In December 2023, OCR settled with a healthcare system for $480,000 after an investigation revealed workforce members had been emailing unencrypted patient information to personal email accounts for years. The organization argued the emails were "just scheduling details" — but those details included patient names, dates of birth, and appointment types. If your organization uses email in any clinical or administrative workflow, you need a clear answer to the question: is email PHI under HIPAA?

Is Email PHI, or Is It the Content That Matters?

Email itself is not automatically PHI. An email becomes protected health information when it contains individually identifiable health information — any data that relates to a patient's health condition, treatment, or payment and can be linked to a specific person. A blank email or a staff scheduling message with no patient data is not PHI.

But here's where covered entities get tripped up: PHI is broader than most people assume. Under the Privacy Rule (45 CFR §164.501), protected health information is individually identifiable health information, and that definition expressly includes demographic data. The information does not have to be a diagnosis: billing codes, appointment details, and even a patient's name combined with the name of their provider or clinic all relate to the provision of health care and identify the patient. An email reading "John Smith's MRI results are ready" is PHI, full stop.

The critical question isn't whether email is PHI. It's whether the email contains PHI. And in healthcare operations, the answer is almost always yes.

The 18 Identifiers That Turn Any Email into PHI

HIPAA's de-identification standard at 45 CFR §164.514(b)(2) lists 18 identifiers. When any of them appears alongside health information in an email, that message is PHI and must be protected accordingly. The ones that turn up most often in email are:

  • Patient names
  • Dates more specific than a year (birth, admission, discharge, death), and any age over 89
  • Phone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Any other unique identifying number, characteristic, or code

The rest of the list (geographic data smaller than a state, certificate and license numbers, vehicle and device serial numbers, URLs, IP addresses, biometric identifiers, and full-face photographs) shows up less often in email but counts just the same. In my work with covered entities, I consistently see organizations underestimate how many of these identifiers appear in routine email. Referral requests, lab notifications, appointment reminders, and billing inquiries almost always contain at least two or three identifiers.

What the HIPAA Security Rule Requires for Email Containing PHI

Once you establish that an email contains PHI, the Security Rule (45 CFR Part 164, Subpart C) imposes specific obligations. Your organization must implement technical safeguards to protect electronic PHI (ePHI) in transit — and email is one of the most common transmission vectors.

The Security Rule makes encryption part of your risk analysis (§164.308(a)(1)(ii)(A)). Encryption of ePHI in transit is an "addressable" implementation specification (§164.312(e)(2)(ii)) under the transmission security standard at §164.312(e)(1), and addressable does not mean optional. Under §164.306(d)(3) you must either implement it, or document why it is not reasonable and appropriate in your environment and implement an equivalent alternative safeguard that is. For email carrying PHI that documented case is hard to make, and OCR enforcement actions have made clear that unencrypted email containing PHI is one of the fastest paths to a HIPAA violation. One caveat practitioners often miss: TLS between mail servers is usually opportunistic and silently falls back to plaintext when the receiving server does not offer it, so "our server uses TLS" only counts as encryption if you enforce it for the recipient domain or use message-level encryption or a secure portal instead.

Beyond encryption, any email system that handles PHI also has to meet the Security Rule's other technical safeguard standards: access control (§164.312(a)(1)), audit controls (§164.312(b)), integrity (§164.312(c)(1)), and transmission security (§164.312(e)(1)). In practice that means unique user IDs, logging that lets you reconstruct who sent what to whom, and mail-flow controls that keep PHI from leaving through unapproved paths.

HHS addressed this in the preamble to the 2013 Omnibus Rule and has repeated it in its FAQ guidance: a covered entity may send PHI to a patient by unencrypted email if it has told the patient that unencrypted email carries a risk of interception and the patient still prefers it. This follows from the patient's rights to request confidential communications by alternative means (§164.522(b)) and to receive access to their records in the form and format they ask for (§164.524(c)(2)). It is not a blanket permission to email PHI freely.

Your Notice of Privacy Practices should address electronic communications, and the patient's informed choice should be documented, not assumed. Telling a patient "we'll email you your results" without explaining that standard email is not secure does not satisfy HIPAA's requirements.

This exception applies only to patient-directed communications. It does not apply to emails between workforce members, emails to business associates, or emails to other covered entities. Those transmissions must meet full Security Rule standards.

Common Email Scenarios That Create Risk

Healthcare organizations consistently struggle with these email-related compliance gaps:

  • Forwarding PHI to personal accounts: Staff emailing patient data to Gmail, Yahoo, or other personal accounts to "work from home" moves ePHI outside the systems your safeguards cover. It is a transmission security failure under the Security Rule and an impermissible disclosure under the Privacy Rule, and it is presumed to be a breach unless your risk assessment shows a low probability that the PHI was compromised.
  • CC'ing the wrong recipient: A misdirected email containing PHI is an impermissible disclosure, and under the Breach Notification Rule (45 CFR §§164.400-414) an impermissible disclosure is presumed to be a breach unless you can show, through a documented assessment of the four factors in §164.402 (the nature and extent of the PHI, who received it, whether it was actually viewed, and how far the risk has been mitigated), that there is a low probability the PHI was compromised, or unless one of the rule's narrow exceptions applies (for example, an inadvertent disclosure between two authorized workforce members at the same entity). The 500-individual figure affects only notification timing and whether media and prompt HHS notice are required; it is not the threshold for whether a breach occurred.
  • Using email subject lines with PHI: Subject lines are message headers, and many "secure email" products protect only the body: S/MIME and PGP leave the Subject header in the clear, and portal-based systems deliver an ordinary notification email whose subject line your staff wrote. A patient name or condition in a subject line is readable by every mail server that relays the message and typically ends up in mail logs.
  • Auto-forwarding rules: A workforce member who sets an inbox rule that auto-forwards to an external account creates an uncontrolled, ongoing disclosure pathway for ePHI, and attackers who compromise a mailbox set the same kind of rule to exfiltrate quietly. Disable external auto-forwarding at the mail platform and periodically audit inbox rules rather than relying on policy alone.
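
To make the identifier list and the scenarios above concrete, here is an added example, not code from the original page or from any vendor product, of the kind of outbound check a mail gateway or DLP rule would apply before a message leaves: it parses an RFC 5322 message, looks for the pattern-matchable identifiers from §164.514(b)(2) in the Subject header and body, and flags recipients outside an assumed allow-list of organisational domains. The identifier regexes, the allow-list domains, the addresses and the two sample messages are all constructed for illustration. Names and free-text diagnoses are deliberately not matched; that gap is exactly why pattern checks supplement training rather than replace it.

```python
"""Outbound-email PHI check.

Added example, not code from the original page or any vendor product.
Parses an RFC 5322 message, flags pattern-matchable identifiers from
45 CFR 164.514(b)(2) in the Subject header and body, and flags
recipients whose domain is outside an assumed allow-list.  Regexes,
allow-list domains and sample messages are constructed for illustration.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Identifier classes that can be matched by pattern.  Names and free-text
# diagnoses need a dictionary or NLP layer and are deliberately not covered.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
}

# Hypothetical organisational domains; any other recipient domain is "external".
INTERNAL_DOMAINS = {"clinic.example", "lab.example"}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Map each identifier class that matches in `text` to its matches."""
    return {name: found for name, pat in IDENTIFIER_PATTERNS.items()
            if (found := pat.findall(text))}


def external_recipients(msg: Message) -> list[str]:
    """Addresses in To/Cc/Bcc whose domain is not on the allow-list."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts (a single-part message is its own part)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw: str) -> dict:
    """Return what was found and whether the message should be held for review."""
    msg = message_from_string(raw)
    subject_hits = find_identifiers(msg.get("Subject", ""))
    body_hits = find_identifiers(body_text(msg))
    external = external_recipients(msg)
    findings = []
    if subject_hits:
        # Subject headers stay in the clear under S/MIME and PGP, so hold regardless of recipient.
        findings.append("identifiers in Subject header")
    if body_hits and external:
        findings.append("identifiers in body addressed to external recipients")
    return {
        "subject_identifiers": subject_hits,
        "body_identifiers": body_hits,
        "external_recipients": external,
        "findings": findings,
        "hold": bool(findings),
    }


# Constructed sample messages (hypothetical addresses and patient data).
SAMPLE_OK = """From: scheduler@clinic.example
To: Dana Lee <lee@clinic.example>
Subject: Coverage question for Thursday

Can you cover the 2pm slot on Thursday?
"""

SAMPLE_LEAK = """From: scheduler@clinic.example
To: scheduler.home@gmail.example
Cc: lee@clinic.example
Subject: John Smith MRI - MRN 00482913

DOB 03/14/1968, phone (555) 201-9933, SSN 123-45-6789.
Results are ready for review.
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("leak", SAMPLE_LEAK)):
        result = check_message(sample)
        print(label, "HOLD" if result["hold"] else "pass", result["findings"])
```

Run stand-alone, the first sample passes (a scheduling message with no patient data addressed to a colleague) and the second is held twice over: the Subject header carries a medical record number, and a body with a date of birth, phone number and SSN is addressed to an account outside the allow-list. A production rule would sit in front of the MTA and route a held message to a secure-mail channel or back to the sender rather than just printing a verdict.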

The Minimum Necessary Standard Applies to Every Email

Even when your email is encrypted and your systems are properly configured, the Privacy Rule's minimum necessary standard under §164.502(b) still applies. Every email containing PHI should include only the information needed to accomplish the purpose of the communication.

Sending an entire patient chart via email when only a lab value was requested violates this standard. Your workforce needs to understand that HIPAA compliance is not just about how you send information — it's about how much you send.

Build Email Compliance into Your Workforce Training Program

OCR has repeatedly emphasized that workforce training failures are a root cause of email-related HIPAA violations. Under the Privacy Rule (§164.530(b)) covered entities must train all workforce members on the policies and procedures that govern PHI, and the Security Rule's security awareness and training standard (§164.308(a)(5)) adds the same obligation for ePHI. Between them, that covers email handling.

Your training program should cover when email may contain PHI, how to use your organization's secure email tools, what to do when an email is misdirected, and how the minimum necessary standard applies to electronic communications. A comprehensive HIPAA training and certification program gives your workforce the specific, scenario-based education they need to handle email correctly.

If your organization hasn't updated its email policies or training materials in the past 12 months, you're likely operating with gaps that OCR would flag during an investigation.

Take Action Before an Email Becomes a Breach

The question "is email PHI" is one your entire workforce should be able to answer confidently. Every staff member who touches email — from front desk coordinators to physicians — needs to understand what makes an email PHI, when encryption is required, and what the consequences are for mishandling electronic protected health information.

Start by conducting a focused risk analysis on your email workflows. Identify where PHI enters email, who has access, and whether your current safeguards meet Security Rule requirements. Then ensure every workforce member completes up-to-date training through a platform like HIPAA Certify's workforce compliance program that addresses real-world email scenarios — not just abstract policy language.

Email is not going away in healthcare. But with the right safeguards, policies, and training, it doesn't have to be your organization's biggest compliance liability.