Healthcare organizations can avoid HIPAA violations when forwarding emails by using HIPAA compliant email systems, encrypting emails and attachments, verifying recipients, applying the minimum necessary rule to limit shared information, and obtaining patient consent when required. Additionally, maintaining audit trails and training staff on secure email practices help prevent accidental disclosures of protected health information (PHI) and ensure compliance with HIPAA regulations.
The HIPAA Privacy and Security Rules apply to email communication, so any information shared electronically must be properly secured to protect patient privacy. The HHS clarifies that "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."
Email forwarding, in particular, presents additional risks. A forward carries the entire quoted thread and every attachment, often to recipients the original sender never vetted, and it can bypass the safeguards applied when the message was first sent (for example, a message delivered through a secure portal can be forwarded on as ordinary email). Without proper safeguards, forwarding emails can lead to unauthorized access to PHI, a reportable breach, and penalties for non-compliance.
Use a secure, HIPAA compliant email platform that ensures messages containing PHI are encrypted in transit and at rest. These platforms are designed to meet HIPAA’s security requirements and typically include automatic encryption and secure message storage.
Double-check both the recipient's address and that the recipient is authorized to receive the information before forwarding an email. A typo, an autocomplete suggestion that picks a similarly named contact, or a look-alike external domain can lead to unauthorized disclosure. Procedures for verifying recipients, such as confirming external addresses against a list of known partners and paying attention to external-recipient warnings in the mail client, help prevent such errors.
HIPAA’s minimum necessary rule requires that only the information essential for the task is shared. When forwarding emails, include only the PHI directly relevant to the recipient. Avoid forwarding long email threads, and remove attachments and quoted history that the recipient does not need; a forward passes along everything below the new message, not just the part you intended.
Ensure emails and attachments are encrypted before forwarding them, especially if they contain sensitive health data. Encryption protects information from unauthorized access during transmission. Note that transport encryption (TLS between mail servers) only protects the message on the wire; it does nothing once the message lands in the wrong mailbox, so for PHI going outside the organization prefer end-to-end encryption or secure-portal delivery, where the recipient must authenticate to read the message.
HIPAA requires patient consent before disclosing PHI in certain situations. When forwarding emails to third parties or external providers, verify whether patient consent is needed. If so, ensure the patient has signed the HIPAA compliant authorization forms before sharing their information.
When possible, redact or anonymize patient information before forwarding an email. Removing identifiers such as names, dates of birth, Social Security numbers, or medical record numbers reduces the potential harm if the email is mistakenly sent to the wrong person or intercepted. Check the quoted thread and attachments as well as the new text; identifiers often sit in the history below the message you are writing.
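The recipient check, the minimum-necessary trimming, and the redaction step described above can be applied mechanically before a forward goes out. The following Python script is an added example, not code from the original article or from any particular email platform. It assumes the plain-text body of the message is available as a string, that the identifiers to scrub appear with a label (MRN, DOB, SSN, Patient), and that the organization keeps a list of trusted recipient domains; the sample thread and the addresses are constructed, fictional data. It does not inspect attachments, and a regular expression cannot reliably find unlabeled names in free text, so a real deployment would pair this with the mail platform's DLP rules rather than rely on it alone.

```python
import re

# Constructed sample thread (fictional data): a new message followed by quoted history.
SAMPLE_THREAD = """Hi Dr. Lee,

Please review the attached labs for this patient.
Patient: Jane Doe
MRN: 00483921
DOB: 03/14/1972
SSN: 123-45-6789

Thanks,
Maria

-----Original Message-----
From: scheduling@example-clinic.test
Sent: Monday, May 6, 2024 9:12 AM
Subject: Lab follow-up

Earlier discussion with more patient details in it.
"""

# Lines that typically introduce quoted history in a reply or forward.
# Everything from the first match onward is dropped (minimum necessary).
_HISTORY_MARKERS = re.compile(
    r"^(?:-+\s*(?:Original|Forwarded) Message\s*-+|On .+ wrote:|From: .+|>.*)$",
    re.MULTILINE,
)

# Labeled identifiers only: labels keep false positives low. The values are
# replaced, the label is kept so the recipient knows what was removed.
# Assumed label conventions; adjust to your organization's templates.
_IDENTIFIER_PATTERNS = {
    "MRN": re.compile(r"\b(MRN|Medical Record (?:No|Number)\.?)\s*[:#]?\s*\d{5,}", re.IGNORECASE),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(DOB|Date of Birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "NAME": re.compile(r"\b(Patient(?: Name)?)\s*:\s*[A-Z][a-z]+(?: [A-Z][a-z]+)+"),
}


def strip_quoted_history(body):
    """Return (body without quoted history, whether anything was dropped)."""
    match = _HISTORY_MARKERS.search(body)
    if not match:
        return body, False
    return body[:match.start()].rstrip() + "\n", True


def redact_identifiers(text):
    """Replace labeled identifiers; return (redacted text, counts per kind)."""
    counts = {}
    for kind, pattern in _IDENTIFIER_PATTERNS.items():
        def _sub(m, kind=kind):
            label = m.group(1) if m.lastindex else None
            return f"{label}: [REDACTED {kind}]" if label else f"[REDACTED {kind}]"
        text, n = pattern.subn(_sub, text)
        if n:
            counts[kind] = n
    return text, counts


def flag_unverified_recipients(recipients, trusted_domains):
    """Return recipients whose domain is not in the trusted set (own tenant,
    business associates). These need manual verification before PHI goes out;
    a typo'd or look-alike domain shows up here instead of in a breach report."""
    trusted = {d.lower() for d in trusted_domains}
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in trusted:
            flagged.append(addr)
    return flagged


def scrub_for_forward(body, recipients=(), trusted_domains=()):
    """Trim history, redact labeled identifiers and flag recipients in one pass."""
    trimmed, dropped = strip_quoted_history(body)
    redacted, counts = redact_identifiers(trimmed)
    return {
        "body": redacted,
        "history_dropped": dropped,
        "redactions": counts,
        "unverified_recipients": flag_unverified_recipients(recipients, trusted_domains),
    }


if __name__ == "__main__":
    result = scrub_for_forward(
        SAMPLE_THREAD,
        recipients=["dr.lee@example-clinic.test", "lab@examplle-lab.test"],
        trusted_domains=["example-clinic.test", "example-lab.test"],
    )
    print(result["body"])
    print("redactions:", result["redactions"])
    print("verify before sending:", result["unverified_recipients"])
```

The report returned by `scrub_for_forward` is what a sender (or a send-time hook) would act on: any entry under `unverified_recipients` blocks the forward until someone confirms the address, and the redaction counts give the audit record of what was removed. The label-based patterns deliberately leave unlabeled identifiers alone rather than guess, so a count of zero does not mean the message is clean.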
In addition to encryption, ensure that your email systems are protected by access controls, such as two-factor authentication. Access controls help ensure that only authorized users can sign in to your email systems and reduce the risk of an attacker forwarding PHI from a compromised account. They do not protect a message that has already been delivered to the wrong external address; limiting that damage depends on recipient verification and on encryption or portal delivery that the wrong recipient cannot open.
HIPAA’s Security Rule requires audit controls that record and allow review of activity in systems containing electronic PHI, and the Privacy Rule gives patients the right to an accounting of certain disclosures. Email forwards fall under both, so implement procedures for tracking them: who forwarded the message, to whom, when, and what PHI it contained. Keeping detailed records helps with compliance and provides accountability in the event of a breach.
Employees should be trained on secure email practices, the risks of forwarding emails containing PHI, and how to avoid common mistakes like sending to the wrong recipient or sharing excessive information. Human error is one of the primary causes of email breaches; industry breach reports consistently attribute the large majority of breaches to a human element, with one widely cited figure at 85%. Regular training sessions keep compliance in mind and reduce the likelihood of such errors.
You can only forward PHI to a non-covered entity if the patient has provided written authorization, or the disclosure falls under a Privacy Rule permission or exception, such as for public health purposes. A vendor that handles PHI on your behalf must be a business associate under a signed business associate agreement before PHI is sent to it.
Immediately report the incident to your compliance officer and attempt to recall the email if possible. Recall only works within the same mail system and does not guarantee the recipient has not already read the message, so also ask the recipient to delete it and confirm in writing. Then follow your organization’s breach notification procedures, including the risk assessment that determines whether the disclosure is a reportable breach, to assess and mitigate the violation.
Yes, forwarding PHI during telehealth is allowed if using HIPAA compliant platforms and secure email systems. All precautions, including encryption and patient consent, must still be followed.