How to Use Email and Be HIPAA Compliant

By: Dr. Jeff Brown

Without a doubt, striking a balance between the convenience of using email and HIPAA was my biggest compliance-related challenge in practice (I am certain I failed on many occasions). In this article I will attempt to distill a huge amount of compliance back story into easy-to-understand sound bites, and conclude with a simple formula for how to use email and still be HIPAA compliant. Here we go.

Protected health information (PHI)

Protected health information (PHI) is individually identifiable health information: any detail that ties a specific person to their care, diagnosis, treatment or payment. HIPAA lists 18 identifiers that must be stripped before data counts as de-identified, and that list includes names, email addresses (yes, an email address personally identifies someone), account numbers, full-face photographs, etc. The moment you email a patient from your practice, the address itself, now linked to the fact that this person receives care from you, is PHI. That is why it is impossible to send an email to a patient that does not include PHI, even if the body says nothing more than "see you Tuesday".

Business associate agreement (BAA)

Email is a store-and-forward system: every provider keeps a copy of each message on its servers, in your mailbox and your patient's, and usually in backups and archives as well, for as long as you (or they) retain it. From a HIPAA perspective this is a big deal, because it means the email provider (e.g., Google, Yahoo, Office 365) is performing a service on your behalf: storing your PHI.

To be HIPAA compliant you are required to have a BAA with any entity that creates, receives, maintains or transmits PHI on your behalf. (HIPAA does exempt mere "conduits" such as the postal service or an ISP that only carries traffic, but an email provider that keeps copies of your messages in mailboxes and backups is storing PHI, not merely passing it through, and does not qualify for that exemption.) We just determined that all email providers store your PHI; therefore, you must have a BAA with your email service provider to be compliant.

Okay, so that was the highly condensed back story. Now it's time for something you can actually use to help determine if your current email usage is compliant, or not.

The "formula"

To determine if your current email practices are HIPAA compliant, follow the below decision tree.

Does your email contain PHI?

If yes, move to next question. Note: The answer is always yes.

Does the email service store messages?

If yes, move to next question. Note: The answer is always yes.

Do you have a BAA with the email service provider?

If yes, you have cleared the BAA hurdle and may use that email service to communicate with patients. Congratulations! Keep in mind that a BAA is necessary but not sufficient: the Security Rule still requires you to do a risk analysis and put safeguards on the account itself (strong passwords and multi-factor authentication, encryption in transit, access limited to staff who need it, and a written policy on what may be sent). The BAA covers what the provider does with your PHI; it does not cover a weak password on your own mailbox.

If no, you are not compliant. Here are three available options:

  1. Obtain a BAA from your current email provider (I've never known a free email service, such as Yahoo or Gmail, or website hosting services to sign/offer a BAA).
  2. Switch to a secure email service provider, one who’ll sign a BAA.
  3. Stop using email to communicate with patients.

I know this is not the conclusion you were hoping for. Sorry.

Please note

In order to email or text any PHI (e.g., appointment reminders) to a patient's unsecured personal email account or phone, you must first warn the patient that the channel is not secure, and obtain and document their agreement to send and receive medical information by email/text. HIPAA does allow a patient to request communication over unencrypted email, but the warning and the patient's choice should be on record, and the warning should be repeated if the patient changes their contact details.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.
