In general, email is not considered a secure way to transmit PHI and should not be relied upon when other, more secure forms of communication are available.
However, if you have a good reason to believe that emailing the data is the only way to transmit it or the only present method of communication, the following rules must be followed:
- Make sure to send the PHI only to those who really must receive it.
- Verify the intended recipient’s correct name and email address(es). Recipient email addresses that are pre-populated should be used with caution.
- Leave identifiable information out of the email subject line.
- Include PHI as an attachment if at all possible. When sending PHI in the body of an email, include only the information necessary for the recipient and make sure that any personally identifying information is deleted.
- Limit program-specific facts in emails to clients whenever they could potentially reveal sensitive information regarding the recipient’s health.
- Include “Confidential Email” in the subject line before sending the email.