Is Email PHI? What HIPAA Says, Examples, and Compliance Tips

Kevin Henry

HIPAA

September 16, 2025

Email and PHI

Email can contain Protected Health Information (PHI) whenever it includes an identifier plus details related to a person’s health, care, or payment. Because email is fast and familiar, it’s easy to expose ePHI in subject lines, message bodies, headers, or attachments without realizing it.

What counts as PHI in email

  • Appointment reminders that include a patient’s name and the clinic or condition.
  • Care instructions, lab results, claims data, member IDs, or invoices tied to an individual.
  • Referral details that reveal a diagnosis or provider relationship.
  • Attachments (PDFs, images, EOBs) that contain identifiers.

By contrast, general wellness tips sent to a broad audience without identifiers are not PHI. If information is fully de-identified (no direct identifiers and no reasonable basis to re-identify), it is not PHI.

Risk scenarios to avoid

  • Putting diagnoses, MRNs, or full names in subject lines or calendar invites.
  • Forwarding PHI to external addresses without safeguards or approval.
  • Replying to patients from consumer email platforms that lack protections.

Email Address as PHI

An email address alone is not always PHI. Context determines its status. When an email address appears within a covered entity’s records and relates to treatment, payment, or operations—or is part of the Designated Record Set (DRS)—it becomes PHI because it identifies the individual within a healthcare context.

When an email address is PHI

  • It’s stored in a patient chart, patient portal account, or DRS.
  • It’s combined with health details (e.g., “john@example.com — positive strep test”).
  • It implies a condition or provider relationship (e.g., “jane@hivclinicpatients.org”).

When an email address is not PHI

  • It’s collected outside any healthcare context and not linked to health information.
  • It’s used in a fully de-identified dataset with no other identifiers.

Treat patient contact details as PHI when they live in systems used for care or payment, or when they can reasonably reveal a healthcare relationship.

HIPAA Compliance for Email

HIPAA allows email, but you must manage risk. Your program should be documented, consistently followed, and regularly reviewed. Use the “minimum necessary” standard and avoid PHI in subject lines or auto-replies.

Action plan

  • Perform a risk analysis of email workflows, devices, and vendors; update after changes.
  • Define policies for when and how to email PHI, including patient preferences and verification steps.
  • Train staff on identifiers, phishing, and secure handling of attachments.
  • Implement safeguards: encryption, access controls, audit logging, and incident response.
  • Limit content to the minimum necessary and prefer secure portals for sensitive details.
  • Ensure emails that form part of the Designated Record Set are captured and retrievable.

Document decisions where HIPAA’s Security Rule offers “addressable” implementation specifications (such as certain encryption controls). If you choose alternatives, justify them and mitigate risk.

Business Associate Agreement for Email Providers

If an email service can access, transmit, or store PHI, you need a Business Associate Agreement (BAA) before using it. Without a BAA, do not put PHI in that system.

What your BAA should cover

  • Permitted uses and disclosures of PHI and prohibition on unauthorized uses.
  • Administrative, physical, and technical safeguards aligned with HIPAA.
  • Breach reporting obligations (including notification without unreasonable delay and no later than 60 days after discovery).
  • Subcontractor management: business associate must flow down the same protections.
  • PHI return or destruction at termination and rights to audit or obtain attestations.

Verify capabilities before signing: enforced TLS, AES encryption at rest, audit logging, role-based administration, retention controls, and reliable support for eDiscovery and legal holds.

Encryption Standards for Email

HIPAA does not mandate one specific algorithm, but strong, standards-based encryption is the norm. Align choices with NIST-recommended practices and your risk analysis.

In transit

  • Use Transport Layer Security (TLS) 1.2 or higher; prefer TLS 1.3; enforce “TLS-only” to external domains when possible.
  • Fail closed to a secure message portal or on-demand password-protected delivery if TLS is unavailable.
  • For high-sensitivity use cases, consider end-to-end options such as S/MIME or OpenPGP.
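
As an added illustration (not code from the article or from Accountable), the following Python decides, per outbound message, whether the SMTP session the sending mail server negotiated meets the transit rules above, and fails closed to a secure-portal notice when it does not. The TlsSession fields, the cipher-name markers, and the "portal" fallback are assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_PROTOCOL = (1, 2)  # TLS 1.2 or higher, as the article requires
# Substrings that mark outdated cipher suites, and the key-exchange prefixes that
# give perfect forward secrecy (TLS 1.3 suites, named "TLS_...", always use
# ephemeral keys). Both lists are assumptions for this example.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")
PFS_PREFIXES = ("ECDHE", "DHE", "TLS_")

@dataclass
class TlsSession:
    """What the sending mail server observed; protocol None means STARTTLS failed."""
    protocol: Optional[str]        # "TLSv1.3", "TLSv1.2", "TLSv1", "SSLv3", ...
    cipher: str = ""               # OpenSSL-style suite name
    cert_verified: bool = False    # recipient certificate chain validated

@dataclass
class TlsMonitor:
    failures: list = field(default_factory=list)   # (domain, problems) for alerting

def protocol_version(name: Optional[str]) -> tuple:
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1, 0); SSL or no TLS at all -> (0, 0)."""
    if not name or not name.startswith("TLSv"):
        return (0, 0)
    major, _, minor = name[4:].partition(".")
    return (int(major), int(minor or 0))

def tls_problems(s: TlsSession) -> list:
    """Every way the session falls short of the policy; empty means acceptable."""
    problems = []
    if protocol_version(s.protocol) < MIN_PROTOCOL:
        problems.append(f"protocol {s.protocol} below TLS 1.2")
    if not s.cipher.startswith(PFS_PREFIXES):
        problems.append("cipher suite without forward secrecy")
    if any(m in s.cipher.upper() for m in WEAK_MARKERS):
        problems.append(f"outdated cipher {s.cipher}")
    if not s.cert_verified:
        problems.append("recipient certificate not verified")
    return problems

def route(domain: str, session: TlsSession, tls_required: bool,
          monitor: TlsMonitor) -> str:
    """'smtp' = deliver over the negotiated session; 'portal' = fail closed and
    send a secure-portal notice instead. tls_required is True for messages that
    carry PHI and for domains the policy marks TLS-only."""
    problems = tls_problems(session)
    if problems:
        monitor.failures.append((domain, problems))   # feeds TLS-failure monitoring
    if tls_required and problems:
        return "portal"
    return "smtp"
```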

At rest

  • Encrypt mailboxes, archives, and mobile devices using AES encryption (commonly AES‑256) with strong key management.
  • Use FIPS 140-2/140-3 validated cryptographic modules where feasible.

Practical tips

  • Keep PHI out of subject lines and meeting invites; subject lines can surface in notifications.
  • Harden SMTP: disable outdated ciphers, require perfect forward secrecy, and monitor TLS failures.
  • Use DLP rules to auto-encrypt or block messages that contain identifiers.
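
An added example (not code from the article or from Accountable) of the DLP rule in the last tip, applied to the subject-line and external-forwarding risks described in "Risk scenarios to avoid": it scans a constructed outbound message for the identifiers the article names and decides whether to block, auto-encrypt, or allow it. The identifier patterns, the word lists, and the internal-versus-external policy are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed patterns for three identifiers the article names (email address,
# MRN, member ID) plus small condition and care-context word lists. A real DLP
# policy would load the organisation's own documented lists; these are assumptions.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
MRN_RE = re.compile(r"\bMRN[\s:#-]*\d{6,10}\b", re.I)
MEMBER_RE = re.compile(r"\bmember\s*(?:id|#)[\s:#-]*[A-Z0-9]{6,12}\b", re.I)
CONDITION_TERMS = ("diagnosis", "strep", "hiv", "diabetes", "positive for")
CARE_TERMS = CONDITION_TERMS + ("lab result", "appointment", "referral",
                                "prescription", "claim", "eob", "invoice")

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str

def identifiers(text: str, sender: str) -> list:
    """Direct identifiers found in text, ignoring the sender's own address."""
    found = [a for a in EMAIL_RE.findall(text) if a.lower() != sender.lower()]
    return found + MRN_RE.findall(text) + MEMBER_RE.findall(text)

def mentions(text: str, terms: tuple) -> bool:
    low = text.lower()
    return any(t in low for t in terms)

def classify(msg: Message, internal_domains: set) -> tuple:
    """Return (action, reasons) where action is 'block', 'encrypt' or 'allow'."""
    # Subject lines surface in notifications and previews, so a diagnosis or an
    # identifier there is blocked outright rather than encrypted.
    if identifiers(msg.subject, msg.sender) or mentions(msg.subject, CONDITION_TERMS):
        return "block", ["diagnosis or identifier in subject line"]
    ids = identifiers(msg.body, msg.sender)
    if not (ids and mentions(msg.body, CARE_TERMS)):
        return "allow", []          # no identifier tied to health, care or payment
    reasons = [f"identifier {ids[0]} with care context in body"]
    external = [r for r in msg.recipients
                if r.rsplit("@", 1)[-1].lower() not in internal_domains]
    if external:
        # PHI leaves the organisation only under enforced encryption.
        reasons.append(f"external recipient {external[0]}")
        return "encrypt", reasons
    return "allow", reasons + ["internal recipients only; at-rest controls apply"]
```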

Access Controls in Email Communication

Strong access controls reduce the risk of unauthorized access to ePHI. Combine identity assurance, least privilege, and continuous monitoring.

Core controls

  • Role-Based Access Control (RBAC) to limit who can send, receive, and archive PHI.
  • Multi-Factor Authentication (MFA), ideally phishing-resistant (e.g., security keys) for admins and staff.
  • Account lifecycle management with prompt deprovisioning and periodic access reviews.
  • Device protections: disk encryption, screen locks, MDM/remote wipe, and prohibited local forwarding.
  • Logging and audit trails for message access, policy overrides, and admin actions.

Operational safeguards

  • Approved shared mailboxes for care teams with clear ownership and monitoring.
  • Outbound address verification, sender authentication, and banner warnings on external mail.
  • Regular phishing simulations and secure handling of message recalls and bounces.

Email Retention

Retention is about what you keep, where, and for how long. HIPAA requires you to retain required documentation for six years, but it does not set a universal medical record retention period. Align email retention with your medical record policy, state law, payer contracts, and litigation holds.

Retention practices

  • Journal or archive emails that are part of the Designated Record Set so you can produce them on request.
  • Apply defensible retention schedules (e.g., by folder, label, or DLP classification) and automate disposition.
  • Protect archives with encryption, RBAC, MFA, and tamper-evident logging.

Sending PHI by email

  • You may email PHI for treatment, payment, and operations with appropriate safeguards.
  • If a patient requests unencrypted email, you may honor the request after warning them of the risks; document their preference.
  • Obtain written authorization for marketing uses that fall outside treatment or care coordination.
  • Confirm addresses before sending and avoid auto-including PHI in replies or forwarding chains.

Key takeaways

  • Email can be HIPAA-compliant when you manage risk, use strong encryption, and control access.
  • An email address becomes PHI when it resides in the DRS or reveals a healthcare relationship.
  • Secure vendors under a Business Associate Agreement and enforce TLS and AES-based protections.
  • Retain and produce emails that belong in the Designated Record Set; follow documented schedules.

FAQs

What makes an email contain PHI?

An email contains PHI when it includes an identifier (such as a name, email address, member ID, or other direct identifier) plus information related to a person’s health, care, or payment—or when it resides in the Designated Record Set maintained by a covered entity or business associate.

Is it HIPAA-compliant to use personal email accounts for PHI?

Generally no. Consumer accounts that do not provide a Business Associate Agreement and lack enterprise safeguards should not store or transmit PHI. Use an approved email system under a signed BAA with encryption, access controls, and retention capabilities.

What encryption is required for sending PHI via email?

HIPAA is risk-based and does not mandate a single algorithm. In practice, enforce Transport Layer Security (TLS) 1.2+ for messages in transit, fall back to a secure portal when TLS is unavailable, and use AES encryption (commonly AES‑256) for data at rest. For highly sensitive data, consider end-to-end options like S/MIME.

How long must emails containing PHI be retained?

HIPAA requires retention of required documentation for six years but does not prescribe one medical record retention period. Retain emails that form part of the Designated Record Set according to your medical record policy and state law, and preserve them under any legal hold or contract requirement.
