Yes, covered entities and business associates may send Protected Health Information (PHI) or Personally Identifiable Information (PII) via email, provided the message is secured and encrypted using industry-standard encryption algorithms. According to the Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule does not expressly prohibit the use of email for sending electronic PHI (ePHI) or PII. However, covered entities and business associates are required to implement policies and procedures that restrict access to ePHI or PII, protect its integrity, and guard against unauthorized access. In short, covered entities and business associates can send ePHI or PII via email, but they must do so securely and in compliance with the HHS Security Rule requirements.
Email remains an important tool in healthcare communication, but it also presents significant risks when used to transmit sensitive information such as PHI or PII. Inadequate email security, especially the lack of proper encryption, continues to be a leading cause of data breaches. Below are essential email requirements and best practices for safeguarding sensitive data, maintaining compliance with HIPAA regulations, and reducing the risk of unauthorized access. From encryption standards to the proper use of disclaimers and recipient verification, following these practices is important for maintaining the privacy and security of health information.
Email Requirements and Best Practices
Encryption
According to a 2022 HHS Breach Portal report, around 22% of reported healthcare breaches affecting 500 or more individuals resulted from unencrypted emails. Using encrypted email services ensures that PHI or PII remains protected while an email is in transit and at rest in the recipient's mailbox. Encrypted information can only be read by an authorized recipient who holds the corresponding decryption key. Encrypting email adds a layer of protection that makes it difficult for attackers or other unauthorized individuals to view sensitive information, even if they intercept or gain access to the message.
Encryption does not mean that the information is password-protected. It makes the information unreadable until the data has been decrypted with the proper key. Emails containing PHI or PII should not be sent unless the email is secured using a third-party encryption program or a mail system that supports AES-256 or a comparable algorithm. To protect sensitive information during email communication, the following encryption practices must be followed. If PHI or PII is included in the body of an email, the entire message must be encrypted. If the information is contained only in an attachment, encrypting the attachment is sufficient. PHI or PII must never be included in email subject lines, because subject lines and other message headers are transmitted in the clear even when the body is encrypted.
Ask your IT department and/or Security Officer if you are unsure whether your emails are encrypted, and for guidance on ensuring that emails containing PHI or PII are sent using secure email and in accordance with company policies and procedures.
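The three encryption rules above (no PHI in the subject line, PHI in the body requires the whole message to be encrypted, PHI in an attachment requires that attachment to be encrypted) can be enforced by an outbound pre-send check. The following is an added example, not code from the original article or from HHS; the identifier patterns, the hypothetical MRN format, and the sample messages are constructed assumptions, and S/MIME or PGP/MIME content types are used as the signal that a part is encrypted.

```python
"""Pre-send policy gate for outbound email carrying PHI/PII (added example).

Assumptions: identifier patterns below are illustrative, not a HIPAA-defined
set; an encrypted part is one whose MIME type is S/MIME (application/pkcs7-mime)
or PGP/MIME (multipart/encrypted), or an inline PGP armored message.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed, illustrative PHI/PII patterns: SSN, hypothetical MRN, date of birth.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN
    re.compile(r"\bMRN[- ]?\d{6,}\b", re.I),      # hypothetical MRN format
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),     # DOB-style date
]
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime", "multipart/encrypted"}

# Constructed sample: PHI in the Subject header and an unencrypted plaintext body.
SAMPLE_BAD = (
    "From: nurse@example.org\r\nTo: clinic@example.org\r\n"
    "Subject: Labs for patient MRN 0012345\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "DOB 03/14/1975, SSN 123-45-6789, results below.\r\n"
)
# Constructed sample: de-identified subject, whole message S/MIME encrypted (placeholder blob).
SAMPLE_OK = (
    "Subject: Lab results\r\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHA6CAMIACAQAx\r\n"
)

def contains_phi(text: str) -> bool:
    return any(p.search(text) for p in PHI_PATTERNS)

def is_encrypted_part(part: Message) -> bool:
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----")

def check_message(raw: str) -> list:
    """Return policy findings; an empty list means the message may be sent."""
    msg = message_from_string(raw)
    findings = []
    if contains_phi(msg.get("Subject", "")):
        findings.append("PHI in Subject header (headers are never encrypted)")
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return findings                      # whole message encrypted; body not inspectable
    for part in msg.walk():                  # inspect body and each attachment separately
        if part.is_multipart() or is_encrypted_part(part):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if contains_phi(text):
            findings.append(f"unencrypted PHI in {part.get_filename() or 'message body'}")
    return findings
```

Run `check_message(SAMPLE_BAD)` to see both the subject-line and body violations; `check_message(SAMPLE_OK)` returns no findings because the entire message is enveloped.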
Email Disclaimers
While having a disclaimer in your email is important, it does not mean you can send unencrypted emails that include PHI or PII. The purpose of adding a disclaimer is merely to inform the recipient that the message contains PHI or PII. Remember, disclaimers do not eliminate your responsibility to send PHI or PII securely. If you need help writing the disclaimer, we recommend speaking to your legal counsel.
Limit Use of PHI or PII in Emails
Wherever possible, avoid including PHI or PII in emails. Use de-identified information (removing or obscuring all personal identifiers) when communicating about patients or clients, even when using secure email. For instance, refer to patients by a unique ID number instead of their name. Secure emails containing PHI or PII must be limited to the minimum amount of PHI or PII necessary for the intended purpose.
Verify Recipient Information
Before sending a secure email containing PHI or PII, double-check that the recipient's email address is correct and that no unnecessary individuals are included. This avoids sending sensitive information to the wrong person and supports compliance with the minimum necessary standard. Secure emails containing PHI or PII must be restricted to individuals with a legitimate business or clinical need to know.
Report!
Immediately report to your Compliance Department, IT Department, and/or Privacy and Security Officers, following company policies and procedures, if you receive or send an unsecured email containing PHI or PII; receive or send an email containing more than the minimum amount of PHI or PII necessary; send an email containing PHI or PII to any individual without a legitimate need to know; or receive an email containing PHI or PII that you do not have a need to know.
For more information on protecting ePHI, see the HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information on HHS.gov.