4.1.F HIPAA/Privacy: General Rules - Emailing PHI Policy

    PURPOSE:

    To establish policy and procedure for the transmission of PHI via email or other means of electronic transfer, to comply with HIPAA and its accompanying regulations, and to protect the confidentiality and integrity of PHI as required by State and Federal law, professional ethics, and accreditation agencies.

    POLICY:

    LHCC prohibits sending email to patients and/or other parties unless properly encrypted software has been used. Please check with the IT supervisor, Kayla Stokes, for this software.

    PROCEDURES:

    Users of email have the capacity to forward, print, and circulate any message; therefore, users should exercise discretion, apply confidentiality protections, and use encryption.

    PHI received or transmitted via email must be protected. Printers must be operated in a secure manner to protect the confidentiality of the information. There are two types of email communication utilized by LHCC: traditional email and direct email.

    Traditional Email: Traditional email (e.g. Gmail, Yahoo Mail, or company email) communication systems are NOT inherently secure. Mail sent via the internet or other external systems can be intercepted and read by individuals other than the intended recipient. Even internal email may make its way to the internet. Therefore, when email is used for communication of confidential or sensitive information, specific measures must be taken to safeguard the confidentiality of the information. Specific safeguards are as follows:

    • The recipient address should be confirmed.
    • ALL electronic communications containing PHI MUST be encrypted.
    • A notation referring to the confidential or sensitive nature of the information should be made in the subject line to further safeguard the confidentiality of electronically submitted data.
    • Use a banner at the top of each email message stating: “This is a CONFIDENTIAL medical communication. If you have received this email in error, please notify the sender and destroy it.”
    • PHI may be distributed to multiple recipients; however, the use of distribution lists is prohibited.
    • Double-check all address fields prior to sending messages, including “To”, “Cc”, and “Bcc”.
    • PHI is to be distributed only to those with a legitimate “need to know”.
    • Distribution of PHI other than for treatment purposes is restricted to the minimum amount that is reasonably necessary for the purpose intended.
    • Distribution of PHI outside of LHCC constitutes a disclosure of PHI and shall be tracked accordingly.

    Direct Address Email: Direct email functions like regular e-mail with additional security measures to ensure that messages are accessible only to the intended recipient, per the protection regulations of the Health Insurance Portability and Accountability Act (HIPAA). A Direct address looks very similar to an e-mail address; an example would be b.wells@direct.aclinic.org. LHCC has Direct email addresses through SureScripts in the HealthFusion software.

    Revised 2/2016