What to do when patient emails contain too much PHI

If an email from a patient contains more PHI than it should, acknowledge it through a HIPAA compliant system rather than by unencrypted reply, keep your response free of additional sensitive detail, and explain to the patient how to reach you securely in future. Encourage patients to limit PHI in ordinary email, and make sure staff are trained to handle these messages consistently: record the relevant information in the patient's record, do not forward the message over unsecured systems, and follow your internal HIPAA policies.

HIPAA and patient email communication

A study assessing patient and provider attitudes toward email communication stated, “Email between patients and their health care providers can serve as a continuous and collaborative forum to improve access to care, enhance convenience of communication, reduce administrative costs and missed appointments, and improve satisfaction with the patient-provider relationship.”

HIPAA does not restrict patients from emailing their healthcare providers, but it places the responsibility on the organization to safeguard the PHI it receives once the message arrives. That means handling the email in a HIPAA compliant system and limiting the PHI in any reply. Strictly speaking, HIPAA's "minimum necessary" standard does not apply to disclosures made to the patient themselves, but applying the same principle when responding is sound practice: the less PHI a reply contains, the less is exposed if the message is intercepted or sent to the wrong address.

Common risks of excessive PHI in patient emails

When patients send emails containing excessive PHI, the risk of unauthorized access or exposure increases. Ordinary email may travel and sit on mail servers without encryption, remain in mailboxes and backups indefinitely, and be forwarded or misaddressed with a single click, so details such as diagnoses, treatment information, or identifying data can reach unintended recipients. Mishandling such emails can result in breaches, non-compliance penalties, and loss of patient trust.

Related: Are emails a risk for breaches?

What to do when you receive patient emails with excessive PHI

Acknowledge and respond securely

If an organization receives an email from a patient containing too much PHI, the first step is to acknowledge it securely. Do not reply through an unencrypted email system, and do not quote the patient's original message back to them. Instead, use a HIPAA compliant email platform like Paubox to confirm receipt and tell the patient how to communicate securely going forward.

Educate patients on secure communication

Many patients may not realize the risks of sharing sensitive health information over email. Educate them on secure communication methods. Consider guiding patients on using encrypted email platforms designed for the safe exchange of medical information, or HIPAA compliant text messaging systems.

Providing patients with clear instructions on using secure channels will reduce the likelihood of them sending excessive PHI via regular email in the future. 

Limiting future email exchanges with PHI

When communicating with patients via email, encourage them to limit the amount of PHI they share. Suggest using general terms rather than detailed medical information. For example, instead of discussing specifics about treatment or conditions, patients can ask about appointment scheduling or request a callback for more detailed conversations.

Apply the "minimum necessary" principle to what your own staff put in replies as well; it keeps the exposure small even when a message is misdirected or intercepted.

Read more: A guide to HIPAA's minimum necessary standard

Handling PHI internally

Healthcare organizations must train their staff to handle emails containing too much PHI. Staff should know the policies for securing PHI, such as recording the relevant contents in the patient's record in a secure system, not forwarding the email over unsecured systems or to personal accounts, and not leaving copies in shared or unmanaged mailboxes.

Business associate agreements (BAAs) and third-party email providers

If your organization uses a third-party email provider to send, receive, or store messages containing PHI, have a business associate agreement (BAA) in place with that provider. A BAA makes the provider contractually responsible for safeguarding the PHI it handles under the HIPAA rules. Without a BAA, you have no such assurance, and allowing the provider to handle PHI at all is itself a compliance failure on your organization's part, regardless of how secure the provider's service may be.

Best practices for email security and HIPAA compliance

  • Encrypt all email communications containing PHI, both in transit and while stored, to protect sensitive information.
  • Enable multi-factor authentication to secure access to email systems and prevent unauthorized access.
  • Use HIPAA compliant email platforms with built-in security features for sending and receiving PHI.
  • Conduct regular audits of email communication processes to identify vulnerabilities and ensure compliance.
  • Provide ongoing staff training on HIPAA compliant email practices, including recognizing and properly handling PHI.
  • Ensure patients are informed about secure communication methods and the risks of unprotected email exchanges.

FAQs

Can a patient’s email itself be considered PHI under HIPAA?

Yes. An email address is one of the identifiers that makes information PHI when it is linked to health information, and the body of a message that describes a patient's health status or care is PHI as well. Even brief communication must therefore be handled securely if it references the patient's condition, treatment, or care.

Should I automatically delete emails with excessive PHI?

No, healthcare organizations should not delete these emails. Instead, they should securely transfer the relevant information to the patient’s medical record and follow HIPAA compliant retention policies.

Is patient consent required for healthcare organizations to send responses containing PHI via email?

HIPAA does not require a separate written consent before a provider emails a patient: the Privacy Rule permits email communication with patients as long as reasonable safeguards are applied, and a patient who initiates contact by email can be assumed to accept replies by email unless they say otherwise. If you intend to reply over unencrypted email, however, you should warn the patient of the risk, honor their preference, and document that choice so you can show compliance with the privacy and security rules.

Related: How to get consent for texting and emailing patients