HIPAA – Health plans and healthcare providers using e-mail to exchange PHI

Health plans and healthcare providers are increasingly using e-mail to exchange PHI. A HIPAA question that was raised: “Can a health plan disclose information (e.g., name, diagnosis, and admit dates) to network physicians when the members are admitted to an acute care setting via e-mail sent through Microsoft Outlook? What precautions should the health plan take? Is sending the PHI via a password-protected Excel spreadsheet secure?”

A health plan can use Microsoft Outlook to exchange PHI with network physicians, but only if it also uses a secure messaging application or appliance connected to the e-mail server, so that the message and its attachments are encrypted in transit. The HIPAA Security Rule listed the encryption of PHI transmissions as addressable rather than required when the rule was published in 2003, partially because the technology was not considered mature. Addressable never meant optional: a covered entity must implement the safeguard or document why it is not reasonable and appropriate and put an equivalent measure in place. The immaturity argument is no longer true.

Today it would be difficult for a health plan to justify not encrypting e-mail containing PHI. Interoperability and cost, often cited as reasons not to encrypt e-mail, are no longer factors.

There are solutions on the market that fit the budgets of organizations of all sizes and only require e-mail recipients to have Internet access and an e-mail account. Covered entities of all types should take precautions when e-mailing PHI. This includes implementing a secure messaging solution before sending PHI via e-mail. A password-protected Excel spreadsheet does provide some additional security over a plain attachment, but not enough on its own.

However, even when you communicate the password separately from the spreadsheet, an attacker who obtains the file can test password guesses offline, at machine speed, without ever touching the channel the password was sent over. The protection is therefore only as strong as the password itself, and human-chosen passwords fall to dictionary attacks fairly easily. Also, password-protected spreadsheets, documents, and databases do not provide the same level of security as encryption of the whole message: the subject line, the body, and any other attachments still travel in the clear.
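To make the point concrete, here is an added illustration (not code from the original post) of why a password-protected file is only as strong as the password. It models the file abstractly: the file stores a verifier derived from the password, so anyone holding the file can check guesses offline. PBKDF2-HMAC-SHA256 is used as the key-derivation function purely as an assumption; Excel's own protection scheme is not modeled, and the wordlist and salt are constructed for the example.

```python
import hashlib
import secrets

# Assumed work factor for the key derivation; a real file format fixes its own.
ITERATIONS = 20_000
# Constructed salt; a real file stores its own salt alongside the verifier.
SALT = b"constructed-salt"


def derive_key(password: str) -> bytes:
    """Derive a 128-bit file key from a password (PBKDF2-HMAC-SHA256, assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS, dklen=16)


def password_verifier(password: str) -> bytes:
    """What a password-protected file stores so a reader can check a typed password.

    Whoever holds the file holds this value, so guesses can be checked offline;
    sending the password by a separate channel does not change that.
    """
    return hashlib.sha256(derive_key(password)).digest()


# Constructed wordlist: a handful of words an attacker would try first for a
# health-plan spreadsheet. Real attack dictionaries hold millions of entries.
WORDLIST = ["password", "welcome", "patient", "health", "claims", "admit", "summer", "phi"]


def candidates(word: str):
    """Simple mangling rules applied to each dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word.capitalize() + "!"
    yield word.capitalize() + "123"


def dictionary_attack(verifier: bytes, wordlist=WORDLIST):
    """Offline attack against a file's stored verifier.

    Returns (recovered_password, guesses_tried); the password is None if the
    dictionary is exhausted without a match.
    """
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            if password_verifier(cand) == verifier:
                return cand, guesses
    return None, guesses


def expected_guesses_for_random_key(bits: int = 128) -> int:
    """Expected number of guesses to recover a uniformly random key of the given size.

    This is what a secure messaging solution's encryption key costs to guess,
    as opposed to a password a person chose.
    """
    return 2 ** (bits - 1)


if __name__ == "__main__":
    # A file "protected" with a human-chosen password falls to a tiny dictionary.
    stored = password_verifier("Patient123")
    found, tried = dictionary_attack(stored)
    print(f"password-protected file: recovered {found!r} after {tried} guesses")

    # A file encrypted under a random 128-bit key is not a dictionary problem at all.
    random_key = secrets.token_bytes(16)
    found, tried = dictionary_attack(hashlib.sha256(random_key).digest())
    print(f"random-key file: dictionary exhausted after {tried} guesses, found {found!r}")
    print(f"expected guesses for a random 128-bit key: {expected_guesses_for_random_key()}")
```

The work factor only slows each guess down; it does not change the fact that a password drawn from a small human vocabulary is found after tens or thousands of attempts, while a random key of the same nominal length would take on the order of 2^127 attempts. That gap is what the page means by password protection not being the same as encryption.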
