How to Use E-mail and Be HIPAA Compliant

by Dr. Jeff Brown

Without a doubt, striking a balance between the convenience of e-mail and HIPAA was my biggest compliance-related challenge in practice. I am certain I failed on as many occasions as I got it right.

I will attempt to distill a huge amount of HIPAA rules back story into easy-to-understand sound bites, and conclude with a simple formula. Here we go.

Protected health information (PHI)

Protected health information (PHI) is ANY information that could be used to individually identify a patient. This includes name, e-mail address (yes, e-mail addresses personally identify someone), account numbers, photographic images, etc. Because e-mail addresses are PHI, it is impossible to send an e-mail to a patient that does not include PHI.

Business associate agreement (BAA)

All e-mail services store/archive message history. From a HIPAA perspective, this is a big deal because it means the e-mail provider (e.g., Google, Yahoo, Office 365) is performing a service on your behalf—storing your PHI.

The HIPAA law requires that you have a business associate agreement (BAA) with any entity that performs a service on your behalf involving access to PHI. We just determined that all e-mail providers store your PHI; therefore, you must have a BAA with your e-mail service provider to be compliant.

Okay, so that was the highly condensed back story. Now it's time for something you can actually use to help determine if your current e-mail usage is compliant, or not.

The "formula"

To determine if your current e-mail practices are HIPAA compliant, follow the decision tree below.

Does your e-mail contain PHI?

If yes, move to next question. Note: The answer is always yes.

Does the e-mail service store messages?

If yes, move to next question. Note: The answer is always yes.

Do you have a BAA with the e-mail service provider?

If yes, you are compliant and may use your e-mail to communicate with patients. Congratulations!

If no, you are not compliant. Here are your options:

  1. Obtain a BAA from your current e-mail provider (I've never known a free e-mail service, such as Yahoo or Gmail, or website hosting services to sign/offer a BAA).
  2. Switch to a secure e-mail service provider, one who’ll sign a BAA.
  3. Stop using e-mail to communicate with patients.

I know this is not the conclusion you were hoping for. Sorry.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.
