Seven Ways Your Email Is Violating HIPAA

Email is everywhere, but regulations imposed by HIPAA make it a challenge to use the technology for healthcare without exposing your practice to tens of thousands or even millions of dollars in possible penalties. Infractions can be subtle, too, so you might be at risk even when you think you’re covered.

We’ve talked about the academic nuts and bolts of using email under HIPAA before, but now it’s time for some tough love and brass tacks. Read on as we go through seven of the most high-impact and potentially surprising ways that your current use of email might be violating HIPAA.

1) You Don’t Have Patient Consent

The U.S. Department of Health and Human Services (HHS) has given explicit guidance, on several occasions, that patients and providers can use unencrypted email for protected health information (PHI), so long as the patient is aware of the security risks and still prefers email over other communication options.

The flip side of this guidance is that a failure to meet any of its stated criteria implies an immediate HIPAA violation. So ask yourself, for every patient you’re emailing:

  1. Is this patient aware of the security risks of email?
  2. Have we discussed other communication options with better security?
  3. Have they stated a preference (or at least given consent) for email despite the risks and availability of other options?
  4. Have I documented that preference/consent somewhere?

Patient preference is a powerful tool for HIPAA compliance, but that also means that its absence is a powerful liability. Don’t skip this easy compliance step.

2) You Don’t Have a BAA

Business Associate Agreements (BAAs) are important legal documents that are required by HIPAA and that help ensure that your business partners treat your patients’ PHI with the same care and dedication that HIPAA requires of you. In the case of email, you want to know that your email provider has systems in place, such as modern encryption, to safeguard your important data, and a BAA will put those assurances in writing.

Even if you have patient consent to use insecure email, skipping out on getting a BAA with your email provider may put you in violation of HIPAA. Your patient may have agreed to the technical limitations of email, but they haven’t given you a free pass to ignore other HIPAA requirements, such as the administrative and legal safeguards that a proper BAA would provide.

It’s simple to do, and you should have a signed BAA with your email provider.

3) You Have a BAA but It Doesn’t Cover What You Think It Does

Surprise! This may be the “gotcha” item for many of you, so read carefully. At Spruce, we hear from many providers who “have secure email with a BAA,” but it often turns out that what they actually have is regular email with a BAA.

It is common for email providers to offer a BAA that covers their storage and internal handling of your PHI but that leaves all responsibility for message transmission on you, the user. This isn’t malicious; it’s just a reflection of the email provider’s inability to control the Internet beyond its own walls. Despite recent advances, standard email transmission is fundamentally unencrypted and insecure, so no company will sign a BAA that promises otherwise. Unfortunately, you’re still responsible for message transmission under HIPAA, so you can’t ignore this omission.

The most notable example of this disconnect may be the BAA that Google signs for email under its G Suite product offering. It’s a legitimate BAA that you should absolutely sign if you use the service, but it doesn’t provide coverage for emailing people outside of your own practice, such as, say, your patients.

Don’t get caught misinterpreting what your BAA will protect you from and what it won’t; it is extremely easy to violate HIPAA and endanger your patients’ PHI by using an email service that has a completely valid BAA in place.

4) You Haven’t Thought About Your “Technical Safeguards”

The HIPAA regulations devote a good amount of attention to specific “technical safeguards” that should be in place for systems that interact with electronic PHI. While not all of these security measures are absolute requirements under the law, standard email clearly fails to meet even a lenient interpretation of the criteria.

Happily, email technology has been progressing over the past few decades, and there are now measures that you can take to make your use of email more secure. Even if you have your patients’ consent to use “insecure” email, there is still a good argument that you should do your best to minimize every security risk that you can, and not doing so could easily constitute a HIPAA violation.

Check out our recent deep dive on HIPAA and email to learn more about the technical safeguards that you now have available and should investigate.

5) You’ve Only Thought About Your “Technical Safeguards”

You might be ahead of the game on email security. Maybe you know all about TLS, SPF, DKIM, DMARC, and other alphabet-soup Internet security acronyms. Maybe you even use a fully end-to-end encrypted email system. You could still, however, be violating HIPAA with your email.

Technical safeguards are not the only type of safeguards required by HIPAA, so having a perfect set of them won’t automatically make you compliant; the regulations also focus on “administrative” and “physical” safeguards, and both of these are critical to any HIPAA effort.

Administrative safeguards are, broadly, documented workflow policies that you follow to ensure the safety of PHI. One well-known administrative safeguard is the principle of communicating only the “minimum necessary” amount of information for a given interaction, ensuring that PHI exposure is kept low even if there is a technical breach. Other administrative safeguards include having a privacy officer, performing internal risk analyses, and keeping up with regular policy checkups. HIPAA requires all of these and more, but they don’t have to be onerous; learn more in our HIPAA compliance checklist.

Physical safeguards are, unsurprisingly, controls that you put in place around the physical security of your patients’ PHI. For email, this generally means considering the physical location of any downloaded emails that you have. Are they stored on a laptop? Who has access to the room it’s in?

Technical safeguards may be the most obviously important HIPAA requirements for email, but a complete approach to compliance will also consider administrative and physical safeguards, as well as the rest of the HIPAA regulation as a coherent whole. Cherrypicking criteria to follow will not lead to compliance.

6) You’re Sending PHI but Not Realizing It

Some healthcare providers attempt to comply with HIPAA by limiting their email use to information that does not constitute PHI. This is, in theory, a workable strategy, but it can be devilishly hard to use in practice.

Per HHS, HIPAA protects most “individually identifiable health information,” including demographic data, payment information, and contact details, depending on context. Since the use of personal addresses makes email inherently “individually identifiable,” you must then be extremely careful to ensure that your message content does not rise to the level of “health information.”

If you run a general practice clinic, for example, HIPAA might allow you to send your entire patient panel a generic email about flu vaccines without it being PHI, as it would not be “health information” about any specific person. If your practice specializes in cosmetic plastic surgery, on the other hand, you might not even be able to send a monthly newsletter, as there could be an argument that simply identifying people as patients of your practice would constitute health information.

When it comes to PHI, the line is blurry, the bar is low, and the consequences are steep. In further HHS guidance, the department states that even “an indication that the individual was treated at a certain clinic” can be PHI. You might be comfortable using email for non-PHI purposes, but it can be exceptionally hard to determine exactly what those are.

7) You’re Emailing Someone Other Than the Patient

You might have a patient’s consent to email with them about PHI, but that allowance does not extend to your interactions with anybody else, including other healthcare providers. Communication with anybody other than the patient or their explicitly designated third-parties should be fully compliant with all aspects of HIPAA, and anything else is likely to be a HIPAA violation.

Since standard email is, nearly by definition, not compatible with many HIPAA regulations, you should avoid it by default whenever you need to communicate PHI to anybody who is not the exclusive subject of that PHI and who hasn’t consented specifically to its use.


Alternatives to Email

Email can certainly be used in a HIPAA-compliant manner, but it may not be worth the trouble. Instead, many modern communications solutions are now available specifically for healthcare, and they make HIPAA compliance simple while also enabling secure messaging, telemedicine, access logging, team collaboration, and many other advanced features that email will never natively support.

Of course, Spruce is one of these solutions. 😉

Our software platform supports email, too, but we think that the healthcare communication world is so much bigger and richer than simple email. Check Spruce out, and let’s figure out what your medical communication goals are and how we can help you reach them. Yes, including email, if you really want it.


This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.

Related Articles

Discover more about the Mental Health Access Improvement Act, which allows LPCs and MFTs to enroll a...