
Emailing with PHI/PII: Navigating the HIPAA Landscape in the Information Technology Age

Written by: Kelly Buckman

Those of us working in the field of Healthcare IT are often intimately familiar with HIPAA regulations and their impact on our day-to-day operations. But in the course of working to resolve problems for our customers, how often do we really think about the pitfalls of sharing healthcare-related information amongst ourselves and others? Usually, this takes the form of screenshots, samples of reports, data files, etc. I can’t count the number of times I’ve emailed a screenshot of a software-created object to one or more of my co-workers in the course of collaborating on an issue (“Have you seen this before?”), or to a customer contact to triumphantly demonstrate that I’ve resolved their data or server-related issue (“Look, it’s fixed. You’re welcome!”).

But very often, the data transferred back and forth contains PHI (Protected Health Information) or PI/PII (Personal Information/Personally Identifiable Information) such as name, address, telephone number, Social Security number, birth date, and other information whose disclosure constitutes a HIPAA violation if it is shared without being protected. This is obviously a concern for healthcare providers, and it should be for those who support them as well.

The Office of Civil Rights (OCR) of the Department of Health and Human Services states that “The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”

The standard for transmission security (§ 164.312(e)) also states that “the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
This tells us that the protection of PHI/PII is not only advisable, it’s mandated. So how can we protect the information we share with others?
One way we in Healthcare IT risk violating HIPAA regulations is through email. Here are some basic guidelines for remaining HIPAA compliant while effectively communicating with clients:
  • Before hitting ‘send’ on any email, make sure that the message is addressed to the correct recipients. Follow the principle of ‘less is more’, that is, send to the least number of people necessary, only those who need to know or can benefit from the information in the email.
  • If you’re including attachments, make sure that the correct attachments are included, and that they support the message you’re sending.
  • Encrypt the message by putting the prefix Secure: in the email subject line. This relies on your organization’s email gateway being configured to encrypt messages tagged this way, but when it is, the process will usually be transparent to both the sender and the receiver of the message. If the recipient’s email system doesn’t support encryption, the recipient will be redirected to a link to retrieve the message. Remember to use encryption on ANY electronic device you use to transmit sensitive data. Other ways to encrypt email:
  1. Use a secure messaging application, such as Cisco Registered Envelope Service (CRES).
  2. Use WinZip to encrypt files before sending them (choose its AES encryption rather than the legacy Zip 2.0 option, which is weak), and send the password that unlocks the WinZip file in a separate email.
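As an added illustration (not code from the original post), here is a small pre-send check that encodes the guidelines above: it looks for the Social Security number and date-of-birth patterns the post names, insists on the Secure: subject prefix whenever such data is present, and flags recipients outside an expected list of domains, in the spirit of “send to the least number of people necessary”. The regexes, the `allowed_domains` set and the sample message are assumptions constructed for the example; it is a sanity check before clicking send, not a substitute for the gateway’s encryption or a full DLP product.

```python
import re

# Heuristic patterns for PII the post names as HIPAA-sensitive (constructed,
# not an exhaustive PHI detector): US Social Security numbers and dates of birth.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
                    re.IGNORECASE)
SECURE_PREFIX = "Secure:"  # subject-line tag the mail gateway encrypts on


def find_pii(text):
    """Return a list of (kind, matched_text) tuples for PII-like strings in text."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    hits += [("dob", m.group(0)) for m in DOB_RE.finditer(text)]
    return hits


def check_outgoing(subject, recipients, body, allowed_domains):
    """Pre-send review. Returns a list of problems; an empty list means OK to send."""
    problems = []
    if find_pii(body) and not subject.startswith(SECURE_PREFIX):
        problems.append("PII found in body but subject lacks the 'Secure:' prefix")
    # Least-recipients rule: anyone outside the expected domains needs a second look.
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in allowed_domains:
            problems.append(f"unexpected recipient domain: {addr}")
    return problems


if __name__ == "__main__":
    # Constructed sample ticket email; all values are made up.
    subject = "Re: ticket 4711 - report fixed"
    recipients = ["helpdesk@example-clinic.org", "friend@example-mail.com"]
    body = ("Look, it's fixed. The patient record for SSN 123-45-6789, "
            "DOB: 01/02/1970 now loads correctly.")
    for problem in check_outgoing(subject, recipients, body, {"example-clinic.org"}):
        print("HOLD:", problem)
```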

When dealing with PHI/PII, it is advisable to include a confidentiality notice in your email signature. The following is the standard wording:

Confidentiality Notice: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

While including a disclaimer at the end of your email message is important, it’s worth noting that the disclaimer does not in and of itself satisfy the requirement to send electronic PHI securely.

Just as important as protecting PHI and PII data while in transit is disposing of it when it is no longer needed. It’s advisable to contract with a company to completely destroy electronic PHI/PII. You should also delete sensitive data from currently used drives and from Recycle Bins, securely wipe drives you no longer need, and avoid using external storage media (removable drives, CDs, etc.).
If you use Instant Messaging to communicate with others in your organization, you shouldn’t save Skype for Business/Lync call logs. To disable this option:
  1. In Skype for Business/Lync, in the upper right corner, click the ‘Options’ (gear) icon
  2. From the menu on the left, select ‘Personal’
  3. Uncheck the box next to “Save call logs in my email Conversation History folder”
  4. Click ‘OK’
Lastly, if you must email attachments containing PHI or PII, you should use document software that allows you to black out or redact sensitive data. Adobe Acrobat is one application that contains redacting tools. If you choose to do this, be sure to use redacting tools that make the redaction impossible to reverse: true redaction removes the underlying text and image data, whereas drawing an opaque box over it leaves the original content recoverable.
In summary, if you must send PHI or PII electronically, don’t fear; you can avoid HIPAA violations by taking precautions and using a bit of common sense. In the end, your clients, and your employer will thank you.

Kelly Buckman is a healthcare IT expert and field expert blogger for Barracuda Consulting.
Kelly has almost a decade of experience as a Technical Support Engineer/Analyst in the field of Healthcare IT, over 20 years in IT Support, and several years of experience in Project Management. She has a B.A. from Mount Holyoke and a Master’s degree from UMass Amherst, and lists her skills as the ability to analyze and resolve various types of application, server and network issues, and to communicate complex ideas effectively.
She is also the mother of 3 sons, ages 19, 17, and 11, lives in western Massachusetts, and enjoys solving puzzles, reading, and travelling.
Please leave your questions or comments below. Or, if you would like to employ our healthcare IT compliance services, or would like more information about HIPAA, PHI, IT security or any other related topic please contact us.


  1. Interesting read. Encryption by typing "Secure:" in the subject line of an email I had never heard of... does this work only on company internal emails?


