Does Sending Email Using BCC Make It HIPAA Compliant?

July 13th, 2021

People have asked us if sending an email to someone via BCC (Blind Carbon Copy) is HIPAA-compliant. Take for example, a doctor’s office sending a newsletter to its patients via BCC. When the patients receive a message sent via BCC, they cannot see who else received it. Some may think that because the recipients are hidden, then this email does not contain any individually identifiable information. They assume that this means that the messages do not contain any “electronic protected health information” (ePHI) that is subject to HIPAA regulations.

However, BCC is actually not good enough to protect ePHI.

email bcc hipaa

Does a doctor’s newsletter fall under HIPAA?

First of all, it’s worth taking a minute to understand if the newsletter even needs to be HIPAA-compliant. The answer depends on the content of the newsletter. Does the content imply confidential information about the recipients? That question needs to be answered on a case-by-case basis. Here are some things to consider:

  • Would knowledge that a specific person is associated with this doctor or practice be considered confidential and protected by HIPAA? For example, if the doctor is a specialist and is sending out a newsletter to his existing patients, that may imply that the recipients have certain medical conditions that should perhaps be kept confidential.
  • Does the information in the newsletter itself imply that the recipients have certain medical issues or fall into certain groups? Should such associations be protected by HIPAA?

Any covered entity should consider these factors when sending out any kind of email newsletter. In general, organizations should err on the side of caution and assume that anything they send out could be sensitive.

Here is a brief guide to determining if something is ePHI or not.

Why doesn’t use of BCC protect the identity of the recipients?

It is true that if you have an email in your INBOX that was sent to you and possibly others via BCC (Blind Carbon Copy), it is (usually) not possible for you to determine who else may have received the same message and thus their identities are (usually .. this is not the case in some scenarios) protected from you. BCC prevents the email recipient from knowing the identities of the other recipients.

However, HIPAA is not only interested in the fact that one recipient cannot identify the other recipients. HIPAA also requires that the message as it is transmitted across the Internet does not divulge protected health information to anyone who may be eavesdropping.

It is useful to consider the analogy with postal mail (snail mail). The letter in your INBOX is the message. It had an “envelope” that was “wrapped” around it while traveling from the sender to you. This envelope does not conceal (encrypt) the message contents, but it does include the actual “To” and “From” information, similar to a postal envelope. The “To” in this case is the list of actual addresses yet to be delivered to, including all or a subset of those on the BCC list.

Anyone monitoring the transmission of your newsletter across the Internet can see the message recipients (including the BCC addresses). If knowledge of these addresses in the context of the message content results in the message falling under HIPAA for patient information privacy, then the message may be violating HIPAA’s information transmission security requirements.

The BCC addresses, while not visible to the individual recipients, are visible to people eavesdropping on the message during transmission. Therefore, BCC is not secure enough to hide the recipient information in a way that is sufficient for HIPAA compliance.

Is BCC sometimes HIPAA-Compliant?

There is a case where BCC is good enough. This is when the transmission of your message over SMTP from your outbound email server to all of your recipients’ email servers is automatically sent using SMTP TLS encryption. This protects the email message content and all of the envelope addresses while in transmission from server to server. This is one way to meet HIPAA’s transmissions security requirements.

Assuming that your email provider supports TLS encryption of email messages that you send, it is possible to determine if individual recipients  also support TLS and thus if the pathway between you and them will be automatically secured (although there are limits to this). See How to Tell Who Supports TLS for Email Transmission and use this TLS checker tool.

Most people use email providers who support TLS encryption, but it’s impossible to guarantee. If you are sending email messages to a diverse group of people, it is likely that some use email services that do not support TLS. Thus the message sent to them may not be HIPAA compliant.

Are there any alternatives to using BCC?

Yes, here are some:

  • Use an email service that ensures that the recipients will only receive encrypted copies of the messages. One such service is SecureLine, which allows you to send secure email messages to anyone on the Internet, no matter what email address or provider they use. SecureLine encrypts the content of the messages and ensures that only the intended recipient(s) can access it. It also splits up any BCC list into a series of individual messages. Each message goes in a separate envelope to every recipient and uses the best choice of security for each.
  • Provide your recipients with addresses on an email provider that supports TLS (perhaps even the same provider that you use). If you know that everyone uses TLS (and SSL when checking email), then you can ensure that every email is HIPAA compliant.

For more information on the HIPAA requirements with regards to email, please see: What HIPAA Says about Email Security and How the HIPAA Omnibus Rule affects Email, Web, FAX, and Skype.