Guidance on the Use of Email Containing PHI | Health Insurance Portability and Accountability Act


Use of Email to Transmit Protected Health Information: Understanding University Policy

Sending protected health information (PHI) via email exposes it to two risks:

  • The email could be sent to the wrong person, usually because of a typing error or because the wrong name was selected from an autocomplete list.
  • The email could be intercepted electronically in transit.

HIPAA requires that we take reasonable steps to protect against these risks, but recognizes that a balance must be struck between the need to protect PHI and the need to ensure that physicians can efficiently exchange important patient care information. The University's HIPAA Policy 5123 on electronic communication of health-related information strikes a reasonable balance. The policy imposes a critical security requirement:

You should never send or receive email containing PHI from any device that does not meet Yale's minimum security standards. These requirements are outlined in the University's HIPAA Policy 5100.

In addition, you must continue to observe the following rules:

  • Limit the information you include in an email to the minimum necessary for your clinical or billing purpose.
  • Whenever possible, avoid transmitting highly sensitive PHI (for example, mental health, substance abuse, or HIV information) via email.
  • Never use global auto-forwarding to send email from your Yale email account to an outside account.
  • Never send PHI via email unless you have verified the recipient's address (for example, from a directory or from a previous email) and have checked that you entered the address correctly. Autocomplete is the usual source of misdirected mail, so confirm the full address, not just the display name.
  • Always include a privacy statement that notifies the recipient that email is insecure and provides a contact to whom the recipient can report a misdirected message.

Recommended privacy statement:

Please note that email communication may be intercepted in transmission or rerouted. Consider communicating any confidential information by phone, fax, or mail. The information contained in this message may be privileged and confidential. If you are not the intended recipient, please notify the sender immediately, with a copy to , and destroy this message.


You can continue to email PHI from one Yale email address to another Yale email address, or to a Yale New Haven Health System email address (including ynhh.org and greenwichhospital.org, among others), as long as you follow the rules above.

You may exchange PHI via email outside the Yale or Yale New Haven Health System network as long as you follow the rules above and one of the following circumstances applies:

  1. The email is sent to a non-Yale physician, research collaborator, or collaborating institution and contains information urgently needed for patient care, and patient identifiers are limited to name, date of birth, medical record number, or telephone number, as necessary.

  2. The email is sent to an external physician, research collaborator, or collaborating institution and must be transmitted in a timely manner, and it does not contain direct identifiers (the patient's name, address, Social Security number, date of birth, telephone/fax numbers, or email address) and does not contain highly sensitive PHI (for example, mental health, substance abuse, or HIV-related information).

  Note: Less direct identifiers may be included, such as a medical record number or initials (for example, "S.R.").

  3. The patient or research subject has agreed to the use of email by completing a consent form for communication by email (available at: https://).

  4. The email is encrypted through a secure messaging system, such as Yale's Microsoft O365 instance (formerly known as Yale Connect). For details on how to encrypt email, visit . Email can also be sent securely using MyChart or Yale's secure file transfer app.


Note: You should encrypt email whenever you send sensitive information (that is, HIPAA data) to a third-party email provider. When you send an email to an outside organization from your Yale account, it is not encrypted unless you add the word encrypt in square brackets at the beginning of the subject line. For example: Subject: [encrypt] please check back today. The tag must be at the start of the subject; a tag buried later in the subject line does not trigger encryption. For more details, visit .

Note that the circumstances set forth above include different time elements. You may email PHI to non-Yale physicians or collaborators (Circumstances 1 or 2) only if the information needs to be communicated urgently or in a timely manner. There is no timeliness requirement attached to Circumstances 3 or 4.
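The rules above (verify the recipient, keep PHI inside the Yale / Yale New Haven Health network, and use the `[encrypt]` subject tag for external recipients) can be turned into a pre-send check. The script below is an added example written for this page; it is not Yale's tooling and is not referenced by the policy. It assumes `yale.edu` is the internal University domain (the page names only ynhh.org and greenwichhospital.org explicitly), takes the `[encrypt]` subject-line trigger from the note above, and uses heuristic regular expressions to approximate the direct identifiers listed in Circumstance 2 (SSN, phone, date of birth, email address). An unencrypted external draft that contains such identifiers is blocked, because the sender would then have to rely on the urgent-care or patient-consent circumstances, which a script cannot verify.

```python
"""Pre-send policy gate for an email draft carrying PHI.

Added example, not Yale's code. Assumptions are marked inline.
"""
import re
from dataclasses import dataclass, field

# Domains treated as inside the Yale / Yale New Haven Health network.
# yale.edu is an assumption; the page lists ynhh.org and greenwichhospital.org.
INTERNAL_DOMAINS = {"yale.edu", "ynhh.org", "greenwichhospital.org"}

# Subject-line trigger for O365 message encryption, as described on the page.
ENCRYPT_TAG = "[encrypt]"

# Heuristic patterns for the direct identifiers the page lists. They are
# deliberately broad: a pre-send gate should over-flag rather than miss,
# so expect false positives (e.g. any date, not only a date of birth).
DIRECT_IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


@dataclass
class Draft:
    recipient: str
    subject: str
    body: str


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)
    identifiers_found: dict = field(default_factory=dict)


def recipient_domain(address: str) -> str:
    """Lower-cased domain part of an address; empty string if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return ""
    return domain.lower()


def has_encrypt_tag(subject: str) -> bool:
    """True only if the tag is at the beginning of the subject (case-insensitive)."""
    return subject.lstrip().lower().startswith(ENCRYPT_TAG)


def find_direct_identifiers(text: str) -> dict:
    """Map identifier type -> list of matches for every pattern that fires."""
    return {
        name: matches
        for name, pattern in DIRECT_IDENTIFIER_PATTERNS.items()
        if (matches := pattern.findall(text))
    }


def check_draft(draft: Draft, recipient_verified: bool) -> Verdict:
    """Apply the page's rules to one draft.

    recipient_verified: the sender confirmed the address against a directory
    or a previous email (the page's rule; the script cannot do this itself).
    """
    verdict = Verdict(allowed=True)
    verdict.identifiers_found = find_direct_identifiers(draft.subject + "\n" + draft.body)

    if not recipient_verified:
        verdict.allowed = False
        verdict.reasons.append("recipient address not verified against a directory or prior email")

    domain = recipient_domain(draft.recipient)
    if not domain:
        verdict.allowed = False
        verdict.reasons.append("recipient address is malformed")
        return verdict

    if domain in INTERNAL_DOMAINS:
        return verdict  # internal: PHI permitted, still subject to minimum necessary

    if has_encrypt_tag(draft.subject):
        return verdict  # external, but encrypted by the O365 subject-line rule

    if verdict.identifiers_found:
        verdict.allowed = False
        verdict.reasons.append(
            "unencrypted external email contains direct identifiers: "
            + ", ".join(sorted(verdict.identifiers_found))
        )
    else:
        # Allowed under Circumstance 2 only; the sender must confirm timeliness
        # and the absence of highly sensitive PHI, which regexes cannot judge.
        verdict.reasons.append(
            "unencrypted external email: confirm it is timely and carries no highly sensitive PHI"
        )
    return verdict


if __name__ == "__main__":
    # Constructed sample drafts, not real patient data.
    samples = [
        Draft("colleague@ynhh.org", "Follow-up", "MRN 0001234, SSN 123-45-6789"),
        Draft("doc@example.org", "Referral", "Jane Doe, DOB 01/15/1980, phone 203-555-0100"),
        Draft("doc@example.org", "[encrypt] Referral", "Jane Doe, DOB 01/15/1980"),
    ]
    for d in samples:
        v = check_draft(d, recipient_verified=True)
        print(d.recipient, "->", "ALLOW" if v.allowed else "BLOCK", v.reasons)
```

The gate is conservative by design: it blocks on any identifier-looking string for an unencrypted external recipient and reports which patterns fired, so the sender can either add the `[encrypt]` tag, strip the identifiers, or decide that Circumstance 1 or 3 applies and document that decision. It does not attempt to detect highly sensitive PHI (mental health, substance abuse, HIV), which needs human judgment.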


  • These guidelines attempt to minimize the risk of a privacy breach, but do not eliminate that risk.
  • Some University divisions may impose more restrictive limitations on email, and you should be familiar with those restrictions.
  • If you discover that an email containing PHI has been misdirected, you must immediately report it to the Security Incident Hotline: 203-627-4465.

Frequently Asked Questions

Can I send an encrypted email with attachments?

Yes. When you encrypt the email by adding [encrypt] to the beginning of the subject line, both the message itself and any attachments are encrypted.

What do I do if a patient sends me an unencrypted email?

Patients can submit their own information in any way they see fit, including via unencrypted email. Patient communication is best done through MyChart, but we recognize that not all patients use MyChart. Before replying to a patient's email, it is important to verify that the email is actually from the patient. Some things to consider:

  • Is the email address the same as the one on file?
  • Does the email contain information that only the patient would know?

If you have any doubts about the authenticity of the sender, contact the patient using the phone number on file in Epic, or use MyChart.

When replying to a patient's unencrypted email, you have several options:

  • Reply to the patient through MyChart.
  • Reply to the patient using encrypted email.
  • Review the patient's chart to see whether they have consented to the use of unencrypted email via the HIPAA Email Authorization Form or the HIPAA Representative Form.
  • Respond to the patient via unencrypted email without including any PHI, which means also removing any PHI the patient previously sent to you (for example, from the quoted thread). In your initial response, you might want to confirm that the patient wants to continue sending PHI via unencrypted email.

How do I know if a patient has consented to the use of unencrypted email?

The following are indicators that the patient has been made aware of the risks of unencrypted email and has consented to its use:

  • The signed authorization for communication form was scanned into the Epic Media tab.
  • There is an email address on the patient demographics screen of the patient registry. (Note: Staff members are expected to remind patients of the risks of unencrypted email when requesting email addresses verbally.)
  • The patient indicates in the email that he or she approves of the use of unencrypted email.

Revision: 12/2020
