to identify the person whose PHI you are transmitting via email. In general, you should only include information in an email (whether in the text or the header) that does not allow for identification of the patient. So name, SS#, driver’s license number, etc., are all things to avoid if you are utilizing unencrypted email to transmit PHI. We also recommend avoiding first name, last initial or similar shortcuts since this can lead to confusion over who you are actually referring to.

      Google says gmail is encrypted, but that only applies when emailing from one gmail address to another. It is likely not encrypted when sending email outside of the gmail environment.
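The answer above amounts to a checklist for an outgoing message: a medical record number alone is tolerable, while a name, SSN, date of birth or the "first name, last initial" shortcut should never appear in the subject line or body of unencrypted email. The following pre-send check is an added example, not code from this site; it is a small scan that a sending application or mail-flow rule could run before releasing a message. The regular expressions cover the US SSN form and a labelled date of birth, and the patient name is supplied by the caller because the sender knows who the message is about; the sample messages are constructed. Real deployments tune the patterns to the identifiers their records actually use.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one identifier that should not travel in unencrypted email.
type Finding struct {
	Field string // "subject" or "body"
	Kind  string // which rule matched
	Match string
}

// Direct identifiers recognised by pattern. US-centric and constructed for the
// example; a medical record number is deliberately not on this list.
var identifierPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"date-of-birth", regexp.MustCompile(`(?i)\b(?:dob|date of birth|born)\b[^\n]{0,20}?\b\d{1,2}/\d{1,2}/\d{2,4}\b`)},
}

// ScanOutgoing checks subject and body against the guidance in the thread:
// no SSN, no date of birth, no patient name and no "first name, last initial"
// shortcut. An MRN by itself produces no finding.
func ScanOutgoing(subject, body, patientName string) []Finding {
	var findings []Finding
	parts := []struct{ field, text string }{{"subject", subject}, {"body", body}}
	fullName := strings.ToLower(strings.TrimSpace(patientName))
	names := strings.Fields(fullName)
	shortcut := ""
	if len(names) >= 2 {
		shortcut = names[0] + " " + names[len(names)-1][:1] + "." // e.g. "mary s."
	}
	for _, part := range parts {
		for _, p := range identifierPatterns {
			for _, m := range p.re.FindAllString(part.text, -1) {
				findings = append(findings, Finding{part.field, p.kind, m})
			}
		}
		lower := strings.ToLower(part.text)
		if fullName != "" && strings.Contains(lower, fullName) {
			findings = append(findings, Finding{part.field, "patient-name", patientName})
		} else if shortcut != "" && strings.Contains(lower, shortcut) {
			findings = append(findings, Finding{part.field, "name-shortcut", shortcut})
		}
	}
	return findings
}

// Allowed reports whether the message can go out over regular email under
// this policy, i.e. the scan produced no findings.
func Allowed(subject, body, patientName string) bool {
	return len(ScanOutgoing(subject, body, patientName)) == 0
}

func main() {
	// Constructed sample messages about a fictitious patient.
	bad := ScanOutgoing("Lab results for Mary Smith",
		"SSN 123-45-6789, DOB: 04/12/1985. Results attached.", "Mary Smith")
	for _, f := range bad {
		fmt.Printf("blocked: %s contains %s (%q)\n", f.Field, f.Kind, f.Match)
	}
	fmt.Println("MRN-only message allowed:",
		Allowed("Follow-up: MRN 00123456", "Please review the attached encrypted file.", "Mary Smith"))
}
```

The scan is a guard rail, not a substitute for a secure email application: it catches the slips the answer lists, but it cannot know every way a message might identify someone, which is why the thread's underlying advice is still to encrypt anything carrying PHI.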

  95. My question is and I cannot seem to find an answer anywhere, if I DO NOT give my doctor(s) permission to put my lab results or office visits on the Internet is it still out there? Are they putting it on the Internet anyway? I have received an email on occasion from one of my doctors stating if I open it, I will have access to my visits and lab work at their office. I don’t open them, but I do wonder if someone else can.

    1. It is unlikely that your information is “being put on the internet”. It is more likely you are being asked to visit a patient portal where, once you sign in and set up your access, you can view things like lab results and office visit summaries that reside in the electronic health record system your doctor is using. You may want to call your doctor’s office and ask about the emails you are receiving, and what happens when you open one. Of course, if you open an email that was not sent with a secure email application and you find your medical information in the email, you should immediately contact the doctor’s office.

      We strongly recommend doctors and other health care providers not send health information via “regular” email since it is subject to interception. Using regular email to invite you to access your information via a patient portal that is part of an electronic health record system is ok.

  96. My concern is about my employer. I have a secretary to email a completed healthcare provider to others within my department… is this a HIPAA privacy violation?

  97. I have been having billing issues with a hospital. I have identified many errors on their part, mostly significant overcharges, but also several minor errors, one of which resulted in insurance denial of coverage until corrected.

    In getting these errors resolved I have had a single point of contact, but it is clear from information I have received from that person using their secure email portal that there has been a LOT of internal email and meetings discussing my case. The nature of the internal emails and any notes taken by those in meetings would necessarily contain protected health information since that would be required to resolve the errors.

    I have requested copies of their internal emails since they are being maintained as part of my billing records, all of which contain protected health information.

    I have just been informed “because internal organizational emails are not part of the medical record, that will not be produced as part of your medical records request.”

    But it is my understanding that HIPAA defines protected health information as ANY record which includes both patient identifiable information and any information concerning the treatment of the patient. All of these “organizational emails” would necessarily contain both.

    Can they deny me access to these “organizational” emails? It would seem to me that allowing them to decide what to release and what to withhold would be subject to their internal self-serving definitions rather than the broad HIPAA definition of what constitutes a medical record.

    My goal is to determine how the billing errors were resolved, and whether they were in fact resolved correctly. All I have received to date is very confusing listings of charges with items listed as negative quantities, and new charges to replace the ones removed with corrected amounts.

    Note the amount of the total overcharges was substantial, in excess of $13,000, and would not have been caught except for my believing the amount billed seemed excessive, my obtaining line item bills which were clearly wrong, and repeatedly following up with the hospital to get corrected bills.

    Is the hospital on firm ground in their position of “organizational emails” not being part of my medical record?

    Can you point me to a clear definition of information that is NOT subject to release based on patient request due to how the hospital categorizes internal documents as being exempt from HIPAA?

    1. A couple of general points:
      1) All PHI is not necessarily medical records information. For instance, covered entities like insurance companies create and maintain PHI, but that information is not part of any medical record.
      2) Hospitals and other providers accumulate PHI that is also not part of a medical record. For instance, billing information is a form of PHI, but it is not considered part of a medical record.

      Ultimately, state laws usually define what is considered part of a medical record, and therefore subject to release. In any case, it is not surprising that the hospital is saying their internal emails, while containing PHI about you, are not part of your medical record, and not subject to disclosure per your request. You can check your state’s definition of medical records information to see if the information you are seeking may be part of the medical record definition, but don’t be surprised if it isn’t.

      1. OK, if it is not required to be furnished as part of my medical record, can I assume it would be available by legal process such as a subpoena since it is for use in investigating proper billing procedures?

        This hospital has done a horrific job of accurately billing on two separate dates, and I strongly suspect that there was an effort to cover up major errors that I would like to expose. My goal is to get them to fix their system for all, not just my bills, since the insurance company PAID the overcharge without question until I investigated the line item billing and found the errors.

        THEN after submitting corrected claims I had to intervene before they repaid the insurance company and they STILL have not sent me an invoice for my coinsurance. While not ‘medical records’ in a strict sense, don’t I have a right to receive accurate and prompt responses to inquiries and don’t THEY have the responsibility to be transparent in their actions to address their serious internal billing errors, and a duty to deal with insurance companies honestly?

        1. We can’t speculate about the use of a subpoena in a legal case. Many hospitals publish patients’ rights, so you might look on their website for such a list and see if/how it addresses information about billing and transparency. If you think the insurance company has paid the hospital the wrong amount, you should contact them. The insurance company should also be able to give you an explanation of benefits that shows what you owe the hospital for your care.

  98. I work at an eye dr’s office. We have a company Gmail account we all use. I emailed my boss about a scheduling issue. I included the patient’s first and last name only (no date of birth). I explained the pt had a red swollen eye. She pulled me aside and said it was a HIPAA violation. Is this true?

    1. There are several factors at play here.
      First, although it is minimal information, a patient’s name and the fact that they are receiving treatment for a condition like a swollen eye, from a specific provider, could be considered PHI.
      Second, you describe the Gmail account as one you all use. Including PHI in an email accessible to everyone in the office may violate the minimum necessary standard: you must disclose only the minimum information necessary and only to those who have a need to know it.
      Third, it is not clear if your boss’s email address is also a Gmail account. Google maintains that emails sent from one Gmail account to another are encrypted. Providers may choose to rely on Google’s assertions on that issue, and include PHI in their emails, but it is doubtful Google will defend you if an email is intercepted and the information is disclosed to someone not entitled to have it. While it is unlikely any particular email would be intercepted and PHI disclosed to someone not authorized to obtain it, the risk is not zero. That’s why the OCR advises providers to get an informed consent (meaning patients understand the risk of disclosure of information in an unencrypted email) before authorizing a provider to communicate with them about their medical care via email.
      Fourth, using shorthand methods to identify patients, such as initials, carries the risk of mis-identification of the person whose information is contained in the email. Use of a unique number to identify the person to whom the information applies is much safer.
      We recommend you have a discussion in your office about communication via email, getting patient permission, adopting a secure email application, etc., and do your best to protect the privacy of your patients’ PHI. That is, at bottom, what HIPAA requires.

  99. Hello,

    I was having trouble getting a prescription filled with a new benefits package offered by my employer. Prior to that, there was an introduction meeting with HR describing the prescription plan.

    Trying to get my script filled, I ran into problems with the new prescription plan. After a few weeks I reached out to HR, and they said they have a third party that deals with prescription problems and he would email me the contact. I soon received an email with the contact person and called. Weeks had passed and I saw the HR person, and he asked how things were going. I sent him a copy of an email describing my doctor’s frustration; included on the email chain were the HR director, an HR staff member and the third-party person. HR responded and said the third-party person is off today.

    At the end of the day a second third-party person responded to the email chain stating I should call the pharmacy and listed the number along with the medication I was trying to get filled, hence telling my employer the medication and doing the exact opposite of what they were hired for. I wrote her back and said thanks for violating my HIPAA rights; she then sent an email recall, which failed. We are using Microsoft Exchange server at work and I read that recalls don’t work if the person is not on the same server.

    The third party then wrote me privately stating she did a recall and said she was sorry. Then I asked what was happening with this HIPAA breach and what was being done. HR wrote back and said the email was recalled so no information was compromised.

    I asked if he had seen or viewed the email. He responded and said any email, seen or not, was deleted or removed.

    What should they be doing, as my condition is an ADA illness and also not something I want to be prejudiced with from my coworkers?

    What should I be doing and what should they be doing?


    1. You are experiencing firsthand the pitfalls of using email to discuss medical information that you want to share – but selectively. It can be construed that by initiating an email with the information you furnished, you agreed the other party could utilize email to further correspond about your request. And if the only PHI discussed in the email was PHI you furnished, it is not a HIPAA violation by a covered entity.

      What you should do is inform the third party prescription management company that you no longer want to send or receive any emails to or from them about your medications, and let them know how you want to receive communications, e.g., by phone, by mail, etc. You should also ask the HR department to delete copies of any emails in this chain, and to not use email to communicate with you about PHI or your medical condition(s).

      A recalled email does not mean that the contents could not have been intercepted and diverted prior to the recall. However, if the only information in the emails was originally furnished by you, then arguably there was no unauthorized disclosure of PHI that was created or maintained by a covered entity. Of course, you can also lodge a complaint with the Office for Civil Rights, the HHS agency that investigates unauthorized disclosures of PHI. If they think your complaint has merit, they would contact the entity which has your PHI and ask for an explanation. They may take a different view than we are here. In any case, good luck!

  100. At our office there are multiple members working on the same accounts, but we work different shifts. At the end of the day we leave a list on our desk with account numbers only to let our co-workers know which accounts have been worked. Is this list of account numbers by itself, with no other PHI a breach of HIPAA? We are in a closed office with rare visits from other hospital employees or patients.


    1. Account numbers on a piece of paper are probably not in and of themselves PHI. One question would be: is there some other method for you to leave such a list that is more secure than a piece of paper on a desk, e.g., a file in a shared electronic system?

  101. Are you familiar with the VA MyHealtheVet program? A military veteran VA patient can sign up for this program and it can allow them the ability to print off certain medical records as well as allow them to ‘securely message’ their medical care team. I have a problem with this program and feel there is a violation, as a non-medical person, I found out, is able to actually view what I thought was private communication between my medical team and myself, under the ‘guise of forwarding to the correct person.’ I was told that the terms and conditions state “secure messages may be screened by admin staff before being forwarded to a health care provider.” WELL…call me crazy, but if I am messaging my team directly, WHY is this person looking at my emails to my doctor!?

    1. We are not familiar with the VA’s MyHealtheVet program. It sounds like a useful tool for military veterans utilizing VA treatment facilities, but obviously the terms and conditions are making you uncomfortable about using it for information you only want communicated to your medical team. You might ask them at your next visit if there are any options you can utilize to achieve the level of confidentiality you are seeking.

  102. Jim,

    I really appreciate the information that you share. I have a few questions.

    1. Can we send ePHI to a patient via unencrypted e-mail if they sign a form saying that they accept unencrypted emailed ePHI? The reason I ask is we really don’t want to e-mail any ePHI, but if a patient demands it could we then state it would be at their own risk?

    2. Does encrypting e-mail mean using a system that will encrypt it via key, and the recipient’s end will need access to the key (or password, however we have it set up)? Or if you’re sending it via Outlook OWA over HTTPS is that encrypting it?


    1. 1. We always encourage providers to be the knowledgeable party when it comes to email and PHI. You should get a patient’s preferences/consent on several communication methods, including email and leaving messages on answering machines, for instance. We recommend you advise patients unencrypted email can be intercepted and read by other parties. If they agree that you can use it, then you have given fair warning about the possible issues related to it.
      2. Encryption can be on multiple levels.
      a. Sending an email with PHI via an encrypted channel like https makes it unlikely it will be intercepted and viewed when it is sent. Of course, that does not protect against making a mistake in the address, or someone at the correct address, other than the patient, getting the email and looking at the PHI.
      b. Encrypting attachments with PHI provides more protection since a password (or key) is needed to open the file. There are several ways to accomplish this. You can use a pdf application to password-protect a document file. You need more than a reader application however to do this, but the person on the receiving end may still be able to open a pdf file with the password. Always send the password in a separate email, by the way. You can also download and install free encryption software, but the recipient of the email has to have the same application, and you still have to send them the password for the file.

      We don’t know enough about Outlook OWA to say if it is suitable for sending PHI, or not.

    1. A person’s initials would not usually be enough to identify him or her, so it is most likely not going to be considered an unauthorized disclosure of PHI. Of course, depending on how much other information you are including about the person and the possibility of the email going astray or to the wrong person, it is always possible that the initials are enough to guess the identity of the person whose PHI you are discussing. In any case, it is also possible to confuse the intended recipient of the email about whom you are really talking about, since many clients may have the same initials. Using a unique identifier number would be a better solution, if there is one associated with the client. Or better yet, invest in an encrypted email application and sleep better at night!

  103. I am deaf and rely on email for communications with my audiologist. She claims she cannot respond by email due to HIPAA laws. If you are deaf, I believe it falls under the category of “special considerations.”

    1. Sharon, HIPAA regulations do not prohibit the use of email to transmit Protected Health Information, but you should know it cannot be considered secure. When patients want to use email to communicate with physicians, we recommend the physician get an informed consent for use of that method of communication. This means recognizing that the use of non-encrypted email cannot be considered secure, and deciding to accept the risks of possible unauthorized disclosure anyway.

      I hope this helps!

      1. I work for a BA that works with patients. Is it permitted to forward PHI in an email to a Next of Kin or other individual email address at the patient’s verbal request or is written authorization required?

        1. First question is, what does BA stand for in your context?

          We recommend you get documentation whenever possible of a patient’s desire to receive emails with PHI, and to have those emails also shared with others such as next of kin. You could do this by sending an email to the patient noting that he or she has asked you to share Protected Health Information with the next of kin (and name that person) at a specific email address. Ask for confirmation that this is the patient’s desire, and that he or she understands that unencrypted email cannot be considered secure. Assuming the patient responds affirmatively, then you have your authorization.

    1. Please keep in mind that we are not attorneys, so this discussion may not be what you would hear from a licensed attorney. A private claim of damage or damages would be a claim brought by an individual who has suffered some wrong (or tort). Patients whose protected health information has been disclosed to a third party in violation of HIPAA cannot sue to enforce the HIPAA laws themselves. Only the government can enforce the laws and regulations. Such persons may still have a claim for damages to their reputation, or other damages (loss of job, for instance) if their PHI is disclosed without their authorization to someone who was not authorized to have it.

  104. Jim, I work at a Healthcare sharing ministry. It is basically like a reimbursement program and your article was a great help in understanding the HIPAA compliance. I was just wondering if it is a breach in HIPAA compliance if we request members’ medical bills and receipts via email or via text message for convenience? Thank you in advance!

    1. It is not a HIPAA breach if the patient agrees to send such information via email. We recommend getting the patient to sign a consent form agreeing to the use of email to send medical information such as bills/explanation of benefits, acknowledging unencrypted email is not a secure method of sending information. We do not recommend attaching documents to text messages since it is much harder to maintain a record of having received the information via text.

      If people do not want to use email, have them send information via fax or snail mail. Good luck!

  105. Hello! I am part of a third party organization hired by hospitals for billing purposes. I am reaching out to see if you have any information regarding the hospital passing on patients’ email addresses to be used by our third party for initial patient contact. There would be limited amounts of PHI attached to the email, including the patient’s name, account number, and the hospital they were a patient at. We do have a signed Business Associate Agreement with the hospital, so I’m trying to figure out what sort of rules/regulations are in place for us, as a third party, using that information to contact the patient. Thank you!

    1. Lindsey, we take a conservative approach to email and PHI, no matter how minor in the eye of the provider (or one of its business associates). Associating a person as having been a patient at a hospital may be a major issue in the eye of the patient – and it is their viewpoint that matters. As we pointed out in blogs on email, it is best to have the consent of the patient to include any PHI in emails. At best, an initial email should be very brief, inquiring if the patient is willing to use email to correspond with your organization, which is working on behalf of the hospital.

  106. My child’s teacher called her dr trying to get info without our permission. Is this breaking the HIPAA rules?

    1. Teachers are not usually employees of covered entities (health care providers, insurance companies, etc.). They cannot violate the HIPAA regulations since the regulations do not apply to them. A physician who releases information without your authorization, unless the release is permitted under the HIPAA regulations, would be violating HIPAA and making an unauthorized disclosure. In most states, physicians are required to report things like suspected child abuse, but those reports go to law enforcement officials, not education officials.

      I hope this helps answer your question.

  107. A provider reaches out to another provider saying this patient wants to learn more about the study. Either the provider can send the demographic info via email or tells the other provider to look at the phone number via medical records, although that provider has not ever worked with that patient, rather looking up demographic info for a potential study candidate. Is that a HIPAA violation?

    1. Laura, we do not recommend sending demographic information via email (unless it is encrypted) since it is subject to interception and diversion. It is not entirely clear what the relationship is between the providers, or how the second provider can access the patient’s information directly. In any case, we think a referral from one provider to another for the purpose of evaluating a patient for participation in a research study fits into the category of sharing PHI for purposes of treatment, payment or operations. Therefore, it is not a HIPAA violation.

  108. HIPAA violation with email and phones. What are the penalties if a client’s name is in an email? What can happen with a violation like this?
    Let’s say at work, I email one of my co-workers a treatment plan and it has a client’s name on it, and I can still access that email at home, because I have the app on my phone. I can also get my emails on my computer at home because I can log into my account from my computer at home. What’s the difference in the violation? I can still see the treatment plan with the client’s name on it.
    Also, isn’t it a violation to have our email connections on our phones, and having them with us, out in public and at home, answering our phones that speak through the airwaves?
    Is it a violation to send things to your personal email at home, and if so, isn’t it just as bad if we have our phones and our email on our phones that is connected with work? So that is confusing to me, not allowing you to send them to your personal email, yet I can get my work email at home on my phone or computer. What’s the difference? And what kind of violation is it, or what is the penalty for it? I just want to protect myself.

    1. Jean, it is not a HIPAA violation, per se, to send PHI (like a treatment plan) via unencrypted email. It is highly inadvisable, however, since if the email were intercepted by someone to whom it is not addressed, you (or the organization you work for) could be found to not be protecting the privacy of a person’s PHI. This could be true if your organization had no policy on encrypting email, or if they had a policy and employees ignored it. It is also advisable to get patient consent for using email to communicate with patients, or between staff members about patients. Of course, it is best to use an encrypted email application for sending emails with PHI in them.

      The same principles apply whether you are getting email on your phone or your home computer. If you receive an email with PHI at home, or on your phone, you should protect access to your phone or home computer so if your phone is lost or your home computer is stolen, the thieves cannot get to your email or files without getting through a strong password, or even a facial recognition access method.

      If you google “encrypted email applications”, you will see lists of the “best” applications of 2018 and even some free encryption applications that you can download. Keep in mind, encryption has to be done by the sender, not the receiver.

      And don’t forget about texting. SMS texting (the most common kind), cannot be considered secure for purposes of sending PHI. There are also applications that will encrypt text messages, if those are used routinely for sending PHI.

      Finally, I don’t think talking about PHI on the phone leaves you at risk, unless your phone is tapped by someone. Of course, discussing PHI on the phone in a setting where bystanders may figure out who you are talking about is not protecting the privacy of PHI, either.

      Good luck and we hope this helps!

  109. I worked for a young woman who cannot get my work encrypted email set up with our corporate office for one reason or another. She has begun sending confidential medical plans to my private email. I have spoken to her about my concerns regarding security, but she assures me that this is not an issue. Neither the clients nor the parents are aware that these documents are being forwarded to private email addresses.

    Is this a violation?

    1. Sarah, you don’t define what a “medical plan” consists of, but let’s assume it contains Protected Health Information. The HIPAA regulations require covered entities to protect the privacy of PHI. Organizations (or individuals) that fail to do so can be fined or even prosecuted by local district attorneys. Prosecutions usually only happen when violations are egregious, like selling PHI. These days, the Office for Civil Rights (OCR) in the US Department of Health and Human Services has been known to fine organizations that engaged in unsafe practices, even where there was no evidence that PHI was intercepted or received by a person not authorized to receive it. It just wasn’t protected sufficiently to minimize the risk of an unauthorized disclosure.

      In this case, if we were investigating the situation you describe, we would consider it to be a potential breach. This is because non-secure email cannot be assumed to have never been viewed or intercepted by an unauthorized party. However, in doing a risk analysis, we might also conclude this is a low-risk event since the information was sent to someone entitled to receive it (you), and there is no information indicating it could be retained or redistributed by any other party. But that only works for the first time it happens! If an organization continued to send PHI using non-secure or unencrypted email after an investigation of the first incident, they could very well face sanctions by OCR for willfully continuing a practice that does not protect the privacy of PHI.

      There are other options the person emailing information to you could use. She could encrypt the file itself and then email it to you. There are several free encryption programs available that the two of you could use to send/receive files sent using non-secure email. You just have to send the password in a separate email. If the medical plans are pdf documents, those can be saved as a secure document, which encrypts them as a pdf. Again, you would need to send the password separately.

      You may want to contact the Privacy Officer of your organization, anonymously or personally, to let them know about your concerns. Good luck!

      1. My brother has a medical clinic and he wants to make sure that all of the records are organized. It was explained here that there is software that ensures the privacy of the records. Furthermore, it’s recommended to go to trusted businesses when considering using HIPAA software.

        1. Saraih, you don’t mention if your brother’s medical clinic records are in electronic form (like an electronic medical record) or on paper. In any case, there is no software application that “ensures the privacy of the records”, or so-called HIPAA software. The unauthorized disclosure of any Protected Health Information (PHI) maintained in an electronic record (or paper record, for that matter) can happen if staff do not observe the policies of the clinic with respect to protecting the privacy of the PHI in the records. Electronic medical records systems are designed to accumulate and maintain the medical records of patients. They also should control access to staff members who need to utilize the information. But the systems to control access can be defeated by “phishing” emails to staff who may not even realize they are revealing information that allows a hacker to gain access to information using the staff member’s own logon credentials. Software cannot be “HIPAA compliant”; only covered entities (like medical practices and hospitals) can be HIPAA compliant. They do that by using software that is part of the electronic health record system and includes provisions designed to control access to PHI, and they train staff to avoid things like opening emails from someone they do not know, sharing their passwords, etc.

          I hope this helps you understand the HIPAA environment and requirements a little better!

  110. Hi Mr. Cook. I have a question. If I sent an e-mail to my Dr./LPN regarding my leave of absence information, including a document with my case info on it that also includes my case ID, and they forwarded it to the manager of the clinic without my knowledge, is that considered a HIPAA violation?

    1. Barbara, you don’t specify if the clinic you are referring to is the place where you work, or the clinic where the Dr./LPN work. It is also not clear what the case info you reference includes, or who issued your case ID.

      If the Dr./LPN shared the information with a clinic manager where they work, that would be unlikely to be a HIPAA violation since protected health information (if that’s what was in the document you mentioned) can be shared internally for treatment, operations and payment reasons.

      If the information was shared with a manager where you work, then there are additional considerations. For instance, if this is a worker’s compensation case, and the Doctor you saw was completing a doctor’s first report for an illness or injury you suffered, it would be appropriate to send such information to your manager. If the information was PHI about some other issue, then it’s possible it should not have been shared with your manager.

      You should check further into the nature of the information, and possibly ask for the name of the Privacy Officer at your doctor’s office to help you sort this out.

  111. A patient emailed me a letter that she wrote and asked me to fax it to the number she gave me. Is that a HIPAA issue? I had permission from the patient and she emailed it to me.

    1. Tina, you don’t specify if the letter contained PHI, or where she wanted it faxed. If it did not contain PHI, then there is no HIPAA issue with faxing it. If it did/does contain PHI, and you had her permission, by virtue of her request to fax it somewhere, then we do not see there is an issue with respect to HIPAA. You should keep a copy of her email and the letter in her chart (or some other file, if you don’t think it belongs in a patient chart) for future reference, in case there is a question about why you did it.

  112. If you send an email to a doctor and mark it Personal and Confidential, should the doctor read it first before any of the staff read it?

    1. You have put your finger on one of the many issues surrounding the use of email for communications between patients and physicians. Physicians who are sending email, especially email containing protected health information of patients, to a patient’s email address don’t know if other persons, e.g., family members, have access to that email account, also. And patients sending information they want to be treated as confidential only to the physician have no idea if some or all of the information in an email will only be viewed by the physician. And of course, email sent from one server to another cannot be considered secure since it is subject to interception as it moves across the wires.

      The best thing to do is to understand the risks of using email in your communications with physicians. Ask the office who has access to email directed to the physician. If the physician has a portal as part of its electronic health records system, ask who gets messages you leave for your physician in the portal. Ask if the office has a secure email application you can use to send email to your physician. Secure email applications protect the contents of your email when you send it from one address to another. If you are still concerned with limiting the information you are sending to the physician, send it via regular mail, marked personal and confidential, and verify mail addressed like that will go to the physician first.

      Good luck!

  113. Is it against HIPAA to fax medical records to another provider within the same company, but not for treatment purposes, simply because the fax machine is broken? Please advise.

    1. Rebeca, faxing records from one provider to another for purposes of treatment, operations or payment is permitted under HIPAA. It is not clear why a broken fax machine resulted in faxing the records to another provider, but unless it was done as part of an unauthorized disclosure to someone who did not need the information, it is probably not a HIPAA violation.

  114. My employer would like to start emailing bills. The bills now include the patient’s name and address along with the date and the procedure that was done. Does this have to be sent via encrypted email?

    1. It sounds like the information in the bills would include PHI. When emailing PHI, we recommend a couple of different approaches:
      1) Get permission from the patient to email the information using a “regular” email application. Home email addresses patients may use can be shared, and there is no blanket exception to revealing PHI to other family members. Some patients may use business email addresses, which are always subject to access by an employer. Don’t use email if the patient objects.
      2) Use a secure email application which will encrypt the PHI, and confirm the email address the patient wants to use to receive bills.

      The obligation of a covered entity is to protect the privacy of patients’ protected health information. If your employer was subject to an investigation because the use of email resulted in an unauthorized disclosure, he or she could be judged to have not protected the privacy of PHI, and fined.

      1. I am visiting the website of a medical practice and they have a “Request an Appointment” form on the site asking for first name, last name, email address, phone number, and a ‘message’ text box. Presumably, this information gets emailed to the practice and they will email or call to arrange an appointment or answer questions.
        Would the contents of this form be considered PHI? I would suggest “no” because I am not a patient of the practice (yet) and there is no medical information being exchanged. Is that right?

        1. Dave, you are right that the information you describe would not be considered PHI at the stage of entering it on an information form since it is not medical information created or maintained by a covered entity like a medical practice. Some people do add things about the reason they are seeking an appointment, which may be medical information. That is not an issue since a patient can disclose their own information at their discretion. Typically these types of information forms are available on “https” channels, so the information is encrypted in transit.

          I hope this helps!

          1. It does help very much – thank you Jim! This is a tremendously helpful website and Q&A. Thank you for putting in all the time to maintain it.

  115. My customer had my email address in her out of office message. Their daughter’s doctor’s office saw my email, and sent me the daughter’s note to get out of school. I know that the daughter is under the age of 18. When I sent it back to them stating that they emailed the note to the wrong person, the doctor’s office continued conversation and informed me that they weren’t able to reach my customer or her husband and asked me to forward the note to the husband. Is this out of HIPAA compliance?

    1. Well, it depends on exactly what was in the get-out-of-school note. The more information on the reason for the absence, e.g. the condition of the daughter, the more likely it is to be protected health information. For some people, just the information that someone is visiting a doctor of a certain specialty is information they want kept private. Even if the information in this case was not PHI, this is certainly a poor practice on the part of the doctor’s office. We encourage doctors and patients to specify the methods they want to use for communication besides phone calls and US mail. Sounds like that could be a good suggestion for your customer.

      1. I have a question.
        If my employer sent my co-worker an email with my personal information regarding my FMLA, is that considered a HIPAA violation? Can I file a complaint, or even a lawsuit?

        1. Personal information created or maintained by an employer is not necessarily Protected Health Information. Unless your employer is a covered entity (hospital, physician, insurance company, etc.), and the information about you was created and maintained as part of the employer’s role as a health care provider, it is not PHI. Even if it is PHI, your employer may have a legitimate reason to share it within the company for company purposes. Here is a link to the HHS.gov website that addresses the issue. https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html

  116. My sister-in-law was recently an inpatient. A PET scan was ordered for her to schedule on her own. I work for the hospital where she was admitted. Due to the nature of the test and a new, very upsetting diagnosis, she asked me to schedule this for her. She asked the nurse to fax the Rx for the PET scan to my secure fax so I could get this scheduled. The nurse refused, stating it is a HIPAA violation. My sister-in-law said, “I am giving you permission to fax it.” The nurse refused. Would this have been a HIPAA violation? I came to the hospital and my sister-in-law handed me the order.

    1. Information sent via fax is generally not considered to be subject to interception the way information in an email may be. However, many fax applications are now web-based, so the information goes out through a server just like an email. While it is not a HIPAA violation to fax the order somewhere, it is also true that the nurse in this case may not have been as assured as you are that the information was going to a secure fax, and it is also true that mistakes happen when humans are entering phone numbers into fax machines. Many unauthorized disclosures result from faxing information to the wrong number. It may have been inconvenient for you to come to the hospital to get a copy of the order (and why wasn’t someone on the hospital staff arranging the appointment anyway?), but it is not uncommon for staff to be conservative about sharing PHI that way. Of course, it is easier to say it is a HIPAA violation than to explain the possible risks of faxing information as I have noted above.

  117. How would this play in for an active duty service member having their record sent from a Medical treatment Facility to their Claims representative with the VA or Veterans of Foreign Wars (VFW) Rep? I am trying to have it e-mailed over across government encrypted e-mails (one is a .gov and the other a .mil) which both entities have. The treatment facility refuses to send my record to this entity even upon my request. Any help including some sort of reference to show them would be helpful. I have been looking up the official documents for hours with no real hard evidence stating this is approved.

    1. Chris, we can’t verify the situation of encryption of emails from one government domain to another, nor do we know why or if the medical treatment facility has a policy of not emailing treatment records to you or anyone else. Here is a web address where you may be able to find more information about how military medical facilities protect your PHI, and who you can contact within the Defense Department for assistance. In the civilian world, many times medical providers simply say they cannot send PHI electronically, when in reality they just don’t want to bother figuring out if sending the information would be permitted or not. Try contacting the Privacy Officer mentioned in the link for more definitive information. https://www.health.mil/Military-Health-Topics/Privacy-and-Civil-Liberties/HIPAA-Compliance-within-the-MHS. Good luck!

  118. I am wondering if it is legal for a car insurance company to send out a list of every one of his clients’ email addresses to all of his clients without their permission.

    1. Theresa, information like email addresses that a car insurance agent has and distributes to all of the addressees without permission may be covered by state privacy laws. You could research the state privacy laws of your state to see if email addresses are considered private information that may not be disclosed without permission. Good luck!

  119. I have a question about HIPAA regarding a dentist refusing to email bills to me. The name of the dental group is Bright Now Dental, located in California. They never gave me a copy of the bill at the time of services rendered. I had 2 crowns replaced & deep cleaning for $1,967. I asked them to send me an EMAIL copy of my BILLS; they said NO because of the HIPAA LAW Compliance. I read your website but I think it is perfectly legal because I already sent Bright Now Dental copies of my dental X-rays from another dentist. I believe they are in VIOLATION of the HIPAA Law & are just using it to forestall my claim that they OVER-CHARGED me. Many medical providers blame everything on the HIPAA Law these days. It has become a CATCH ALL for everything.

    1. Paul, you are right that many medical providers refuse to use electronic methods to communicate with patients, claiming it is a violation of HIPAA laws and regulations. Of course it is not a violation, per se, but we do urge patients and providers alike to be cautious about the use of electronic communications like email, and to understand the risks. Unencrypted email cannot be considered secure, so we encourage providers to get written consent to use unencrypted email when they are sending protected health information, which includes things like detailed bills, to patients. Or they can use encrypted email applications which encrypt the information during transit across the internet.

      You do have a right to request that a provider communicate with you in alternate methods, in this case via email. You can send such a request to the dentist’s office, attention to the Privacy Officer. The dentist at least must consider your request. If you don’t get an answer, you can complain to the Office for Civil Rights of the Health and Human Services Department.

      You might also ask for a copy of your bill via mail, and send a complaint to the California Dental Board if the dentist refuses to give you a copy of the bill.

      Good luck!

  120. Yes, I have a problem with LabCorp, who did my blood work. They told me that they do not have to prove to me that that is my blood and that those are my results. Can you please clarify the HIPAA law for me, something that I can show them to show that they absolutely have to show me how they know that’s my blood and that those are my results? They also have my blood from a year or two ago, so they should be able to test the markers and show me that the results they gave me are from my blood. Will you please email me the HIPAA law so I can take it to them and make them show me that that is my blood and those are my actual results? My email address is jimmybentley0@gmail.com. My name is James Bentley. Thanks for your consideration.

    1. James, HIPAA covers the regulations describing how Covered Entities, e.g., a laboratory, have to protect the privacy of your protected health information, your medical records for short. The regulations do not have any provisions for requiring laboratories to furnish proof that the blood they collected and analyzed was actually yours, and the results are the results related to your testing. HIPAA gives you the right to request copies of the reports of the testing they have done recently and in the past. Here is a link to the regulations that you can explore: link

  121. Can an HR employee for a professional sports organization access players’ (other employees’) emails to send an athlete survey for their own personal MBA research study?

    1. A professional sports organization is not a Covered Entity under HIPAA, so the only thing that would apply is any internal policies on the use of names, addresses, email addresses, etc. by staff for official or unofficial purposes. I would think getting permission to use the email of players for a personal project is the minimum you would do.

  122. If I send an email with the subject “For Dr. Torres Only” and I get an email response from Dr. Torres’ nurse, would this be considered a HIPAA violation?

    1. Tony, this is unlikely to be considered a HIPAA violation. You don’t mention the email address you used to send the email, but it would not be uncommon for emails that come to a physician’s office to be screened by a staff member prior to being read by the physician, or for physicians to direct staff to answer an email. You may want to ask Dr. Torres if there is a way for you to communicate with him alone, and not have your email (or “snail” mail) read or opened by the staff first. In any case, covered entities like physicians have wide latitude to share protected health information for treatment, payment or operations purposes within their own organization. Fortunately, most office staff are aware of the requirement to maintain the confidentiality of patient information, too.

  123. Hello:
    I didn’t find any rules for HIPAA when you are sending a patient’s name and birthday ONLY and within the office.
    For example:
    If I found that the name or birthday is wrong and we need to correct it.
    Can you please explain this to me?
    Thank you so much!

    1. Rosa, the definition of Protected Health Information includes:
      “Individually identifiable health information” is information, including demographic data, that relates to:
      • the individual’s past, present or future physical or mental health or condition,
      • the provision of health care to the individual, or
      • the past, present, or future payment for the provision of health care to the individual,
      and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

      So name and birthdate are common identifiers that could be used to identify a person. However, by themselves they do not constitute PHI, unless something about the provider the person is seeing can be inferred from where the email comes from, e.g., the name of the practice.

      In any event, if you are sharing a name and birthdate within the office by email, and the email message is contained within a server for office email, I do not think you would be accused of not protecting the privacy of even that minimal information. If the sharing via email goes to email addresses that are not within the office, that could be a different story.

      We hope this clarifies the situation for you!

  124. Hello there, I have a question about sending out an email to patients about an Open House Event. The email itself is not concerning their individual medical health but is an invitation. Does this violate HIPAA laws?

    1. We don’t think an email from a provider about an open house would result in a finding that the provider is not protecting Protected Health Information, BUT we do recommend you send it so that the email addresses of all the other invitees are not visible to each other. We have seen situations where patients objected to other people knowing they were a patient at the provider after receiving a mass email. While it’s true anyone who came would be seen by other patients, people also have the right not to come if they are very sensitive about the issue.

  125. I have been using The Einstein portal to message my doctor for the past 4 years or so. She has left the practice and now none of those emails are viewable to me. All of the documents I uploaded and had dropped off to my doctor at the office that she uploaded are no longer on there. Could someone please explain if this is legal? It’s bad enough that the new practitioner is non-responsive to any forms of communication, I have no way of knowing if this is A.) legal or B.) how to access the documents and my messages to bring to my new doctor.

    Any help would be appreciated.

    1. Kerri, I am going to assume the Einstein portal you are referring to is the patient portal offered by Einstein Healthcare Services (EHS) in Pennsylvania. If that’s the case, and if your new doctor is also part of that network, you should ask the new doctor (or his/her office staff) how you regain access to the information you have previously supplied. If your new doctor is not part of the same network, you may have to contact the Health Information Department (Medical records) at EHS to get a copy of your medical records to take to, or be sent to, your new doctor. You can also contact the Privacy Officer of the organization to help with getting access to the information you are seeking.

      The medical records a physician creates, including information/documentation furnished by a patient that are entered into the medical record, are, in most states, the property of the physician (or physician group). You are entitled to a copy of the records, but you have to follow the procedures the physician has to obtain a copy. These days, messages from patients are usually included in the medical record, but not always, so that specific content may not be available to you.

      The Einstein Healthcare Services website has several links under the Patients and Visitors tab where you can find phone numbers for the Medical Records and Patient Advocates offices. That would be a place to start if you can’t get answers you are seeking from the office staff.

  126. Do patients have the right to obtain emails sent from provider to provider within the practice if their care is being discussed?

    1. If the emails have been incorporated into the medical record, then they are subject to disclosure upon patient request. But there is no requirement to put copies of emails between providers in a medical record. Many physician practices make a record of phone calls and other communications from patients, and the response to those communications. But emails between providers are more like conversations between providers. It is up to the provider whether to include emails from other providers in the medical record.

  127. Question: I want to send all my patients an “I am retiring” email, as a mass email with many emails. If other patient email addresses are visible, is that bad?

    1. Ms. Priddy, whether it is bad or not is not within our purview. 🙂 What we have seen previously were situations where a physician was leaving a practice and sent a mass email to all the patients in the practice advising them of his new practice location. All patients could see everyone else’s email address, and of course, were potentially able to identify other patients as members of the practice. This was very upsetting to some patients, and they let the practice know about their unhappiness. So our recommendation is not to utilize a mass email where everyone can see everyone else’s email address.

      If you are using Outlook, you can send the email to yourself, and put all the other email addresses in the “Blind Copy” (BCC) line. If you are using a different email application, you will have to investigate how to do that in that application.

      Good luck in your retirement!

        1. A finding of a HIPAA violation would eventually be a judgement call by the Office for Civil Rights, which would be the office that would investigate a complaint – if they received one. Only local district attorneys can prosecute an individual for privacy violations under HIPAA. There have been relatively few prosecutions for such violations, and the cases have usually involved egregious violations like identity theft or selling information about celebrities.

          However, people can sue for damages if they can prove damages due to release of protected health information, with some courts using HIPAA as a standard for determining if a provider was negligent in protecting the privacy of an individual’s health information.

    1. Deidra, you don’t specify the type of information you would be scanning, what type of document is being scanned (if it is a form or other document) or how it would help to have it on your phone. We would not recommend scanning anyone’s protected health information, as that term is defined in HIPAA, into your phone. Phones can be hacked, and they are in general a very insecure device to keep PHI, or even just other people’s personal information, in. Also, the usual way to get images off a phone is to text them to another phone, or attach them to an email. SMS texting is not secure, and any PHI being emailed should be encrypted to protect the privacy of the information. You can probably download an application to encrypt files on your phone, but that certainly makes it more complicated to access them somewhere else later. In short, whatever element of convenience scanning brings looks like it is easily outweighed by the complications and potential liability of an unauthorized disclosure of the information.
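Replies 124 and 127 above both recommend sending a mass patient notice so that no recipient can see the other patients’ addresses, since an exposed recipient list identifies people as patients of the practice. The following is an added example, not code from the original page, showing one way to build such a notice in Python and to check the delivered headers for exposed addresses before sending; the sender and patient addresses are constructed placeholders.

```python
"""Mass patient notice that hides the recipient list (added example; not the page's code).

The safe form puts only the sender in To: and delivers to patients as SMTP
envelope recipients, which is what the BCC line in a mail client does. No Bcc
header is written at all, so nothing about other patients survives in the copy
each recipient receives. The leaky form (everyone in To:) is built only so the
check below can show the difference. All addresses are constructed placeholders.
"""
from __future__ import annotations

from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses


def build_notice(sender: str, patients: list[str], subject: str, body: str,
                 expose_recipients: bool = False) -> tuple[EmailMessage, list[str]]:
    """Return (message, envelope recipients).

    Send with smtplib.SMTP.send_message(msg, from_addr=sender, to_addrs=recipients)
    so the patient list travels only in the SMTP envelope, never in a header.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if expose_recipients:
        msg["To"] = ", ".join(patients)   # the mistake replies 124/127 warn about
    else:
        msg["To"] = sender                 # recipients see only the practice's address
    recipients = list(dict.fromkeys(a.strip() for a in patients))  # dedupe, keep order
    return msg, recipients


def visible_addresses(msg: EmailMessage) -> set[str]:
    """Addresses a recipient could read in the delivered headers.

    Re-parses the serialized message so the check sees exactly what goes on the
    wire, including any Bcc header a careless builder might have left in place.
    """
    rendered = message_from_string(msg.as_string())
    fields: list[str] = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(rendered.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def exposes_patients(msg: EmailMessage, patients: list[str]) -> bool:
    """True if any patient address is visible to the other recipients."""
    return bool(visible_addresses(msg) & {p.strip().lower() for p in patients})


if __name__ == "__main__":
    office = "frontdesk@example-practice.invalid"                      # constructed
    roster = ["pat.one@example.invalid", "pat.two@example.invalid"]    # constructed
    safe, rcpts = build_notice(office, roster, "Practice notice", "Dr. Example is retiring.")
    leaky, _ = build_notice(office, roster, "Practice notice", "...", expose_recipients=True)
    print("safe exposes patients:", exposes_patients(safe, roster))    # False
    print("leaky exposes patients:", exposes_patients(leaky, roster))  # True
    print("envelope recipients:", rcpts)
```

Run the check on every outgoing mass notice before handing it to the mail server; if exposes_patients returns True, the message was built with patient addresses in To or Cc and should not be sent.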

  128. Can we send medical records to a patient’s work email address? We usually tell them that we need a personal address as technically their work email is not theirs/not private. But we currently have someone stating that it is her right to have her records sent to her at whatever address she provides to us.

    1. Nikki, the patient is correct that she can request communication via an alternate method, and a covered entity is required to accede to such a request. It certainly is a questionable choice since, as you said, a work email is not private. We would recommend you document the request in your records so if there is any question in the future that it was requested by the patient, you have evidence that it was – even if that evidence is a contemporaneous note you wrote recording the request. Here is a link to an FAQ from HHS.

  129. I was having trouble with my OB doctor, who had me in tears. I emailed my primary care physician about the experience and then asked her a follow-up question about the online test results from my OB.

    I just emailed my OB to ask the status of the referral to a specialist that she was going to look into. Her response was that she read the email I sent to my primary care doctor (both are Kaiser doctors) and I didn’t say very nice things about her so she assumed I would get care elsewhere. Is she allowed to do this? The email wasn’t sent to her. Can a doctor open an email to another doctor just because they share the patient?

    I feel like she breached a huge privacy rule and feel so betrayed by her.


    1. Ms. Clark, it is common in systems like Kaiser, and other large, multi-specialty medical groups to share an integrated electronic medical record, and for communications from patients to be recorded in those systems. This is usually a positive thing since providers can see the evaluations and treatments patients are receiving from other physicians, as well as the communications from patients – no matter the subject matter. It is unlikely an agency like the Office for Civil Rights, which evaluates unauthorized disclosures that are reported by providers or patients would find this to be an unauthorized disclosure under HIPAA.

      A physician assuming that you are seeking care elsewhere, and not following up on your potential need for referral to a specialist is a different matter. You may want to file a complaint with Kaiser (https://healthy.kaiserpermanente.org/health/care/consumer/locate-our-services/member-services/submit-a-complaint), or contact Kaiser with a concern about the quality of care. You can find information on how to do that at https://healthy.kaiserpermanente.org/health/care/consumer/center/!ut/p/a1/hZBPT4QwEMU_yx44lk75Z_HGmrgBVNxoXOzFdLFlidBi6S7Zby-w8WCicZJJZpL3fpl5mOESM8VPTc1toxVv551Fb7fZU7FekwSKsAghvQ83cRY9eHBzhXc4w6xu9X4Rvx6s7a8dcGDs-0orK5StphbGAcy4sU3VClzKd04plQR5UniIEAGIkhgQAAkCKeNAVP6_tMukeDcBP4-8bewZDVwKe56tidr7tMbMCCmMMO7RTPfNvOECHEe31rpuhVvpbsL9YjnoweLyp3L6ly2RgJ9ul0g2jxFASvPn_CXOfQDvW_BHJYD7jp799nQnduhjm6xWX7rAwc8!/dl5/d5/L2dBISEvZ0FBIS9nQSEh/#anchor1.
      Good luck!

  130. ER MD pulls out cellphone in front of lobby of patients, takes picture of a requisition/order of a particular patient with the whole name, DOB, age, sex, medical record number, account number, exam, exam reason, and uploads to his email and sends it to people not involved in the person’s health care, i.e. administration and management. Is this a HIPAA violation?

    1. There is a two-part answer to your question.
      1) HIPAA permits use of a patient’s protected health information for treatment, payment and operations, without authorization. So sending the information to persons in administration or management of the ED MD’s group, or of the hospital, could easily be related to the payment for the service or the operations of the covered entity of which the ED MD is a part.
      2) We do not recommend sending PHI using unencrypted email since such email is subject to interception as it moves across the digital ether. Such interceptions may be exceedingly rare, but they cannot be ruled out. So we advise providers to utilize a secure email application or get the patient’s consent to have his/her information sent somewhere by email.
      So while this practice is not wise, it is unlikely the Office for Civil Rights, which investigates HIPAA violations, would investigate or find a violation.

      I hope this helps!

  131. We have a question regarding sending emails to our patients.
    We provide vision care for patients and many times patients would like us to email their glasses or contact lens Rx to them.
    Right now we are asking patients to email that request & then we would send that Rx to the email we get. Do you think this is necessary? Or do you think if they request over the phone & we verify the email we can go ahead and send it?
    Thank you

    1. Getting an email confirmation of the patient’s request is always a good practice. If someone does not have email capability, or if they really just want to make the request by phone, you can still email the prescription, but be sure to make a record of who you spoke with and when. Make that record part of the chart, so if there is any question that you had permission to send the information via email, you have documentation of the request.

  132. If a provider emails a group of physicians not involved in patient X’s care a picture of an identifiable structure on patient X’s body without the consent of patient X is that considered a HIPAA violation? Thank you

    1. A definition of protected health information, or PHI would include: Protected health information (PHI), also referred to as personal health information, generally refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.

      Note the reference to identifying an individual. Information, once it has been stripped of any identifying marks or other references that could be used to identify the person to whom it pertains, can be used without authorization from the patient. So a photograph of a body part, where there is no way to identify whose body it is from, would not be considered PHI, and this would not be a violation of HIPAA regulations.

      That said, there may be other laws governing utilizing pictures of a person. The FindLaw website contains the following analysis:
      “The basic presumption underlining right to privacy laws is the protection of an individual from the disclosure of private facts. The general principles are that one who publicizes a matter concerning the private life of another is subject to liability for invasion of privacy if the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public. The right of publicity provides that an individual has the right to control the commercial use of their name, likeness or identity. While the right of privacy protects an individual from the disclosure of embarrassing facts, the right of publicity protects the individual from financial loss from an unauthorized commercial use of their name or likeness. As a general rule the right of privacy will only apply to a living person while the right of publicity may also apply to a deceased person.”
      So it is always preferable to obtain permission to keep and share photographs of someone, even if the person in the photograph cannot be identified. In fact, some professional photographers pay subjects of group photos $1 just to establish that the people in the photographs are consenting to, and being compensated for, use of their images.

      I hope this helps!

  133. If I send one email to nurses at another office, “Test result for E2 is 1234”, with no info related to the specific patient in the body or subject line, but the nurses know for whom the result is, is this sort of email HIPAA compliant?

    1. Sending PHI via an email without any identifying information on who the patient is would not result in an unauthorized disclosure. We advise against using such methods unless you can be sure no mistake will be made in identifying the patient at the other end. For instance, in your example, would E2 always refer to the same patient, or could E2 refer to one person on one day and to another person on another day? If emailing of PHI is a need, it would be better to invest in a secure email application than use shortcuts that could be open to misinterpretation.

      1. The term E2 is referring to one kind of test, not a patient.
        There will be NO misinterpretation at the other end for sure.
        My question is: is this email HIPAA compliant?

        I understand we can use an encrypted email system. But it would take many extra steps to send and to receive an email. We are sending hundreds of test results to our nurses.

        1. As the first sentence in my reply above states: “Sending PHI via an email without any identifying information on who the patient is would not result in an unauthorized disclosure.” HIPAA is less about specific “HIPAA compliant methods” and more about taking reasonable steps to protect the privacy of protected health information. That should be the goal of every covered entity – and the standard against which their actions are ultimately judged. If you think you are meeting that standard, then go ahead with the method you described.

  134. Quick question: I recently had an LCSW send (1) email from a yahoo email address that said it was from her husband, and then a few months later, after it was brought to her attention, I received (1) new email with my diagnosis, progress notes, name, address etc… enclosed, which came from her and a new email address from sbcglobal.net. To my knowledge neither of these addresses is HIPAA compliant, is that correct? Is what she did wrong? A lot of my personal info was included in those (2) letters that she emailed, and they were emailed because her printer at home was not working.

    1. We advise everyone that unencrypted email sent from such addresses cannot be considered secure. We also advise providers to not use email for communications that include protected health information (like what you describe in your question) without getting patient approval. Gmail claims that email sent from one gmail address to another is encrypted, but we have no way to confirm that. There are email applications that do provide for encryption of email messages that would be secure for purposes of HIPAA.

      The HIPAA regulations give patients the right to ask for communications via specific methods, so you can ask the provider to only communicate with you by regular mail, if that is your choice. You can also contact the Office for Civil Rights of the Health and Human Services department (https://www.usa.gov/federal-agencies/office-for-civil-rights-department-of-health-and-human-services) to register a complaint about how the LCSW may have communicated with you in a way that exposed your PHI to unauthorized disclosure.

  135. Question gray area: I went to get bloodwork done and when I filled out my personal info, I put in my address. My insurance is under my husband whom I’m estranged from. I asked before finishing the form, that my bill would be mailed to me and not to the insurance address. I was assured that it would be correctly mailed to me. I found today that instead, they mailed the bill, which includes why I was getting the bloodwork, to my estranged husband. He is the last person I ever wanted having my medical info. I did not give anyone there permission to give my medical info to anyone which by mailing him the bill did. Do I have any recourse?

    1. Ashley, it can be a challenge for healthcare entities like laboratories, hospitals or doctor’s offices to make sure that copies of bills do not go to the person providing the insurance coverage, even when the patient does not want that person to have information about why a service was provided and a claim submitted. Most of these processes are automated these days, and it takes real attention to detail for an exception to be made and enforced. And of course, even if no bill is sent to the person providing the coverage, many times insurance companies send copies of EOBs to the insured person which may contain similar information about the service that was provided, at least the code and a description of the procedure or test.

      The HIPAA Privacy regulations give patients the right to require that no claim for services be sent to the insurance company from whom they have coverage, as long as they are paying the bill themselves. Of course that leaves you with the financial responsibility to pay for the service, and you have to agree to that in advance. Otherwise, in general, only the Office for Civil Rights (OCR) of the Department of Health and Human Services can investigate a potential violation of the HIPAA regulations, and impose sanctions if warranted. You can find out how to lodge a complaint with them at their offices in Washington DC by Googling the name.

      Local District attorneys can prosecute people who participate in, or instigate, unauthorized disclosures of protected health information (PHI). But they usually only intervene in egregious cases where a person at a healthcare organization discloses PHI for personal gain or with malicious intent.

      While there is no right under HIPAA for patients to sue healthcare providers for an unauthorized disclosure, patients can sue for damages that were incurred after an unauthorized disclosure. An attorney could tell you if you have a chance to recover damages from the laboratory that did your bloodwork for the damages you suffered when your estranged husband was sent this information. And even if you had made it clear to the laboratory up front that you wanted the bills sent to you because you were going to pay for the services yourself, you still could only sue for damages you incurred because they sent a copy of the bill to someone they shouldn’t have, and complain to the OCR.

      I am sorry there are limited options in your situation. Paying for services yourself, or having your own insurance would be the most reliable way to maintain the privacy of your information in this situation.

  136. I have a situation in which I asked a healthcare provider (hospital) if it was ok if I sent them by email a picture of a possible wound infection that would be discussed at an upcoming visit with my doctor. I wanted to show the doctor a recent picture of the wound compared to an earlier version of the wound.
    The response I received was it was a violation of HIPAA for them to accept the pictures by email.

    1. Covered entities, like hospitals, are required to protect the privacy of the health information they create, maintain or store. Individuals, like yourself, are free to share their own information however and whenever they want to. So it is not a HIPAA violation for the hospital to accept information you send them. Of course, then they are bound to protect the privacy of that information, so handling the information in your email can become an issue. In this instance, of course, you can bring a copy of the picture you wanted to show the doctor to your next visit. You may want to contact the Privacy Officer of the hospital and discuss what you were told about not accepting the email with a photograph attached.

  137. Question about HIPAA. I am an employee of a hospital in CT. I took a job with the bariatric department as an MBSCR. My job was to follow patients, contact patients, and transfer data from the hospital platform to the accreditation platform. Since then, I have taken another position in the hospital, but with the EHR system they have, I am still receiving patient information emails for any occurrences that happen in the hospital. Is this a case of a HIPAA violation?


    1. Jason, this is a potential violation, but likely would be judged to be a low-risk unauthorized disclosure – unless you are somehow keeping the patient information emails or further disclosing them.

      The Minimum Necessary standard says staff members should only access the PHI they need for their duties. So if you are receiving and viewing PHI that is no longer pertinent to your duties, that is a type of unauthorized disclosure. However, the HIPAA regulations recognize an exception that covers the inadvertent disclosure of PHI “by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.” Since you would have had access to the information in your previous position, and since you are not doing anything with the information you are still receiving (right?), this situation falls under an exception that makes it a non-reportable breach.

      You could contact the hospital’s Privacy Officer and let them know about the situation so the emails can be redirected to the appropriate staff person. Good Luck!

  138. In our medical practice on occasion an email containing PHI may be accidentally sent to the incorrect person. Should this be treated as a HIPAA breach? For example, the sender is creating the email and unintentionally selects the incorrect person from the Address Book or sends it to a recipient believing it was the correct person when it should have gone to a different person.

    1. Jill, yes, it should be considered a potential breach. Like all potential breaches, you should perform a risk assessment, documenting your assessment of four factors:
      1. Nature and extent of PHI involved; types of identifiers and likelihood of re-identification.
      2. Unauthorized person who used/viewed PHI, or to whom disclosure was made.
      3. Whether PHI was actually acquired or viewed.
      4. Extent to which risk to the PHI has been mitigated.
      If the risks of re-identification or re-transmission are mitigated, for instance by contacting the erroneous recipient and confirming the erroneous recipient has deleted the email and will not retain or re-transmit any copies of the PHI, you may conclude that the risk of financial or reputational harm to the patient is low. This would make it a non-reportable breach. If you can’t reach that conclusion, then you have an obligation to report the breach to the intended patient, and to HHS by February 28 of the year following the breach.
      I hope this helps!

  139. I want to know: is it violating HIPAA law to send out a mass email stating that you did not receive a job, but the email was sent to me and maybe nine more people with our email addresses being exposed, and we do not know one another or gave permission to be in the mass email to have an email address exposed?

    1. HIPAA only applies to protected health information created, maintained or stored by a covered entity – a healthcare provider, a health insurance company or a clearinghouse (which processes electronic transactions for healthcare claims or payments). Your email address being disclosed in a mass email about a job does not sound like it relates to health information about you, so HIPAA would not apply.

  140. If a therapist forgot to get a copy of a patient’s insurance card, can the patient text or email a picture of it to the practice’s secure email (g-suite)?

    1. Marie, patients are free to put whatever information they want to into electronic communications like email. We always recommend practices help patients make an informed decision on using things like email or texting when including protected health information or important personal information like the information found on an insurance card.

      Usually with a secure email application, it is possible to send a request for information to a patient, and, provided they reply using the secure application, their PHI or other sensitive personal information will typically be encrypted during transit. Assuming “g-suite” means things like gmail, Google claims that emails sent using gmail are encrypted. But this only works if both parties are using gmail as their email application. For an email originating from a gmail account, but sent to someone with another email application (@yahoo.com, for instance), the reply may not receive the same encryption protections that gmail supposedly provides because it originates in a different email application and goes through different servers, etc.

      Here is a link to a pretty good explanation about gmail and encryption.

      So in this case, helping patients understand the risk they take in emailing PHI or sensitive information to the practice would include telling them that there is some, albeit small, risk of theft of information when using email to send a copy of an insurance card. The risk of using snail mail is much less.

      We hope this helps!

  141. Hi. Is mass emailing to patients regarding for them to call the clinic to make their payments before their appointment day HIPAA violation?

    1. Mass mailings to patients, especially where all addressees can see each other’s email address, have been the source of complaints to the Office for Civil Rights (OCR) (which investigates HIPAA privacy violations) of the Health and Human Services Department, in the past. Many people don’t want any information about where they are receiving care disclosed to anyone else without their permission. The classic example is the case of a minor who was receiving treatment at an OB/GYN practice. The practice sent her an email to an email address shared with other family members, in effect disclosing information about the minor’s activities in seeking health care services. In another instance, a physician who was leaving a group practice to start a new solo practice, sent an email to all patients of the group practice giving details on his new location. We advised him to consult with legal counsel because many of the group practice’s patients complained.

      We recommend communicating with patients via email only after asking for and receiving consent to use email for communications, and what type of email communications are acceptable to the patient. And if using a mass email approach, make sure you are using the Blind Copy feature so no one can see another person’s email address.

      Good luck!
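      The Blind Copy advice above, as an added Python example that is not part of the original comment or of the site’s own tooling: it builds the payment reminder with every patient address in Bcc, strips the Bcc header the way smtplib.send_message does before transmission, and refuses to send a message that would expose more than one patient address in To or Cc. The clinic mailbox, the patient addresses and the phone placeholder are constructed sample values.

```python
"""Mass patient reminder with a Bcc guard.

Added example (not from the blog post or its comments). The clinic mailbox,
patient addresses and phone number below are constructed placeholders.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

SENDER = "billing@clinic.example"        # assumed clinic mailbox (placeholder)
PATIENTS = [                             # constructed sample addresses
    "patient.one@example.com",
    "patient.two@example.com",
    "patient.three@example.com",
]


def build_notice(recipients, use_bcc=True):
    """Build the payment reminder; use_bcc=False reproduces the common mistake."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Reminder: please call the clinic before your appointment"
    if use_bcc:
        # Recipients see only the clinic's own address in To; the Bcc header
        # drives delivery but is removed before the message leaves the sender.
        msg["To"] = SENDER
        msg["Bcc"] = ", ".join(recipients)
    else:
        # Every patient's address is visible to every other patient.
        msg["To"] = ", ".join(recipients)
    msg.set_content(
        "Please call us at [clinic phone] to settle your balance before your "
        "appointment. Do not reply to this message."
    )
    return msg


def visible_recipients(msg):
    """Addresses each recipient will see: everything in To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]


def exposes_patient_addresses(msg, sender=SENDER):
    """True when two or more non-clinic addresses would be visible to all."""
    others = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    return len(others) > 1


def transmit(msg):
    """Pre-send gate. Returns (envelope recipients, bytes that leave the server).

    Mirrors what smtplib.send_message does: Bcc addresses go into the SMTP
    envelope, and the Bcc header itself is stripped from the transmitted copy.
    """
    if exposes_patient_addresses(msg):
        raise ValueError("refusing to send: multiple patient addresses in To/Cc; use Bcc")
    all_headers = [str(h) for h in
                   msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])]
    envelope = [addr for _, addr in getaddresses(all_headers) if addr]
    wire = message_from_bytes(msg.as_bytes(), policy=default)   # independent copy
    del wire["Bcc"]
    return envelope, wire.as_bytes()


if __name__ == "__main__":
    notice = build_notice(PATIENTS)
    envelope, wire = transmit(notice)
    print("envelope:", envelope)
    print(wire.decode())
```

      Running the block prints the envelope (all patients plus the clinic mailbox) and the transmitted message, in which no patient address appears. The guard is deliberately header-based so it can sit in front of whatever sends the mail; it does not depend on the sending library honouring Bcc correctly.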

  142. I work with a doctor that references details about more than one patient in the same email. These emails contain doctor’s orders and are added to the patient’s chart. Is this ok?

    1. Nadine, you don’t specify who these emails are sent to, but I will assume they are sent by the doctor to the staff in the office. This raises two issues.
      First, unencrypted email cannot be considered secure enough to send Protected Health Information via such email, and be reasonably certain the privacy of the PHI is protected – unless the email is sent entirely within an email server for an organization. We always recommend that physicians establish that a patient gives informed consent to the use of email for doctor-patient communications, and that principle applies in the case of PHI sent via email from the physician to staff members. While actual random interception resulting in an unauthorized disclosure seems to be rare, it is not impossible, which is why we recommend using an encrypted email application.

      Second, the practice of putting copies of emails containing information about multiple patients in patient charts could be problematic, unless the information for each patient is only put in that patient’s chart. You run the risk of not redacting such information about other patients when or if some or all of the chart is released to the patient or some other entity. That could result in disclosing information about a different patient who was also mentioned in the email. If this practice continues, you should make sure there is no “cross-contamination” of patient information from one chart to the next.

      Good luck!

  143. Is it considered a HIPAA violation for someone to mention in an email that I have a “compromised health issue”?
    Especially if I’ve never spoken to the person directly?
    No mention of the illness per se; just that my health is “compromised” in some way?

    Thank you!

    1. Linda, you don’t specify who mentioned the comment about a “compromised health issue”. If it is a Covered Entity, e.g., a physician, a hospital or a health plan (insurance company), where you have been a patient or from whom you have received insurance coverage, such a comment could be a HIPAA violation, especially if there is other context in the email that would enable a reader to discern what the issue is. The definition of Protected Health Information includes information about diagnosis and treatment. A general comment that someone is sick may not rise to the level of PHI.

      I hope this helps!

  144. Hi there! We are a Pediatric practice. I recently sent an email as requested by a mother since she was out of the country, on signing up for our patient portal so she can send the doctor messages while they are living out of the country. Normally we do not communicate with patients via our work email, but I made an exception (which we do from time to time) since I could not contact her any other way and she requested we email her the response to her questions. My email contained no PHI; I did not even have the mother’s name in the email. I told her to sign up for the portal and if she had questions, to call our office. I then added “***Please do not respond to this email. If you have questions, concerns, or need additional help, please call (phone number).***” Well, she responded to the email, with “urgent concerns” (he has a non-urgent rash, but mom described it as urgent) and even photos of a rash on the child (you cannot identify the child). My IT department is saying to ignore and delete the message, since she was instructed to NOT reply to the message. It is my work email which has my name on it and as an RN I am worried about what responsibility I have to this mom. Do I delete it and pretend like I never saw it? Her original question was not a clinical question, so I do not feel like I opened the door for clinical questions and she does not know I am a nurse. Thoughts?

    1. First of all, you should treat the communication like any other communication from a patient about conditions, medications, etc., and make sure it is recorded in the medical record. After that, you could delete the email. Second, we would recommend responding to the mother, using a new email, with information on how to access the portal, and reminding her this is the most secure method of communication. If you don’t see that the mother is accessing the portal, and if you still need to communicate about the rash issue the mother wrote about, send an email with your advice on dealing with the rash situation. Again, make it a new email, minimizing the identifying information, so the information the mother first wrote is not pinging back and forth around the internet. We always advise practices to get documentation of consent from patients to communicate via email, but in this case, by sending information to you, there is at least an implied consent to utilize email. Third, use common sense when listening to advice from the IT department. Even uncooperative patients/mothers still need responses to serious issues.

  145. My physician has an app for me to email him. If I state it is confidential, is his nurse allowed to read it if I specifically stated this is for my physician and it is personal between him and me and you do not have my permission to read it?
    If they do, is it breaking HIPAA law?

    1. It is common for the office staff in a physician’s office to review communications from patients to help the physician respond to them in an organized fashion. And all protected health information held by a covered entity like a physician can be used for the operation and management of the physician’s office. If you want communication between you and the physician to be confidential to just the two of you, you should discuss that request with the physician, and see if he or she can accommodate your request.

  146. As a therapist, I often communicate via email to court appointed attorney social workers with updates about my young clients and or their parent(s) and any recommendations (continued therapy, early intervention, parenting courses, etc).
    Would it be a HIPAA violation for a child’s court appointed attorney to forward such an email containing patient information to a non-biological father (mother’s husband)? Because part of the email suggested therapy, parenting classes for the father and possible Early intervention for his youngest son. The bulk of the email involved information about the mother and her 2 other children’s case (different father, no legal ties).

    1. Michele, you are illustrating the pitfalls of using email to communicate Protected Health Information (PHI), specifically, you cannot control or be certain of where an email, or the information it contains, goes after you send it. The short answer to your question is that such a disclosure by the recipient of an email with PHI is not violating HIPAA regulations unless the recipient has signed a Business Associate agreement with you as the Covered Entity preparing and maintaining the PHI of your patient, or is itself a Covered Entity under HIPAA. Covered entities would not usually include attorneys, courts, etc.

      If email is the easiest way to communicate with attorneys or social workers, you should do a few things.
      1) Get an informed consent from your patient’s parent/guardian to use email to communicate recommendations that may include PHI. Informed consent would include explaining the potential risks, e.g., interception by third parties (rare but not impossible) or forwarding to third parties by the recipient(s) of the email.
      2) Utilize a secure email system, which encrypts the email in transit and usually requires the recipient(s) to log into a website to receive the email. Use of this technique does not prevent a recipient from copying and pasting the information and forwarding it to a third party, however.
      3) Include a statement in your emails advising the recipient(s) not to forward the email or the information to a third party without the consent of the patient/parent. Such a statement is only as good as the honorable intentions of the recipient, but at least it expresses your intention that the information is not casually disclosable.

      You have probably been exposed to situations involving conflicts between custodial and noncustodial parents on treatment, etc. of minor children. Claims of HIPAA violations in these situations happen from time to time. If you take reasonable precautions to protect the privacy of the PHI you are creating, maintaining and communicating, you are much less likely to be fined if (or when) a party decides to complain about your release of information during disputes, to court appointed personnel, or to other parties who have a reason to receive the information.
      Good Luck!

  147. Is it a HIPAA violation to have my kid’s medical record sent to me via email or the address they send the bills to? I’m asking because I called my pediatrician to get a copy of a physical sent to me, but they are refusing, saying it’s a HIPAA violation.

    1. Assuming you are a parent with access to your child’s medical record, there is no reason the pediatrician’s office should be refusing to send you a paper copy of a portion of the medical record via the mail at the address you specify. You are entitled to ask for your child’s protected health information to be sent to you in a form and at a location you specify. It does not have to be the same location that they use to send statements or bills. You should put the request in writing, and ask for the name of the Privacy Officer for the practice.

      Here is a link to the official website for HIPAA issues that explains the rights of parents and minors. This link covers requests for confidential communications.

      Good Luck!

  148. When I email my doctor about my medical issues, why do the staff screen my email before the doctor gets it? Is this a violation of the HIPAA rules? The email is intended for my doctor only!

    1. Issac, it would almost certainly not be considered a HIPAA violation for a physician to have his or her staff screen email messages before the physician reviews them. First of all, an email you send to your physician is not Protected Health Information (PHI) under HIPAA, at least initially. It does not become PHI until it becomes part of the medical records, related to your care and treatment, the physician is keeping. HIPAA allows Covered Entities (like medical practices) to use PHI for treatment, payment and operations purposes without further authorization from a patient. So even if your email was automatically routed into your medical record before the physician saw it, a physician could still use his or her staff to review the information on his or her behalf, and take action based on standing instructions on how to proceed. For instance, a physician may tell his staff to make a copy of test results available to the patient if the physician has already completed reviewing them prior to receiving the email.

      You may want to talk to your physician and ask how you can communicate with him or her without staff members screening the request in advance. But keep in mind that much of the time, information may ultimately be shared with staff members because the physician needs the support of the staff to keep information and activities of the office flowing timely and accurately.
      I hope this helps!

      1. Thank you very much for your timely reply! This helps a great deal! I just wanted to make sure that nothing was being compromised!

  149. Hi,
    I wanted to clarify: if a third-party vendor has patient numbers shared from hospital data to provide patients with an education service about their condition, do HIPAA and compliance have a conflict with the actions below:
    1. Sending a push email to all the patients who did not answer the calls?
    2. A push email with no patient identification, name or number, other than that someone from the education service for condition A tried calling?

    1. Lina, we always advise providers to get approval from patients to use email for communications. Unsecured email cannot be considered secure enough to send protected health information (PHI) via email. Something like a request to contact a vendor about education may be very innocuous, but if the email includes information about the patient’s condition, diagnosis, procedures, etc., it can overlap into PHI. An email asking a patient to call about an opportunity for health education, with no PHI included, is probably vague enough that a regulatory agency, like the Office for Civil Rights of the Health and Human Services Department, which investigates HIPAA violations, would not consider that an unauthorized disclosure.
      Good Luck!

  150. Question. I was involved in an auto accident and I have granted my attorney permission to my medical records. This does not include private emails I sent my doctor, correct?

    1. Ross, it is very common for physicians to incorporate communications from patients, and their responses, into their medical records, especially if the communication was in digital form, such as an email. In that case, it would be up to the patient to ask that email communication not be incorporated into your medical record, but the physician’s response would still be in the record. You can further ask that the communication back to you not be part of the record to be released to anyone.
      I hope this helps! Good luck!

  151. I work for a medical supply company and I do audits that Medicare pulls for billing so we get paid by Medicare. If I accidentally attach a different patient’s file to a cover sheet with a different patient’s name, but it’s being sent to Medicare-hired companies to review, is it a HIPAA violation?

    1. Michele, the answer is, it may be a violation and it may be reportable. If the underlying information is the information you wanted to send, and the incorrect information is the name on the fax cover sheet, then there is arguably no unauthorized disclosure. A name all by itself on a fax cover sheet is not disclosure of PHI.

      If a fax cover sheet with the name of the person (patient #1) whose information you were trying to send, is put on top of information about a patient (patient #2) that you were not supposed to send, then there may be an unauthorized disclosure of patient #2’s PHI, which is a reportable event. If you would have sent the information about patient #2 anyway to the hired company, then it is not an unauthorized disclosure of PHI.

      I hope this makes sense, and helps!

  152. If a marketer for a home health care provider is given and is actively using a business email that the company has established for the marketer, but forwards the business emails with patient information to her personal email, is this a HIPAA violation?

    1. Sue, it may not be a HIPAA violation per se, but the organization could be seen as not protecting the privacy of protected health information by allowing this type of practice. We strongly encourage covered entities (like a home health care provider) to encrypt any emails that contain PHI. Further, most covered entities specifically prohibit employees from sending emails with any company information, including PHI, to their personal email accounts as part of their acceptable use policy. These types of policies should apply to any employee or independent contractor who has access to the organization’s PHI. This type of independent contractor should also have a business associate agreement with the covered entity.

      I hope this helps!

  153. I requested the e-mail addresses of my local hospital’s board of directors to open a dialog regarding the care of my wife. I have a durable power of attorney and healthcare directive allowing me to handle the medical affairs of my wife. The hospital’s board members are publicly known; their photos and names are posted on the walls of the hospitals. The hospital claims releasing the email addresses is a HIPAA violation. Also, is it a HIPAA violation to communicate the life expectancy of a cancer patient in a cancer infusion room within earshot of other patients?

    1. Mr. Kennard, it is possible that an email address, included in the medical record of a patient, could be considered Protected Health Information, or PHI. But an email address of a Board member, that is not part of the Board member’s medical record information, is not PHI that is protected by HIPAA. You may not be able to force the Hospital to give up the email addresses of Board members, but you can also send a letter to them individually at the hospital. Hopefully that type of communication would get through to one or more of the members.

      HIPAA regulations recognize that complete privacy of PHI is not always possible in congregate treatment settings like infusion rooms or physical therapy gymnasiums or even inpatient rooms where two or more patients are being cared for. The rationale is that when you agree to be treated in such areas, you understand that your medical information will not be completely private, or, you can ask to have such information shared as privately as possible. On the other hand, discussions about patients’ conditions, etc., in common treatment areas should be limited, and kept as private as possible. So while it may not be a HIPAA violation, it is poor form to communicate sensitive information about a patient where others can hear it.

  154. My HR department at work has been emailing my medical provider for information regarding my doctor’s note I turned in. They made the accusations it was fake, which it isn’t. But I was told they’re emailing the facility back and forth for information regarding the note, is that legal? Can my medical facility be releasing information about me without my consent? And can I request a copy of these emails if they are?

    1. Mrs. T: HIPAA does have some specific rules on a patient’s protected health information (PHI) and an employer. Here is an excerpt from the Health and Human Services website (https://www.hhs.gov/hipaa/for-individuals/employers-health-information-workplace/index.html):

      Employers and Health Information in the Workplace
      The Privacy Rule controls how a health plan or a covered health care provider shares your protected health information with an employer.
      Employment Records

      The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.

      If you work for a health plan or a covered health care provider:

      The Privacy Rule does not apply to your employment records.
      The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

      Requests from your employer

      Your employer can ask you for a doctor’s note or other health information if they need the information for sick leave, workers’ compensation, wellness programs, or health insurance.

      However, if your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so.

      Generally, the Privacy Rule applies to the disclosures made by your health care provider, not the questions your employer may ask.

      See 45 C.F.R. §§ 160.103 and 164.512(b)(1)(v), and OCR’s Frequently Asked Questions.

      It is not a violation of HIPAA to use email to discuss medical information, but we very strongly advise providers (like your doctor’s office) to get consent from patients before using email to send PHI since unencrypted email cannot be considered secure. Emails sent by your medical facility may or may not contain PHI, and they may or may not be included in your medical record. You can contact the facility and ask to speak to the Privacy Officer. Tell that person about your concerns and see if they can tell you about the content of the emails. You can also ask them to stop responding to your employer by email, but they will still have to answer legitimate questions from your employer, per the discussion above, even if they have to use regular mail. Good luck, and we hoped this helped.

    1. Benay, it is not a violation of HIPAA per se to send orders via email. Unless a physician is using a secure email application, we strongly encourage physicians to let their patients know they are sending communications containing protected health information to other providers (or to the patients themselves) via regular (non-secure) email applications. A further concern with using email is authentication of the orders. Email accounts can be hacked, leaving a provider like a lab to guess if a test ordered by email is actually a bona fide order, and email messages can be lost, deleted or even recalled, leaving the recipient with no record of having received the order. Text messages are similarly discouraged because of the lack of security and fragility of the record-keeping. You can contact your physician, ask for the Privacy Officer, and report your concerns, if you have them.

  155. I’m trying to receive emails from my provider and it says none of my apps will open it. I even allowed, through settings, anyone with the link to view, and still it won’t open. What am I doing wrong?

    1. Sorry, Rachelle, we can’t diagnose the issue of email messages and the various applications that may be used to receive and open them. You might try asking if your provider has a patient portal that you can access to receive messages that don’t have to go through the email system.
      Good luck!