People have asked us if sending an email to someone via BCC (Blind Carbon Copy) is HIPAA-compliant. Take, for example, a doctor’s office sending a newsletter to its patients via BCC. When the patients receive a message sent via BCC, they cannot see who else received it. Some may think that, because the recipients are hidden, the email does not contain any individually identifiable information. They assume that this means the messages do not contain any “electronic protected health information” (ePHI) that is subject to HIPAA regulations.
However, BCC is actually not good enough to protect ePHI.