Sharing educational documents with multiple patients

January 13, 2021  //  FOUND IN: Updates & Resources

RECENT MICHIGAN MEDICINE HIPAA BREACH: A HIPAA breach recently occurred that exposed multiple patients’ email addresses to other patients while sharing educational documents. Protecting patient privacy is crucial and failing to take the proper precautions can expose patients’ Protected Health Information (PHI), resulting in potential fines and mistrust of our patients.

Below are important requirements when sharing educational materials with patients.

Reminders when sharing education documents via email with one or more patients:

  • Patient names and email addresses are PHI. Exposing patient names and email addresses to other recipients is a HIPAA violation.
  • To share educational materials with a group of patients, always use the BCC field for all recipient email addresses. Otherwise, email addresses in the To and CC fields are viewable to all the recipients. 
  • Only use Outlook email ( 
  • Send your email securely by typing SECURE in brackets, “[SECURE]”, anywhere in the Subject line to encrypt the email. 
  • Never put PHI in the subject line of an email.

Using cloud-based collaboration services:

  • Only use approved cloud-based collaboration services such as Dropbox at U-M or Box at U-M.
  • Ask for help. When using these services, it is your responsibility to ensure that settings are configured to hide all recipient names and email addresses. If you are unsure how to do this or need other assistance, contact the HITS Service Desk for help.

Other tips

  • If applicable, consider using the Patient Portal when communicating with patients.
  • If you have any questions about Patient Portal use, contact Health Information Management ( or at 734-615-0872).
  • No PHI pertaining to one or more individuals can be included in an educational document shared with multiple patients.  Educational documents must be generic in nature and not specific to a particular patient(s). 

Additional information: