If emails from patients contain too much PHI, acknowledge the email securely using a HIPAA compliant system, avoid replying with additional sensitive information, and educate the patient about using secure communication methods. Encourage patients to limit PHI in future emails and ensure your staff is trained to handle situations appropriately by documenting information securely and adhering to internal HIPAA compliant policies.
A study assessing patients' and providers' attitudes and perspectives on email communication stated, “Email between patients and their health care providers can serve as a continuous and collaborative forum to improve access to care, enhance convenience of communication, reduce administrative costs and missed appointments, and improve satisfaction with the patient-provider relationship.”
HIPAA allows patients to initiate communication with their healthcare providers via email but places the responsibility on organizations to ensure that the PHI they receive is protected. PHI can be protected by using HIPAA compliant email systems and limiting the amount of PHI shared when responding. While patients may send detailed medical information, providers must still uphold the "minimum necessary" rule to minimize the risk of exposing sensitive data.
When patients send emails containing excessive PHI, the risk of unauthorized access or exposure increases. Regular, unencrypted email is vulnerable to interception, making sensitive information like diagnoses, treatment details, or personal identification potentially accessible to unintended recipients. Mishandling such emails can result in breaches, non-compliance penalties, and loss of patient trust.
Related: Are emails a risk for breaches?
If an organization receives an email from a patient containing too much PHI, the first step is to acknowledge it securely. Avoid replying directly via unencrypted email systems. Instead, use a HIPAA compliant email platform like Paubox to respond, confirming receipt and notifying the patient about alternative ways to communicate securely.
Many patients may not realize the risks of sharing sensitive health information over email. Educate them on secure communication methods. Consider guiding patients toward encrypted email platforms designed for the safe exchange of medical information, or HIPAA compliant text messaging systems.
Providing patients with clear instructions on using secure channels will reduce the likelihood of them sending excessive PHI via regular email in the future.
When communicating with patients via email, encourage them to limit the amount of PHI they share. Suggest using general terms rather than detailed medical information. For example, instead of discussing specifics about treatment or conditions, patients can ask about appointment scheduling or request a callback for more detailed conversations.
Reinforce the "minimum necessary" rule, which helps minimize the exposure of sensitive information.
Read more: A guide to HIPAA's minimum necessary standard
Healthcare organizations must train their staff to handle emails containing too much PHI. Staff should know the policies for securing PHI, such as transferring sensitive email contents to secure patient records and avoiding forwarding emails with PHI over unsecured systems.
If your organization uses a third-party email provider, have a business associate agreement (BAA) in place. A BAA ensures that the provider adheres to HIPAA rules and is responsible for protecting the PHI it handles. Without a BAA, the provider may not be HIPAA compliant, potentially leading to privacy breaches.
Yes, a patient's email address is considered PHI when it is linked to their health information. Therefore, even basic communication must be handled securely if it references their health status or care.
No, healthcare organizations should not delete these emails. Instead, they should securely transfer the relevant information to the patient’s medical record and follow HIPAA compliant retention policies.
Healthcare organizations must obtain patient consent before sending emails containing PHI, and they should document this consent to ensure compliance with HIPAA’s privacy and security rules.
Related: How to get consent for texting and emailing patients