Does sending email using BCC make it HIPAA Compliant?

January 30th, 2014

People have asked us if sending an email to someone via BCC (Blind Carbon Copy) is HIPAA-compliant.  For example, a doctor’s office sending a newsletter to its patients via BCC.  The presumption is that, because the recipients’ email addresses are not visible in a message sent via BCC, there is no way to identify the individual(s) to whom the message was sent, and thus the messages do not contain any “personally identifiable health information” (ePHI) that is protected by HIPAA.

The short answer is “BCC is not good enough”.  For the long answer, read on.

Does a doctor’s newsletter fall under HIPAA?

This depends very much on the content of the newsletter.  Does the content imply information about the recipients that should be kept confidential?  That question needs to be answered on a case-by-case basis.  Here are some things to consider:

  • Would knowledge that a specific person is associated with this doctor or practice be considered confidential and protected by HIPAA?   For example, if the doctor is a specialist and is sending out a newsletter on some facet of how he can help his existing patients, that may imply that the recipients have certain medical conditions that should perhaps be kept confidential.
  • Does the information in the newsletter itself imply that the recipients have certain medical issues or fall into certain groups?  Should such associations be protected by HIPAA?

Any organization that falls under the HIPAA umbrella should consider these and related factors when sending out any kind of email newsletter.  In general, organizations should err on the side of caution and assume that anything they send out could be sensitive.

Here is a brief guide to determining if something is ePHI or not.

Why doesn’t use of BCC protect the identity of the recipients?

It is true that if you have an email in your INBOX that was sent to you and possibly others via BCC (Blind Carbon Copy), it is usually not possible for you to determine who else received the same message, so their identities are protected from you (usually; this is not the case in some scenarios).  I.e., each recipient cannot know who the other recipients are — that is the definition of how BCC is supposed to work.

However, besides the fact that BCC does not always work that way, HIPAA is not only interested in the fact that one recipient cannot identify the other recipients.  HIPAA also requires that the message as it is transmitted across the Internet does not divulge protected health information (ePHI) to anyone who may be eavesdropping.

It is useful to consider the analogy with postal mail (snail mail).  The letter in your INBOX is the message.  It had an “envelope” that was “wrapped” around it while traveling from the sender to you.  This envelope does not conceal (encrypt) the message contents, but it does include the actual “To” and “From” information, similar to a postal envelope.  The “To” in this case is the list of actual addresses yet to be delivered to, including all or a subset of those on the BCC list.  Anyone who is able to monitor the transmission of your newsletter across the Internet, or who can view it stored on your outbound email server, can see exactly to whom the message will be delivered (including all or some of the BCC addresses).  If knowledge of these addresses in the context of the message content results in the message falling under HIPAA for patient information privacy (PIP), then the message may be violating HIPAA’s information transmission security requirements.

The short answer — the BCC addresses, while not visible to the individual recipients, are visible to people eavesdropping on the message during transmission and thus must be considered in determining if the message as a whole is ePHI.  Thus, BCC does not hide the recipient information in a way complete enough to be considered sufficient for HIPAA.

Is BCC sometimes good enough?

There is a case where BCC is good enough.  This is when the transmission of your message over SMTP from your outbound email server to all of your recipients’ email servers is automatically sent using SMTP TLS encryption.  This protects the email message content and all of the envelope addresses while they are transmitted from server to server.  This is one way to meet HIPAA’s transmission security requirements.

Assuming that your email provider supports TLS encryption of email messages that you send, it is possible to determine if individual recipients of yours also support TLS and thus if the pathway between you and them will be automatically secured (although there are limits to this).  See How to Tell Who Supports TLS for Email Transmission and this TLS checker tool.

However, many people do not use email providers who support TLS encryption.  And, if you are sending an email message to a group of people who have provided their own email addresses, it is likely that some of them are using email services that do not support TLS, and thus the message sent to them may not be HIPAA compliant.
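To make the envelope point and the TLS check above concrete, here is an added Python example (not code from the original post or from any provider it mentions).  It builds the SMTP envelope for a newsletter with a BCC list, showing that every BCC address still appears in RCPT TO even though the Bcc header is stripped, and then flags the recipients whose server, judging by its EHLO reply, offers no STARTTLS and would receive the addresses and content in cleartext.  All addresses, domains and EHLO replies are constructed.

```python
"""Offline illustration of why BCC alone does not hide recipients in transit (all sample data constructed)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

def build_envelope(msg: EmailMessage):
    """Return (rcpt_to, wire_text): the SMTP envelope recipients and the message
    as handed to the outbound server. Bcc feeds RCPT TO but is stripped from
    the headers, so recipients cannot see each other, yet anyone observing the
    SMTP session or the outbound queue sees every RCPT TO address."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpt_to = [addr for _, addr in getaddresses(hdrs)]
    wire = email.message_from_string(msg.as_string(), policy=policy.default)
    del wire["Bcc"]
    return rcpt_to, wire.as_string()

def advertises_starttls(ehlo_response: str) -> bool:
    """True if an EHLO reply (RFC 5321 '250-' / '250 ' lines) lists STARTTLS."""
    return any(line[:4] in ("250-", "250 ") and line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_response.splitlines())

def exposed_recipients(rcpt_to, ehlo_by_domain):
    """Recipients whose receiving server offers no STARTTLS, so their address and
    the whole message would cross the Internet in cleartext. Keyed by domain for
    this offline example; a real check resolves the MX host and sends EHLO to it."""
    exposed = []
    for addr in rcpt_to:
        domain = addr.rsplit("@", 1)[1].lower()
        if not advertises_starttls(ehlo_by_domain.get(domain, "")):
            exposed.append(addr)
    return exposed

NEWSLETTER = EmailMessage()  # constructed practice newsletter with a BCC list
NEWSLETTER["From"] = "office@example-clinic.test"
NEWSLETTER["To"] = "office@example-clinic.test"
NEWSLETTER["Bcc"] = "pat1@tls-mail.test, pat2@legacy-mail.test"
NEWSLETTER["Subject"] = "New cardiology services this spring"
NEWSLETTER.set_content("Dear patient, ...")

EHLO_REPLIES = {  # constructed EHLO replies, keyed by recipient domain
    "example-clinic.test": "250-mx.example-clinic.test\r\n250 STARTTLS\r\n",
    "tls-mail.test": "250-mx.tls-mail.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "legacy-mail.test": "250-mx.legacy-mail.test\r\n250 8BITMIME\r\n",
}

def demo():
    rcpt_to, wire_text = build_envelope(NEWSLETTER)
    return rcpt_to, wire_text, exposed_recipients(rcpt_to, EHLO_REPLIES)
```

Even where STARTTLS is advertised, an active attacker on the path can strip the offer unless the sending server insists on TLS, which is one of the limits the post alludes to.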

Are there any alternatives?

Yes, here are some:

  • Use an email service that ensures that the recipients will only receive encrypted copies of the messages.  One such service is SecureLine, which allows you to send secure email messages to anyone on the Internet, no matter what email address or provider they use.  SecureLine encrypts the content of the messages and ensures that only the intended recipient(s) can access it.  It also splits up any BCC list into a series of individual messages, so that each message goes in a separate envelope to every recipient and uses the best choice of security for each.
  • Provide your recipients with addresses on an email provider that supports TLS (perhaps even the same provider that you use).  If you can be sure that you and the recipients all use TLS (and SSL when checking your email), then you can be sure that all email communications between yourselves will automatically be HIPAA compliant, in terms of transmission security.

For more information on the HIPAA requirements with regards to email, please see: What HIPAA Says about Email Security and How the HIPAA Omnibus Rule affects Email, Web, FAX, and Skype.