
Avoiding HIPAA violations when forwarding emails

Healthcare organizations can avoid HIPAA violations when forwarding emails by using HIPAA compliant email systems, encrypting emails and attachments, verifying recipients, applying the minimum necessary rule to limit shared information, and obtaining patient consent when required. Additionally, maintaining audit trails and training staff on secure email practices help prevent accidental disclosures of protected health information (PHI) and ensure compliance with HIPAA regulations. 


HIPAA and email forwarding

The HIPAA Privacy and Security Rules apply to email communication, so any information shared electronically must be properly secured to protect patient privacy. The HHS clarifies that "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."

Email forwarding, in particular, presents additional risks, as it can easily result in the unintended disclosure of sensitive data. Without proper safeguards, forwarding emails could lead to unauthorized access to PHI, risking a data breach and resulting in penalties for non-compliance.


Common risks when forwarding emails with PHI

  • Accidental recipients: Healthcare staff can mistakenly forward an email to the wrong person, especially when multiple recipients are involved. An email containing PHI sent to an unauthorized person can be a serious HIPAA violation.
  • Excessive information sharing: Forwarding entire email threads instead of only the necessary information increases the risk of exposing irrelevant but sensitive patient data.
  • Lack of encryption: PHI should always be encrypted when sent via email, including when forwarding. Failing to use encryption can lead to unauthorized access.
  • Missing patient consent: Emails forwarded to third parties or outside providers may require patient authorization. Failing to obtain this consent could violate HIPAA’s Privacy Rule.


Recommended practices to avoid HIPAA violations

Use HIPAA compliant email systems

Use a secure, HIPAA compliant email platform that ensures messages containing PHI are encrypted in transit and at rest. These platforms are designed to meet HIPAA’s security requirements and typically include automatic encryption and secure message storage.


Verify the recipient

Double-check that the recipient is authorized to receive the information before forwarding an email. A simple typo or an incorrect recipient selected from autocomplete can lead to unauthorized disclosure. Implementing procedures for verifying recipients, such as checking the address against an approved list before sending, helps prevent such errors.


Apply the minimum necessary rule

HIPAA’s minimum necessary rule requires that only the information essential for the task is shared. When forwarding emails, include only the PHI directly relevant to the recipient. Avoid forwarding long email threads that may contain unrelated or excessive information.


Encrypt emails and attachments

Ensure emails and attachments are encrypted before forwarding them, especially if they contain sensitive health data. Encryption protects information from unauthorized access during transmission.


Obtain patient consent when needed

HIPAA requires patient consent before disclosing PHI in certain situations. When forwarding emails to third parties or external providers, verify whether patient consent is needed. If so, ensure the patient has signed the HIPAA compliant authorization forms before sharing their information.


Use redaction or anonymization

When possible, redact or anonymize patient information before forwarding an email. Removing identifiers such as names or medical record numbers limits the harm if the email is mistakenly sent to the wrong person or intercepted.


Implement strong access controls

In addition to encryption, ensure that your email systems are protected by access controls, such as two-factor authentication. Access controls help ensure that only authorized users can access email systems and limit the damage if an email is mistakenly forwarded to the wrong address.


Maintaining an audit trail

One of HIPAA’s requirements is maintaining an audit trail of all PHI disclosures, including email forwards. Implement procedures for tracking email communications, noting who forwarded the email and to whom. Keeping detailed records helps with compliance and provides accountability in the event of a breach.
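The recipient verification, minimum necessary, redaction and audit trail practices above can be enforced in one outbound check before a forward leaves the organization. The following is an added illustration, not code from the original article; the approved domains, the MRN and SSN patterns, the thread markers and the sample message are all constructed assumptions, and a real deployment would use the organization's own identifier formats and log store.

```python
import re
from datetime import datetime, timezone

# Constructed policy: only these domains may receive PHI without further review.
APPROVED_DOMAINS = {"clinic.example", "partner-hospital.example"}

# Constructed identifier patterns to redact: a clinic-style MRN and an SSN-shaped number.
REDACTION_RULES = [
    (re.compile(r"\bMRN[\s:#]*\d{6,10}\b", re.IGNORECASE), "[MRN REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]"),
]

# Markers at which common mail clients begin the quoted or forwarded thread.
THREAD_MARKER = re.compile(
    r"^(?:>|On .+ wrote:|-+ ?Forwarded message ?-+|-----Original Message-----)", re.MULTILINE
)

def unapproved_recipients(recipients):
    """Return the recipients whose domain is not on the approved list."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS]

def strip_quoted_thread(body):
    """Minimum necessary: keep only the new text above the first quoted/forwarded marker."""
    m = THREAD_MARKER.search(body)
    return body[: m.start()].rstrip() if m else body

def redact_identifiers(body):
    """Replace identifier patterns; return the new text and the number of replacements."""
    total = 0
    for pattern, replacement in REDACTION_RULES:
        body, n = pattern.subn(replacement, body)
        total += n
    return body, total

def prepare_forward(sender, recipients, body, audit_log):
    """Check one forward, append an audit record (who, to whom, outcome), return body or None."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "from": sender, "to": list(recipients)}
    blocked = unapproved_recipients(recipients)
    if blocked:
        record.update(status="blocked", reason=f"unapproved recipients: {blocked}")
        audit_log.append(record)
        return None
    body, n = redact_identifiers(strip_quoted_thread(body))
    record.update(status="forwarded", redactions=n)
    audit_log.append(record)
    return body

# Constructed sample: a new note sits above a forwarded thread that still carries identifiers.
SAMPLE_BODY = (
    "Please schedule the follow-up for MRN 00123456.\n\n"
    "---------- Forwarded message ---------\n"
    "From: lab@clinic.example\nPatient SSN 123-45-6789, full results attached.\n"
)
```

For the sample, the quoted thread (and the SSN inside it) is dropped, the MRN in the new text is redacted, and the audit record notes the forward; a forward to an address outside the approved domains is blocked and logged instead.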


Employee training and awareness

Employees should be trained on secure email practices, the risks of forwarding emails containing PHI, and how to avoid common mistakes like sending to the wrong recipient or sharing excessive information. One of the primary reasons for email breaches is human error, with at least 85% of data breaches in organizations attributable to individual mistakes. Regular training sessions help keep compliance in mind and reduce the likelihood of human error.


FAQs

Can I forward an email containing PHI to a non-HIPAA-covered entity?

You can only forward PHI to a non-covered entity if the patient has provided explicit authorization, or the disclosure falls under a HIPAA exception, such as for public health purposes. 


What should I do if I accidentally forward an email with PHI to the wrong recipient?

Immediately report the incident to your compliance officer, attempt to recall the email if possible, and follow your organization’s breach notification procedures to assess and mitigate the violation.


Is forwarding emails with PHI allowed during telehealth sessions?

Yes, forwarding PHI during telehealth is allowed if using HIPAA compliant platforms and secure email systems. All precautions, including encryption and patient consent, must still be followed.