Is an Email Address Considered PHI?

An email address is considered PHI – or assumes the same protections as PHI – when a HIPAA covered entity stores the email address in a designated record set that contains health, treatment, or payment information, and the email address could be used to identify the subject of the health, treatment, or payment information.

It is important to know when an email address is considered PHI because HIPAA covered entities can use email addresses for different purposes. For example, a hospital may use an email address to notify a patient of a test result – in which case the email address is considered PHI – or it may use the same email address for a permitted fundraising communication – in which case the email address is not considered PHI.

If the two activities are conducted by separate workforce members, the separate workforce members must be assigned different access permissions. To assign both members of the workforce the same access permissions would be a violation of the HIPAA Security Rule’s Information Access Management standard (§164.308(a)(4)), which requires assigning access permissions to workforce members according to their roles.

When is an Email Address Considered PHI?

It is not always clear when an email address is considered PHI and, like many HIPAA-related questions, the answer is “it depends”. In this case, the answer depends not only on where the email address is stored, but also on whether the email address can be used to identify the subject of the health, treatment, or payment information stored with it.

Consequently, to answer the question of when an email address is considered PHI, it is necessary to understand what is considered PHI under HIPAA and what a designated record set is – notwithstanding that, if an email address is stored in a designated record set but could not be used to identify the subject of other PHI stored in that designated record set, it would not itself be considered PHI under any circumstances (although it assumes the same protected status as the PHI it is stored with).

What is Considered PHI under HIPAA?

PHI under HIPAA is individually identifiable health information “that relates to the […] physical or mental health or condition of an individual; the provision of health care to an individual; or […] payment for the provision of health care to an individual”. Because it is “individually identifiable”, there must be an identifier stored with the health, treatment, or payment information for the health, treatment, or payment information to be considered PHI.

An email address can be considered an identifier if it can be used to identify the subject of the health, treatment, or payment information. However, if the email address is (for example) for a CMS regional office, it would be impossible to identify the subject of the health, treatment, or payment information by itself or when combined with other PHI. Nonetheless, if it is stored in the same designated record set as PHI, it assumes the same protected status.

What is a Designated Record Set?

PHI is automatically stored in a designated record set – a set of records maintained by a HIPAA covered entity that contains an individual’s medical, billing, enrollment, payment, and/or medical management records depending on whether the HIPAA covered entity is a healthcare provider or health plan. Healthcare providers will usually maintain multiple designated record sets per individual to better manage access permissions between departments.

Healthcare providers’ designated record sets can consist of thousands of medical and billing records or just a single medical or billing record. Any non-medical/billing information stored in the same designated record set that could identify – or be used with other information to identify – the subject of the designated record set is also classified as PHI. As mentioned previously, any non-identifying information stored in the designated record set assumes protected status.

Returning to Fundraising Communications

When an individual’s email address – or an email address of a friend or family member – is maintained in a designated record set, the email address is considered PHI. However, there are occasions when a HIPAA covered entity may maintain a database of email addresses for permitted fundraising purposes or other activities. As the database does not contain health, treatment, or payment information, the email addresses are not considered PHI.

Workforce members responsible for fundraising activities do not need to know an individual’s health, treatment, or payment information, so they should be assigned different access permissions from workforce members who do need to know the individual’s health, treatment, or payment information. If all members of the workforce are assigned the same access permissions, those responsible for fundraising would have impermissible access to PHI.
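The following is an added illustration, not code from the article or from HIPAAnswers, of the two points above: the same email address is classified differently depending on the record set it is stored in, and role-based access permissions should follow that classification. The record-set names, roles, permission table and sample addresses are all constructed for the example; the check at the end reports a role that has no need for health, treatment, or payment information but can nevertheless read a record set containing it.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RecordSet:
    # Constructed model of a data store maintained by a covered entity
    name: str
    contains_health_info: bool       # health, treatment or payment information present
    identifies_subject: bool = True  # stored identifiers can single out the subject


# Constructed record sets; the same email address may appear in any of them
PATIENT_CHART = RecordSet("patient_chart", contains_health_info=True)
FUNDRAISING_LIST = RecordSet("fundraising_mailing_list", contains_health_info=False)
# e.g. a payer's regional office address filed with a claim: stored alongside
# payment information, but it cannot identify the patient the claim concerns
PAYER_CONTACTS = RecordSet("claim_payer_contacts", contains_health_info=True,
                           identifies_subject=False)


def classify_email(email: str, record_set: RecordSet) -> str:
    """Classify one stored copy of an email address by where it is stored."""
    if not record_set.contains_health_info:
        return "not PHI"            # e.g. a fundraising database with no health data
    if record_set.identifies_subject:
        return "PHI"                # identifier stored with health/treatment/payment data
    return "protected, not PHI"     # non-identifying, but inside a designated record set


# Hypothetical permission table: role -> record sets the role may read
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"patient_chart"},
    "billing": {"patient_chart", "claim_payer_contacts"},
    "fundraising": {"fundraising_mailing_list"},
}
# Roles whose duties require health, treatment or payment information
ROLES_NEEDING_PHI = {"clinician", "billing"}


def can_access(role: str, record_set: RecordSet,
               permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> bool:
    """Role-based check: a role may read only the record sets assigned to it."""
    return record_set.name in permissions.get(role, set())


def find_impermissible_access(permissions: Dict[str, Set[str]],
                              record_sets: List[RecordSet]) -> List[Tuple[str, str]]:
    """Return (role, record_set) pairs where a role with no need for PHI can
    read a record set holding health, treatment or payment information."""
    by_name = {rs.name: rs for rs in record_sets}
    findings = []
    for role, allowed in permissions.items():
        if role in ROLES_NEEDING_PHI:
            continue
        for name in sorted(allowed):
            rs = by_name.get(name)
            if rs is not None and rs.contains_health_info:
                findings.append((role, name))
    return findings


if __name__ == "__main__":
    addr = "patient@example.invalid"  # constructed sample address
    for rs in (PATIENT_CHART, FUNDRAISING_LIST):
        print(f"{addr} in {rs.name}: {classify_email(addr, rs)}")
    # A shared-permission table of the kind the text warns against
    shared = {"clinician": {"patient_chart"},
              "fundraising": {"patient_chart", "fundraising_mailing_list"}}
    print("violations:", find_impermissible_access(shared, [PATIENT_CHART, FUNDRAISING_LIST]))
```

Running the module shows the same address reported as PHI in the patient chart and as not PHI in the fundraising list, and the audit function flags the fundraising role when it is given the clinician's permissions.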

HIPAA covered entities that are unsure when an email address is considered PHI are advised to speak with an independent HIPAA compliance specialist and to ensure the distinction is integrated into HIPAA training. Workforce members who require further information about what is considered PHI, designated record sets, and access permissions are advised to speak with their HIPAA Privacy Officer or subscribe to a HIPAA awareness course.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]