One common misconception is that sending an email to a list of recipients using BCC (Blind Carbon Copy) makes it HIPAA-compliant. For example, a doctor’s office sends a newsletter to its patients using BCC to hide the other recipients. Patients who receive a message sent via BCC cannot see who else received it. Some may think this email does not contain any identifiable information because the individual recipients are hidden, and so assume the message does not contain any “electronic protected health information” (ePHI) subject to HIPAA regulations.
However, BCC is not good enough to protect ePHI.