Requirements for sending an email to multiple patients
Following a recent incident in which the email addresses of more than 1,000 patients were accidentally disclosed, this guidance reminds staff of the considerations that must be addressed before sending an email to multiple patients.
Even when the content of an email contains no protected health information (PHI), for example an informational flyer or a notice of an upcoming educational session, the patients' email addresses are themselves PHI and must not be disclosed to other recipients. Depending on the circumstances, such a disclosure can be a HIPAA breach that requires notifying the government and the media, and it can expose the organization to fines.
When sending an email to multiple patients, all of the following are required:
- Send from your @med.umich.edu email address only. Do not use a personal email account or an @umich.edu email address when sending communications to patients. By policy, PHI must only be communicated from the Outlook Exchange environment (your @med.umich.edu account).
- Only use blind carbon copy (BCC). Putting patients' email addresses in the "To" or "Cc" field exposes every address to every recipient. Sending a separate email to each recipient is preferred; when that is not practical, the addresses must go in the BCC field and nowhere else.
- Ensure no PHI is in the communication. PHI here includes addressing the recipient as a patient, or implying a diagnosis or treatment of the recipient, in the body or in an attachment. For example, an announcement of an educational event should be a general invitation rather than a message addressed specifically to patients, and it must not imply that the recipients share a particular diagnosis or need the treatment that is the subject of the event. A message that must contain PHI must NOT be sent to multiple recipients: send it only to the intended recipient, and encrypt it by including [SECURE] anywhere in the subject line (see the guidance linked below).
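The following pre-send check is an added example and is not part of the original guidance or any Michigan Medicine tool. It encodes the rules above as a function that a sending script or a mail-flow hook could call before transmission: the sender must be exactly one @med.umich.edu address, at most one address may be visible in To/Cc, and a message the caller flags as containing PHI must go to a single recipient with [SECURE] in the subject. Whether a message contains PHI is a judgement the caller passes in; the code cannot make it. The sample messages, addresses and the `prepare_for_transport` helper (which shows the BCC header being removed from what goes on the wire) are constructed for illustration.

```python
"""Pre-send checks for a bulk patient mailing (added example, not an official tool).

The four rules encoded here are the ones from the guidance above. PHI content is
decided by the caller through the `contains_phi` flag; no program can judge it.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses

APPROVED_SENDER_DOMAIN = "med.umich.edu"  # per the guidance; @umich.edu is NOT allowed
ENCRYPTION_TAG = "[SECURE]"               # subject-line tag named in the guidance


def _addresses(msg: EmailMessage, header: str) -> list[str]:
    """Return the bare, lower-cased addresses from every instance of `header`."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_patient_mailing(msg: EmailMessage, contains_phi: bool) -> list[str]:
    """Return the policy violations found; an empty list means the message may be sent."""
    problems: list[str] = []

    sender = _addresses(msg, "From")
    # Exact domain match: "umich.edu" must not pass, so no endswith() here.
    if len(sender) != 1 or sender[0].rpartition("@")[2] != APPROVED_SENDER_DOMAIN:
        problems.append(f"sender must be a single @{APPROVED_SENDER_DOMAIN} address")

    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    hidden = _addresses(msg, "Bcc")
    if len(visible) > 1:
        problems.append(f"{len(visible)} addresses visible in To/Cc; move them to Bcc")
    if not visible and not hidden:
        problems.append("no recipients")

    if contains_phi:
        if len(visible) + len(hidden) != 1:
            problems.append("a message containing PHI must go to exactly one recipient")
        # Tag match is case-insensitive here (assumption; the guidance shows it upper-case).
        if ENCRYPTION_TAG.lower() not in (msg["Subject"] or "").lower():
            problems.append(f"a message containing PHI must carry {ENCRYPTION_TAG} in the subject")
    return problems


def prepare_for_transport(msg: EmailMessage) -> tuple[list[str], EmailMessage]:
    """Split a checked message into SMTP envelope recipients and the headers to transmit.

    BCC recipients must travel only in the envelope (RCPT TO); the Bcc header is
    deleted from the transmitted copy so it cannot leak. smtplib.SMTP.send_message()
    does this for you, but a hand-rolled sendmail(from, to_addrs, msg.as_string())
    does not, which is one way a "BCC" mailing still exposes every address.
    """
    envelope = _addresses(msg, "To") + _addresses(msg, "Cc") + _addresses(msg, "Bcc")
    wire = copy.deepcopy(msg)
    del wire["Bcc"]
    return envelope, wire


# Constructed sample messages (addresses are placeholders, not real people).
def sample_flyer() -> EmailMessage:
    """Compliant event flyer: sender in To, patients hidden in Bcc, no PHI."""
    msg = EmailMessage()
    msg["From"] = "Clinic Staff <staff@med.umich.edu>"
    msg["To"] = "staff@med.umich.edu"
    msg["Bcc"] = "patient1@example.com, patient2@example.com"
    msg["Subject"] = "Community education evening: healthy eating"
    msg.set_content("You are invited to a free educational session open to all.")
    return msg


def sample_leaked_flyer() -> EmailMessage:
    """The incident pattern: every patient address placed in To."""
    msg = sample_flyer()
    del msg["To"]
    del msg["Bcc"]
    msg["To"] = "patient1@example.com, patient2@example.com"
    return msg


def sample_phi_notice(secure: bool) -> EmailMessage:
    """Single-recipient message that contains PHI, with or without the [SECURE] tag."""
    msg = EmailMessage()
    msg["From"] = "Clinic Staff <staff@med.umich.edu>"
    msg["To"] = "patient1@example.com"
    msg["Subject"] = ("[SECURE] " if secure else "") + "Your follow-up appointment"
    msg.set_content("Your results from last week's visit are ready to discuss.")
    return msg
```

Run `check_patient_mailing(sample_leaked_flyer(), contains_phi=False)` to see the incident reported as a To/Cc violation, and `check_patient_mailing(sample_phi_notice(secure=False), contains_phi=True)` to see the missing [SECURE] tag flagged; both compliant samples return an empty list.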
If you have questions or need assistance with communications to multiple recipients, including patients, work with your departmental leadership and the Department of Communication or the Michigan Medicine Compliance Office Privacy Team. Please include this information in your onboarding process. Further guidance:
- Communicating PHI (http://www.med.umich.edu/u/compliance/hipaa/communicating.html)
- Clinicians Communicating with Patients – Recommendations and Guidance (http://www.med.umich.edu/u/compliance/hipaa/clinicians-communicating-with-patients.pdf)
Following these rules, at its core, is also about retaining trust. Thank you for your help.