Is it Allowed to Email Patient Names Under HIPAA?

Given the often stringent rules of the Health Insurance Portability and Accountability Act (HIPAA), healthcare staff and others in the health sector are understandably cautious about how they handle patient information, some to the point of wondering whether it is allowed to email patient names under HIPAA rules. Patient names are considered Protected Health Information (PHI), so transferring or sharing them in an incorrect manner could have consequences for the employee or the HIPAA covered entity.

Several elements must be taken into account when considering the role of email in relation to HIPAA. Below, we examine the question of names in emails and review how employees in healthcare settings should use email systems in order to remain compliant with the law and avoid any breaches.

Is Sending Patient Names Via Email a HIPAA Violation?

The names of patients, both first names and family names, are among the 18 classes of information that are categorized as PHI under the HIPAA Privacy Rule. Electronic communication of PHI is not prohibited, but certain conditions must be met. Security measures must be appropriate to the risk that the information could be intercepted or otherwise accessed by unauthorized parties.

When emailing PHI, however, the more sensitive data should not be present in the subject line, as this bears a higher risk of being viewed by unauthorized individuals. With some encryption systems, the subject line of the email may also not be encrypted, even if the contents of the email itself are. Again, this increases the risk of a PHI breach.

Do Emails Need to be Encrypted?

While there is no rule under HIPAA that states encryption should or must be used, it may be a useful tool in ensuring HIPAA compliance. The use of encryption is what is known as an Addressable standard. This means that it is one of a number of options that can be used if a risk assessment deems that protection of this type may be necessary. Other systems or protocols which provide a similar level of security could also be implemented to meet the appropriate standard.

When emails are being sent among staff members inside the company or organization, encryption may not be needed, as the system's firewall should be adequate to protect the data, provided that the messages do not leave the network to be transferred. In addition to the firewall, features such as requiring a username and password to access the network would need to be in use.

When emails are being sent beyond the confines of a protected network, the risk of the PHI being intercepted is greater. If patients have consented to receiving documents via email, this is a valid and compliant form of communication. Before consenting, however, the patient must be informed of the risk of data being compromised should an unencrypted email be accessed by a third party. If the patient agrees, unencrypted email can be used.

In all other cases where email is being used to transfer PHI, encryption is likely the only way to adequately mitigate the risk of information being compromised. Should an audit take place, it is important to remember that security decisions must be documented and justified with evidence. Given the threat of a breach, transferring PHI via unencrypted email would likely not meet the necessary level of security.