Who Sent the Email
Is the sender of the message subject to HIPAA regulations? In this situation, the sender was a Crozer-Keystone employee, so the answer is yes. But many support group entities are non-profit organizations staffed by volunteers who do not meet the definition of a covered entity or business associate under HIPAA, and are therefore not subject to HIPAA regulations.
Does the Email Contain PHI
Many times the answer to this question is not so clear-cut. In this example, the support group was specifically for bariatric surgery patients, so anyone reading the email can reasonably assume that the recipients had all received bariatric surgery. But what if the list included anyone who signed up for information related to bariatric surgery at a community health fair? Some people would say the answer is still yes, because people who request information are prospective bariatric surgery candidates. Others would say the answer is no, because simply requesting information does not constitute protected health information.
Did the Recipients Give Permission
The HIPAA Final Rule, published in January 2013, allows for communication of unencrypted PHI if the recipients have been “duly warned” of the risks but still agree to this method of communication. If this is the case, it’s a good idea for the sender to include a disclaimer in any messages that would otherwise be considered a HIPAA violation, but for which the recipient(s) approved or requested an unencrypted means of communication.
So, while using a secure method of communicating PHI is best practice, not using it isn’t always a HIPAA violation.