Does Sending Email Using BCC Make It HIPAA Compliant?

July 13th, 2021

One common misconception is that sending emails to a list of recipients using BCC (Blind Carbon Copy) makes it HIPAA-compliant. For example, a doctor’s office sends a newsletter to its patients using BCC to hide the other recipients. Patients who receive a message sent via BCC cannot see who else received it. Some may think this email does not contain any identifiable information because the individual recipients are hidden. They assume the messages do not contain any “electronic protected health information” (ePHI) subject to HIPAA regulations.

However, BCC is not good enough to protect ePHI.

email bcc hipaa

Does a doctor’s newsletter fall under HIPAA?

First, it’s worth taking a minute to understand if the newsletter even needs to be HIPAA-compliant. The answer depends on the content of the newsletter. Does it imply confidential information about the recipients? That question needs to be answered on a case-by-case basis. Here are some things to consider:

  • Would knowledge that a specific person is associated with this doctor or practice be considered confidential and protected by HIPAA? For example, suppose the doctor is a specialist and sends out a newsletter to his existing patients. In that case, sending an email may imply that the recipients have certain medical conditions that should be kept confidential.
  • Does the information in the newsletter itself imply that the recipients have specific medical issues or fall into certain groups? Should HIPAA protect such associations?

Any covered entity should consider these factors when sending out any email newsletter. In general, organizations should err on the side of caution and assume that anything they send out could be sensitive.

Here is a brief guide to determining if something is ePHI or not.

Why doesn’t the use of BCC protect the identity of the recipients?

It is true that if an email was sent to you and possibly others via BCC, it is (usually) not possible for you to determine who else may have received the same message. Thus their identities are usually (but not always) protected from you. BCC prevents the email recipient from knowing the identities of the other recipients.

However, HIPAA is not only interested in the fact that one recipient cannot identify the other recipients. HIPAA also requires that the message as it is transmitted across the internet does not divulge protected health information to anyone who may be eavesdropping.

It is helpful to compare email to postal mail. The letter in the inbox is the email message contents. It had an “envelope” that was “wrapped” around it while traveling from the sender to the recipient. This envelope conceals the message contents, but the actual “To” and “From” information is separate from the contents, like a postal envelope. The “To” is the list of addresses to be delivered, including all or a subset of those on the BCC list.

Anyone monitoring the transmission of the newsletter across the internet can see the message recipients (including the BCC addresses). Suppose knowledge of these addresses in the context of the message content results in the message falling under HIPAA for patient information privacy. In that case, the message may violate HIPAA’s information transmission security requirements.

While not visible to the individual recipients, the BCC addresses are visible to people eavesdropping on the message during transmission. Therefore, BCC is not secure enough to hide the recipients’ information in a way that is sufficient for HIPAA compliance.

Is BCC sometimes HIPAA-Compliant?

There is a case where BCC is good enough. If the transmission of the message from the outbound email server to all of the recipients’ email servers is automatically sent using SMTP TLS encryption. This protects the email message content and all envelope addresses while transmitting from server to server. This is one way to meet HIPAA’s transmissions security requirements.

Assuming that the email provider supports TLS encryption of outbound email messages, it is possible to determine if individual recipients also support TLS and thus if the pathway between them will be automatically secured (although there are limits to this). See How to Tell Who Supports TLS for Email Transmission and use this TLS checker tool.

Most people use email providers who support TLS encryption, but it’s impossible to guarantee. If email messages are sent to a diverse group of people, some possibly use email services that do not support TLS. Thus the message sent to them may not be HIPAA-compliant.

Are there any alternatives to using BCC?

Yes, here are some:

  • Use an email service that ensures the recipients will receive only encrypted copies of the messages. One such service is SecureLine, which allows you to send secure email messages to anyone on the internet, no matter their email address or provider. SecureLine encrypts the content of the messages and ensures that only the intended recipient(s) can access it. It also splits up any BCC list into a series of individual messages. Each message goes in a separate envelope to every recipient and uses the best security choice for each.
  • Provide your recipients with addresses on an email service that supports TLS (perhaps even the same provider you use). If you know that everyone uses TLS (and SSL when checking email), then you can ensure that every email is HIPAA-compliant.

For more information on the HIPAA requirements regarding email, please see: What HIPAA Says about Email Security and How the HIPAA Omnibus Rule affects Email, Web, FAX, and Skype.