Security in Emailing Results
Overview
When emailing evaluation results that may contain Protected Health Information (PHI), you must take steps to protect patient data and maintain HIPAA compliance. This page outlines the key security practices to follow.
Encryption
Use end-to-end encryption so that PHI is readable only by the intended recipient and not by the mail servers it passes through. HIPAA-compliant email services such as Hushmail for Healthcare or Virtru provide that layer. For attachments, encrypt the file with AES-256 in an authenticated mode (so a modified file is rejected rather than decrypted to garbage) under a strong, randomly generated passphrase, and deliver the passphrase through a different channel such as a phone call, never in the same email or in a follow-up email to the same mailbox. Avoid legacy password-protected ZIP files that use the old ZipCrypto scheme; it is weak and provides no integrity protection.
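The attachment step above, as an added example in Go (not code from the original page or from any vendor named on it): it encrypts a results file with AES-256-GCM under a key stretched from a random passphrase with PBKDF2-HMAC-SHA256, stores the salt and nonce in a small header of the example's own design, and, because GCM authenticates, refuses a tampered file or a wrong passphrase instead of producing garbage. The `PHI1` header format, the 600,000-iteration work factor and the base32 passphrase are this example's assumptions; the passphrase is meant to be read to the recipient by phone, not emailed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
)

// Container layout (this example's own format, not a standard); the header is
// passed to GCM as associated data, so it is authenticated along with the data:
//   magic(4) | salt(16) | nonce(12) | AES-256-GCM ciphertext || 16-byte tag
const (
	magic      = "PHI1"
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32     // a 32-byte key selects AES-256
	iterations = 600000 // PBKDF2-HMAC-SHA256 work factor (assumed for the example)
)

// pbkdf2HMACSHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, standard library only.
func pbkdf2HMACSHA256(passphrase, salt []byte, iter, dkLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, passphrase)
	for block := uint32(1); len(out) < dkLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2HMACSHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a key derived from passphrase and a fresh salt.
func Encrypt(plaintext []byte, passphrase string) ([]byte, error) {
	header := make([]byte, len(magic)+saltLen+nonceLen)
	copy(header, magic)
	if _, err := rand.Read(header[len(magic):]); err != nil { // fresh salt and nonce
		return nil, err
	}
	gcm, err := newGCM(passphrase, header[len(magic):len(magic)+saltLen])
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return gcm.Seal(out, header[len(magic)+saltLen:], plaintext, header), nil
}

// Decrypt reverses Encrypt. A wrong passphrase or any modified byte fails the
// GCM tag check and yields an error rather than corrupted plaintext.
func Decrypt(container []byte, passphrase string) ([]byte, error) {
	headerLen := len(magic) + saltLen + nonceLen
	if len(container) < headerLen || string(container[:len(magic)]) != magic {
		return nil, fmt.Errorf("not a %s container", magic)
	}
	header := container[:headerLen]
	gcm, err := newGCM(passphrase, header[len(magic):len(magic)+saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[len(magic)+saltLen:], container[headerLen:], header)
	if err != nil {
		return nil, errors.New("authentication failed: wrong passphrase or tampered attachment")
	}
	return pt, nil
}

func main() {
	b := make([]byte, 20)
	rand.Read(b)
	pass := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b) // read this to the recipient by phone
	sealed, _ := Encrypt([]byte("HbA1c 6.1%\n"), pass) // constructed sample, not real patient data
	fmt.Printf("attach %d bytes; passphrase to deliver out of band: %s\n", len(sealed), pass)
	sealed[len(sealed)-1] ^= 1 // simulate a tampered attachment
	_, err := Decrypt(sealed, pass)
	fmt.Println("tampered attachment:", err)
}
```

Run it with `go run` and send the output bytes as the attachment. In day-to-day use a practitioner would reach for an existing tool (7-Zip with AES-256, age, or GnuPG) rather than hand-rolled code; the properties to insist on are the same ones shown here: authenticated encryption, a salted and stretched passphrase, and the passphrase kept out of the email.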
Secure File Transfer
Rather than attaching results directly to email, use a HIPAA-compliant secure file transfer service such as ShareFile or Box for Healthcare. Require the recipient to sign in to the service rather than relying on an unguessable link alone, set an expiration date on every download link to limit exposure after the recipient has retrieved the file, and revoke the link once receipt is confirmed. Keep the service's access log; it is your record of who downloaded what and when.
Recipient Verification
Always double-check the recipient's address before sending; address autocomplete selecting a similarly named contact is one of the most common causes of misdirected PHI. For sensitive clinical information, verify the recipient's identity through a secondary channel, such as a phone call to a number you already have on file rather than one supplied in the email thread, before transmitting results.
Email Content
Keep PHI out of the email body and out of the subject line. Both are routinely logged, shown in lock-screen previews and quoted in replies and forwards, and message-level encryption such as S/MIME or PGP leaves the subject line in cleartext. Use generic wording (for example, that requested results are available) together with a confidentiality notice, and keep the actual results behind a secure link or an encrypted attachment.
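A pre-send check covering the two sections above (recipient verification and email content), written for this page as an added Go example rather than code from any product: it rejects recipients whose domain is not on an allowlist, flags lookalike domains within two edits of an approved one so the sender confirms them out of band, and scans the subject and body for identifier patterns that belong in the encrypted attachment. The approved domains, the MRN/SSN/DOB patterns and the `Preflight` function are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Domains approved to receive PHI links. Constructed for this example; in
// practice the list comes from the organisation's directory or DLP policy.
var approvedDomains = []string{"clinic.example", "lab-partner.example"}

// Identifier patterns that must never sit in a subject line or plain body (constructed; adjust MRN to the local format).
var phiPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"MRN", regexp.MustCompile(`(?i)\bMRN[:# ]*\d{6,10}\b`)},
	{"DOB", regexp.MustCompile(`(?i)\bDOB[: ]*\d{1,2}/\d{1,2}/\d{2,4}\b`)},
}

// Finding is one reason the message must not be sent as-is.
type Finding struct {
	Field  string // "to", "subject" or "body"
	Detail string
}

// levenshtein is the edit distance between a and b; it catches typos and lookalikes such as c1inic.example.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// checkRecipient accepts an address only when its domain is exactly on the allowlist; a near miss is reported for out-of-band confirmation.
func checkRecipient(addr string) *Finding {
	at := strings.LastIndex(addr, "@")
	if at < 1 || at == len(addr)-1 {
		return &Finding{"to", "malformed address: " + addr}
	}
	domain := strings.ToLower(strings.TrimSpace(addr[at+1:]))
	for _, ok := range approvedDomains {
		if domain == ok {
			return nil
		}
	}
	for _, ok := range approvedDomains {
		if levenshtein(domain, ok) <= 2 {
			return &Finding{"to", domain + " looks like approved domain " + ok + "; confirm by phone"}
		}
	}
	return &Finding{"to", domain + " is not an approved domain"}
}

// Preflight returns every problem found; an empty result means the message may be sent. It only inspects, it never sends.
func Preflight(to []string, subject, body string) []Finding {
	var findings []Finding
	for _, addr := range to {
		if f := checkRecipient(addr); f != nil {
			findings = append(findings, *f)
		}
	}
	for _, part := range []struct{ field, text string }{{"subject", subject}, {"body", body}} {
		for _, p := range phiPatterns {
			if p.re.MatchString(part.text) {
				findings = append(findings, Finding{part.field, p.name + " pattern present; move it to the encrypted attachment"})
			}
		}
	}
	return findings
}

func main() {
	// Constructed message with two mistakes: a lookalike domain and an MRN in the subject.
	for _, f := range Preflight([]string{"dr.lee@c1inic.example"}, "Re: MRN 12345678 results", "Results are at the secure link below.") {
		fmt.Printf("%s: %s\n", f.Field, f.Detail)
	}
}
```

Nothing here replaces the phone call; a lookalike finding is the prompt to make it. The pattern list is deliberately small, and a real DLP policy would add patient names, dates of service and the local accession-number format.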
Technical Controls
- Enable multi-factor authentication on the email account, preferring phishing-resistant methods (hardware security keys or passkeys) over SMS codes
- Configure the email client to require TLS 1.2 or later, with certificate verification, for both IMAP and SMTP; this protects only the connection to your own mail server, not the onward hops to the recipient's server, so it complements rather than replaces message-level encryption
- Maintain audit trails of PHI transmissions: who sent what, to whom, when, and through which channel
Organizational Requirements
- Implement access controls limiting who can view PHI
- Ensure third-party vendors have signed Business Associate Agreements (BAAs)
- Apply the minimum necessary principle — share only the PHI required for the specific purpose
- Have breach response procedures in place before transmitting PHI