PHI in e-mail

We have experienced several business associates (BAs) sending PHI through unencrypted e-mail. These events range from text in the body of the mail to spreadsheets and PDFs with volumes of PHI.

The information was sent to the appropriate recipient, but I am concerned that this puts PHI at risk since it was unencrypted. In the past we have used the “postcard” analogy to say all PHI needs to be encrypted when in transit.

Do others consider this a breach?

David Woodcock

Categories : Provider Posts


  1. Frank Ruelas says:


    Looking at the description and making the assumption that the PHI being emailed is being disclosed appropriately, in other words the applicable authorizations are in place if needed, I can’t see how this would be a breach.

    Advancing your question further, if the email was received by a non-recipient, the question of a breach would need to be answered after evaluating the situation to see if the disclosure could result in financial, reputational, or other harm to the individual.


  2. Megan Sopher says:

    Hi David,

    I do not think that scenario would meet the definition of a breach if the e-mail reached the intended recipient and there was no unauthorized interception of the message while it was in transit. However, I do think the practice is risky. If your business associate accidentally selected the incorrect recipient or typed the email address wrong you could have a breach on your hands.

    We set up secure connections with our vendors or request that they use encryption when they send PHI to us via e-mail. Also, our internal policy is that we do not send PHI to external e-mail addresses either without appropriate encryption.

    – Megan

  3. Jacque Cole says:

    I totally agree with Megan. The use of non-encryption or secured weblink is a risky practice. It is not showing your diligence in the ‘attempt to secure PHI’. I put attempt in quotes because the reality is that we are attempting. If a hacker wants to get your information, they eventually will no matter what you do... the nature of the beast.

    The other thing is to make sure you are following your internal policy. If the person sending the email is not following internal policy, then education and reporting to your Privacy/Security Officer would be necessary. And it would then be a breach based on your internal policy compliance.


  4. Adam Bullock says:

    Hi David,

    We just had a recent question, and I’ll provide the same link:


    What does this answer say? If deemed an appropriate safeguard, then email encryption should be used.

    It can also be a good idea to give that feeling of safety and security to your clients. With that said, do your research and make sure you select an email encryption service that:

    1) Is easy to use.
    2) Requires no hardware/software to download.

    – Adam

  5. John King says:

    While not a breach if the email reaches the intended recipient, the practice is a violation of HITECH intent to secure PHI in transit. One missed key stroke and you most likely have a breach. How would you know for sure? That is the point. Your internal policies and procedures should reflect that no PHI is transmitted in the email body and that attachments are encrypted. You’ll rest easier and demonstrate that your intent was to be secure, a win-win.

  6. Frank Ruelas says:


    Let’s be clear. The practice of sending an email that contains unencrypted PHI is not a breach of HITECH Act’s intent to secure PHI in transit.

    If you believe so, please provide more info as this is certainly not anywhere within the HITECH Act text.

    Understand I am not challenging your logic or statement but just making sure that we are all using the same body of work to formulate our responses. Now if your interpretation is that this practice would be a violation, so be it as this would be your opinion which I totally accept and respect. Whether I agree or not is another matter.

    Many thanks,
