Group Emails and HIPAA, Is it a Violation?

Last week, Crozer-Keystone Health Systems sent a group email to approximately 900 bariatric surgery patients informing them of a support group. Unfortunately, the email was sent with the recipient addresses in the carbon copy field (cc) instead of the blind carbon copy field (bcc). This exposed all email addresses to every recipient. Is this a HIPAA Violation? There are several points to consider when answering the question.

Who Sent the Email

Is the sender of the message subject to HIPAA regulations? In this situation, the sender was a Crozer-Keystone employee, so the answer is yes. But many support group entities are non-profit organizations staffed by volunteers who do not meet the definition of a covered entity or business associate under HIPAA, and are therefore not subject to HIPAA regulations.

Does the Email Contain PHI

Many times the answer to this question is not so clear-cut. In this example, the support group was specifically for bariatric surgery patients, so anyone reading the email can reasonably assume that the recipients had all received bariatric surgery. But what if the list included anyone who signed up for information related to bariatric surgery at a community health fair? Some people would say the answer is still yes, because people who request information are prospective bariatric surgery candidates. Others would say the answer is no, because simply requesting information does not constitute protected health information.

Did the Recipients Give Permission

The HIPAA Final Rule, published in January 2013, allows for communication of unencrypted PHI if the recipients have been “duly warned” of the risks but still agree to this method of communication. If this is the case, it’s a good idea for the sender to include a disclaimer in any messages that would otherwise be considered a HIPAA violation, but for which the recipient(s) approved or requested an unencrypted means of communication.

So, while using a secure method of communicating PHI is best practice, not using it isn’t always a HIPAA violation.