HIPAA Violation Email Example: What Not to Send—and a Compliant Template


Kevin Henry

HIPAA

July 11, 2025

HIPAA Violation Email Content

When you report or discuss a potential incident by email, your goal is to alert the right people without creating a new privacy problem. Keep the message high level and exclude protected health information (PHI) to preserve privacy rule compliance.

What to include (safe, minimal, actionable)

  • Plain-language summary of the event without PHI (e.g., “email misdirected to outside address”).
  • Date/time, system or workflow involved, and a unique incident ID instead of names or MRNs.
  • Whether an unauthorized disclosure may have occurred and if data was retrievable or recalled.
  • Immediate containment steps taken and specific help you need from recipients.
  • Direction to continue on a secure channel (ticketing system, patient portal, or phone).
  • Response deadline and single point of contact.

What not to include (prohibited or risky)

  • Identifiers linked to health data: names, initials, addresses, phone numbers, emails, MRNs, account/claim numbers, photos.
  • Clinical details: diagnoses, lab values, medications, imaging, visit notes, discharge summaries.
  • Attachments or screenshots containing ePHI; links exposing unprotected documents.
  • Breach notification text to broad audiences before the privacy team reviews facts.
  • Speculation, blame, passwords, or vendor keys that could weaken PHI safeguards.

Non-compliant Email Risks

Sending PHI in plain email can turn a small mistake into a larger incident. It expands who viewed the data, complicates containment, and may trigger breach notification obligations.

  • Regulatory exposure: civil HIPAA penalties, corrective action plans, and in egregious cases criminal liability.
  • Operational impact: bigger investigations, forensics, eDiscovery, and required retraining that strains staff time.
  • Contractual risk: violations of BAAs and downstream indemnity or termination clauses with partners.
  • Reputational harm: loss of patient trust and negative media attention.
  • Security fallout: auto-forwarding, mailbox backups, and reply-all chains spread and preserve the unauthorized disclosure long after the original message is deleted.

Compliant Email Practices

Before you write

  • Decide if email is necessary; prefer secure portals or incident systems for details.
  • Apply the minimum necessary standard—assume no PHI belongs in email.
  • Verify authorized recipients; use tightly controlled role-based lists and prefer BCC over CC.

Subject line

  • Use neutral, non-identifying text, e.g., “Privacy Incident—Internal Review [Incident ID].”

Body

  • State facts at a high level with no PHI; reference the incident ID, not patient data.
  • Outline next steps, owners, and timelines to drive action.
  • Direct recipients to a secure channel for details and enforce email security protocols.

Sending and follow-up

  • Use encryption if any sensitive administrative data appears; never attach PHI.
  • Disable external auto-forwarding and confirm reply-to recipients before sending.
  • Document actions in the ticket to satisfy audit needs and maintain privacy rule compliance.

Example of Non-compliant Email

This illustration shows what not to send. It contains multiple violations and is for training only.

Subject: Patient Jane Doe - Diabetes Dx & Lab Error

To: allstaff@[org]
Cc: billing@[vendor]

Hi team,
I accidentally emailed Jane Doe (DOB 02/03/1980, MRN 123456) her latest A1C (8.9%) and insulin changes.
The attachment includes her full chart notes and insurance ID 9999-8888-7777.
Can someone call her and update the diagnosis? Also loop in Dr. Smith and her spouse at [spouse email].

– Alex

Why this violates HIPAA

  • Reveals protected health information: name, DOB, MRN, diagnosis, lab values, and insurance ID.
  • Shares PHI with unauthorized recipients and broad lists—an unauthorized disclosure.
  • Attaches ePHI and invites further forwarding, compounding exposure.
  • Increases the scope and cost of potential breach notification and remediation.

Example of Compliant Email

Use a concise, PHI-free notice that redirects details to a secure channel. This supports PHI safeguards and streamlines response.

Internal incident-notification template (no PHI)

Subject: Privacy Incident—Internal Review [Incident ID: ####]

To: privacy@[yourorg]; security@[yourorg]
Bcc: [need-to-know leader only]

Team,
A potential privacy event occurred on [date/time]. The message may have reached an unintended recipient.
No PHI details are included in this email.

Requested actions:
• Acknowledge receipt.
• Join secure channel [ticket/IR system/portal] for details.
• Advise on containment and next steps.

Point of contact: [name, role, phone].
– [sender]

Patient-facing notification coordination (preliminary, no PHI)

Subject: Important Message From [Organization]

Hello [First Name],
We need to discuss a privacy matter regarding your records. For your protection, we won’t include details by email.
Please sign in to your secure patient portal or call us at [phone] to continue.

Thank you,
[Organization Privacy Office]

Notes for compliant sending

  • Keep all PHI out of email; move specifics to approved secure systems.
  • Use incident IDs or one-time codes, never names-plus-condition pairs.
  • Enable encryption and DLP rules as part of your email security protocols.
  • Document containment and decisions to aid any required breach notification and reduce HIPAA penalties.
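As an added illustration (not part of the original article), the following Python pre-send check turns the "what not to include" and "why this violates HIPAA" lists above into DLP-style rules and runs them over constructed drafts modelled on the two example emails. The regex patterns, distribution-list aliases, and the example-health.org domain are assumptions made for this example.

```python
import re

# Starting DLP patterns built from the article's "what not to include" list (constructed for this example).
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{4,}", re.I),
    "dob": re.compile(r"\bDOB\b\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "insurance_or_claim_id": re.compile(r"\b\d{4}-\d{4}-\d{4}\b"),
    "lab_value": re.compile(r"\b(A1C|HbA1c|glucose|LDL)\b[^%\n]{0,20}\d+(\.\d+)?\s*%?", re.I),
    "diagnosis_or_medication": re.compile(r"\b(diabetes|diagnosis|dx|insulin|metformin)\b", re.I),
    "ephi_attachment": re.compile(r"\b(attachment|attached|chart notes|screenshot)\b", re.I),
}
# Distribution aliases that defeat need-to-know recipient lists (constructed names).
BROAD_ALIASES = ("allstaff@", "all-staff@", "everyone@", "staff@")
INTERNAL_DOMAIN = "example-health.org"  # hypothetical organization domain

def pre_send_check(subject, recipients, body):
    """Scan a draft incident email; returns {'allow': bool, 'findings': [...]}.
    Any finding blocks the send so that details move to a secure channel instead."""
    findings = []
    text = subject + "\n" + body
    for label, pattern in PHI_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append(f"{label}: {match.group(0).strip()!r}")
    for addr in recipients:
        local, _, domain = addr.lower().partition("@")
        if (local + "@").startswith(BROAD_ALIASES):
            findings.append(f"broad_list: {addr}")
        elif domain != INTERNAL_DOMAIN:
            findings.append(f"external_recipient: {addr}")
    return {"allow": not findings, "findings": findings}

# Constructed drafts mirroring the article's non-compliant and compliant examples.
NONCOMPLIANT = dict(
    subject="Patient Jane Doe - Diabetes Dx & Lab Error",
    recipients=["allstaff@example-health.org", "billing@vendor.example"],
    body="I accidentally emailed Jane Doe (DOB 02/03/1980, MRN 123456) her latest A1C (8.9%) and "
         "insulin changes. The attachment includes her full chart notes and insurance ID 9999-8888-7777.",
)
COMPLIANT = dict(
    subject="Privacy Incident - Internal Review [Incident ID: 2025-0711-01]",
    recipients=["privacy@example-health.org", "security@example-health.org"],
    body="A potential privacy event occurred on 2025-07-10 14:05. The message may have reached an "
         "unintended recipient. No PHI details are included; join secure channel IR-2025-0711-01.",
)

if __name__ == "__main__":
    for name, draft in (("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, pre_send_check(**draft))
```

The non-compliant draft is blocked with one finding per violated rule plus one per bad recipient, while the PHI-free template passes with no findings.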

Summary

A well-written email about a potential HIPAA violation avoids PHI, limits recipients, and redirects details to secure channels. These practices reduce unauthorized disclosure risk, uphold privacy rule compliance, and prepare your team to act quickly and correctly.

FAQs

What information is prohibited in a HIPAA violation email?

Any protected health information about an identifiable person is off-limits—names, contact data, MRNs, images, diagnoses, lab values, medications, insurance and billing numbers, or screenshots/attachments with ePHI. Avoid anything that could identify a patient when combined with health details.

How can organizations ensure email compliance with HIPAA?

Use standard templates, enforce the minimum necessary rule, and route details through secure portals or tickets. Add technical controls—encryption, DLP, restricted lists—and train staff so messages follow privacy rule compliance and documented procedures.

What are the consequences of a HIPAA violation email?

Expect investigation, containment work, and possible breach notification to affected individuals and regulators. Organizations face civil HIPAA penalties, potential criminal exposure in willful cases, contractual liabilities, and reputational harm.
