I usually don't write in first person, but this article is special; it addresses the struggle to understand HIPAA compliance related to the use of email.

Without a doubt, striking a balance between the convenience of email and HIPAA was my biggest compliance-related challenge in practice. I am certain I failed on as many occasions as I got it right.

I will attempt to distill a huge amount of HIPAA requirements backstory into easy-to-understand sound bites, and conclude with a simple formula. Here we go.

Protected health information (PHI)

Protected health information (PHI) is ANY information that could be used to individually identify a patient. This includes name, email address (yes, email addresses personally identify someone), account numbers, photographic images, etc. Because email addresses are PHI, it is impossible to send an email to a patient that does not include PHI.

Business associate agreement (BAA)

All email services store/archive message history. From a HIPAA perspective, this is a big deal because it means the email provider (e.g., Google, Yahoo, Office 365) is performing a service on your behalf—storing your PHI.

The HIPAA law requires that you have a business associate agreement (BAA) with any entity that performs a service on your behalf involving access to PHI. We just determined all email providers store your PHI; therefore, you must have a BAA with your email service provider to be compliant.

Okay, so that was the highly condensed backstory. Now it's time for something you can actually use to help determine if your current email usage is compliant, or not.

The "Formula"

To determine if your current email practices are HIPAA compliant, follow the decision tree below.

Does your email contain PHI?

If yes, move to next question.

Note: The answer is always yes.

Does the email service store messages?

If yes, move to next question.

Note: The answer is always yes.

Do you have a BAA with the email service provider?

If yes, you are compliant and may use your email to communicate with patients. Congratulations!

If no, you are NOT compliant. Here are your options:

  1. Obtain a BAA from your current email provider (I've never known a free email service such as Yahoo or Gmail, or a website hosting service, to sign or offer a BAA.)
  2. Switch to a secure email service provider, with a BAA
  3. Stop using email to communicate with patients

I know this is not the conclusion you were hoping for. Sorry.

While in practice, I wanted to keep things simple by using my practice's website email account to communicate with patients. Unfortunately, I had no BAA and was forced to reevaluate my day-to-day operations. Speaking of operations, be sure to read the articles below in which email is also discussed.

Between this article and those listed above, it is my hope you have sufficient information to understand HIPAA compliance related to the use of email. Thank you for reading!