Emailing about a colleague's medical condition can be a HIPAA violation. HIPAA's Privacy Rule applies to covered entities (health care providers, health plans, and health care clearinghouses) and their business associates, and the protected health information (PHI) it governs is individually identifiable health information those organizations create or receive. If your organization is a covered entity and the details about your colleague came from a patient record, a treatment encounter, or billing or insurance data, they are PHI, and sharing them without the colleague's authorization or a permitted purpose is an unauthorized disclosure. One caveat: the definition of PHI excludes employment records a covered entity holds in its role as an employer, so a health issue a coworker mentions in passing is a matter of workplace confidentiality and other laws rather than HIPAA. Where HIPAA does apply, PHI must be protected against unauthorized access and shared only with people who need it to do their jobs.
HHS clarifies that "The Privacy Rule protects all 'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral." The protection therefore does not depend on the channel: a colleague's health information that your organization holds as a covered entity is covered whether it is sent by email, said in a hallway, or written on paper, and it must be safeguarded against unauthorized access and disclosure in each of those forms.
Emailing about a colleague's medical condition carries several risks. An email is a written, searchable, and easily forwarded record, so a message intended for internal use can end up in front of people who have no need to know, and sharing PHI without authorization breaches confidentiality regardless of the sender's intent.
If an email containing PHI is sent to individuals who are not involved in the colleague's care and who have no other legitimate need to know, it constitutes an unauthorized disclosure. For instance, describing a colleague's health status to other employees who are not part of the care team and have no permitted treatment, payment, or health care operations reason to know it is a violation, even if everyone on the thread works for the same organization.
Related: What violates HIPAA in email?
Individuals who improperly share PHI can face significant legal and professional repercussions. HIPAA requires covered entities to apply sanctions to workforce members who violate their privacy policies, which can range from retraining to termination, and knowingly obtaining or disclosing PHI without authorization can carry criminal penalties. All employees must understand the serious implications of unauthorized disclosures.
Healthcare organizations that fail to adhere to HIPAA regulations can be subjected to investigations, audits, corrective action plans, and fines, along with increased regulatory scrutiny. Beyond the direct cost, a disclosure involving a staff member's health damages the trust of both employees and patients in the organization's handling of their information.
Replacing a colleague's name with initials or a non-identifying code does not de-identify the information under HIPAA if the rest of the message, or the small group reading it, makes clear who is meant; in a team of a dozen people, "the nurse who is out for surgery" identifies the person as surely as a name does. Seek the colleague's explicit consent before sharing anything about their condition, and limit any communication to what is necessary and send it through a secure channel.
Personal email accounts are not an acceptable channel for PHI. They sit outside your organization's control, consumer email providers do not sign business associate agreements, and the accounts typically lack the access controls, audit logging, and encryption the Security Rule expects. Use your organization's secure, HIPAA compliant email system for any communication involving PHI.
Read more: Why personal email accounts are not HIPAA compliant
Even internal emails containing PHI should be encrypted, both in transit and at rest: an internal message still crosses mail servers and networks and then sits in mailboxes, backups, and mobile devices. Under the Security Rule, encryption is an addressable specification, meaning an organization that chooses not to encrypt must document why and what equivalent protection it relies on instead; for email, encrypting is the defensible choice.
Related: What happens to your data when it is encrypted?