Simple, practical rule for sending emails


As we work remotely, staying in communication with co-workers, customers, patients, and clients has made us increasingly reliant on email. Although sending email is a fairly mundane task, it’s easy to make a mistake that exposes you or your recipients to an unintentional disclosure.

Let’s take a common scenario. You need to communicate a change in your hours to your customer/patient database. You queue up an email and drop the patient list into the recipient field. If you didn’t add that list to the “bcc” field (often not visible by default), then you’ve potentially exposed the name of every person on that list to everyone else on it. In the HIPAA world, this is considered a breach. Why, you say? Here’s a simple test for HIPAA: if a person can connect an individual (patient) with your organization, then you’ve exposed Protected Health Information, and that’s a breach. I use a test I call the celebrity test. If one of your patients’ email addresses is, and you run a drug rehabilitation facility, it’s reasonable for another recipient to conclude Justin Bieber is, or has been, a patient at your facility. Do you think that would be considered a breach of his privacy? It’s also a HIPAA violation.

If the scenario above happens to you, you should take the following actions. If you’re not a HIPAA covered entity, then you may be able to do damage control by sending an apology email. If you are bound by HIPAA, then your first step should be to contact your lawyer. We would then recommend you send an apology letter to your patients and create a document recording the steps you took. Finally, you’ll need to file the event with OCR before year-end, as required. Obviously, avoiding such a mistake is critical, and it’s easy to do.

When sending an email to more than one person, or replying to a group, always review everyone in the list of recipients before hitting send. Always use the BCC field when sending to a group whose membership you want to keep confidential. Be absolutely certain your staff understands this, and to make their lives easier, check their email clients to ensure the BCC field is configured to be visible.

Once again, we’re here to help. If this has happened to you, we can walk you through filing with OCR.

On a Covid note, we all know how devastating this virus is to your lungs. Strengthening your lungs could mean the difference between hospitalization (or worse), or being sent home with therapeutics. I recently read an excellent and enlightening book written by James Nestor titled “Breath – The New Science of a Lost Art”. I highly recommend it as an addition to your immunity fortification regime.

Stay safe and healthy. Thank you for reading.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires a covered entity to implement a security awareness and training program for all members of its workforce (including management). Have your team sign up for the weekly HIPAA Security Reminder to help stay compliant.