Email mistakes

How To Blow Your HIPAA Compliance In 1 Email

It has happened again, and it won't be the last time. The City of Boston just received its egg-on-the-face award for sending an email to all of its recently-tested-positive Covid patients instructing them on the City's policies regarding quarantine and testing going forward. No harm, no foul, except that they put all of the recipients in the TO line. So 100 city employees learned the Covid status and vaccination status of their co-workers. Oops.

Sadly, we see this happen frequently. People simply forget to put the email addresses in the BCC (blind carbon copy) field, where recipients cannot see each other. Here are two quick ways to fix this issue.

First - train your staff. Reaching for BCC should be reflexive whenever sending an email to a group, or to more than a couple of recipients. Proper training can help make this happen.

Second - set your email client to ALWAYS display the BCC line. Seeing it prominently presented, rather than having to click it to display, will reduce these types of errors.
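As an added illustration of the second tip (this code is not from the original post), here is a pre-send check that parses an outbound message and flags it when more than a couple of recipients are visible in the To or Cc headers. The threshold, the example.org addresses and the two sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import getaddresses

# Policy threshold (assumption): more than this many visible recipients means
# the addresses belong in Bcc, where recipients cannot see each other.
MAX_VISIBLE_RECIPIENTS = 2

# Constructed outbound message reproducing the mistake: everyone in the To line.
LEAKY_MESSAGE = """\
From: hr@example.org
To: alice@example.org, bob@example.org, carol@example.org, dave@example.org
Subject: Updated quarantine guidance for employees who tested positive

Please read the attached policy.
"""

# Same message after the fix: recipients moved to Bcc, To points at the sender.
SAFE_MESSAGE = """\
From: hr@example.org
To: hr@example.org
Bcc: alice@example.org, bob@example.org, carol@example.org, dave@example.org
Subject: Updated quarantine guidance for employees who tested positive

Please read the attached policy.
"""


def visible_recipients(raw_message):
    """Return the addresses every recipient will be able to see (To and Cc)."""
    msg = message_from_string(raw_message)
    addrs = []
    for header in ("To", "Cc"):
        # getaddresses handles "Name <addr>" forms and comma-separated lists
        addrs.extend(addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr)
    return addrs


def check_outbound(raw_message, limit=MAX_VISIBLE_RECIPIENTS):
    """Pre-send check. Returns (ok, reason); ok is False when the message
    exposes more than `limit` recipients to one another."""
    visible = visible_recipients(raw_message)
    if len(visible) > limit:
        return False, (f"{len(visible)} recipients visible in To/Cc (limit {limit}); "
                       "move them to Bcc so recipients cannot see each other")
    return True, "ok"
```

The same check can run as a mail-gateway or DLP rule on the path out of the organization, which catches the error even when an individual client is not configured to show the BCC line.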

Finally, it has become commonplace for employers to discuss Covid and vaccination status with their employees, but this is not, nor should it become, the norm. Asking employees about their health status has always been a sensitive area, and organizations should not relax those standards just to accommodate convenience.

As things return to some semblance of "normal" (I'm in California so normal is relative), we encourage you to be cautious in adhering to recently established patterns with your employees.

If you're paranoid that people are watching you, it's because they probably are. Good cyber-hygiene is a daily ritual - adopt it today if you haven't already. Check to ensure your anti-virus is running every time you sit at your computer. Check to ensure your updates have been run at least once a day. Make it a habit.

Thank you for reading.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
