This is the most debatable topic since the changes were enacted in the Health Insurance Portability & Accountability act in 2013. Particular relevance is the language of the HIPAA Security Rule; which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant.
There are few things which need to be keep in mind like HIPAA email rule always require covered entities to implement access control, integrity control, ID authentication & transmission security have to be fulfilled in order to Restrict all the access of PHI.
Need to monitor how PHI is communicated. Have to ensure that Integrity of PHI at rest. Ensure 100% message accountability & have to protect PHI from unauthorized access during transit.
Most of the HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. Although, HIPAA email rules always do not just cover encryption.
Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.
Moreover some required functions are like such as creation of an audit trail and preventing the improper modification of PHI is complex to resolve.
So, although emails can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email. HIPAA compliance for email is not always essential if an organization has an internal email network protected by a proper firewall.
HIPAA regulations for email do not ban sending ePHI by email, there’s still an issue of how to send emails and remain HIPAA compliant.
Although the new regulation considered the sending of ePHI by email an “addressable” code, it was not proposed to be an “optional” consideration – somewhat one which had to be obeyed with if organizations were to avoid undecorated financial penalties from a breach of ePHI.
Is it a HIPAA Violation to Email Patient Names?
It is not a violation to email patient names but the name and other PHI should not be included in the subject lines of an email. The reason behind this is that if the name will be included in the subject lines, it could be easily viewed by unauthorized individuals. Other reason is that while email messages are protected with encryption in transit, to and from field are often not encrypted which could lead to a data breach.