What is an Email Confidentiality Notice and Should I Have One?

Modified on Tue, 5 Mar at 11:19 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Frequently, HIPAA covered entities and business associates, when emailing information, add a "Confidentiality Notice" to the bottom of the email.

The Confidentiality Notice reads something like this:

“Confidentiality Notice:
This email transmission, and any documents, files or previous email messages attached to it,
may contain confidential information. If you are not the intended recipient, or a person
responsible for delivering it to the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of any of the information contained in or attached to
this message is STRICTLY PROHIBITED. If you have received this transmission in error, please
immediately notify us by replying to the email or by telephone at (XXX) XXX-XXXX and destroy
the original transmission and its attachments without reading or saving them to disk.” 

Are such Confidentiality Notices Required by HIPAA?

Email as a communication channel is inherently insecure: data sent through email isn’t encrypted by default, especially when one uses a popular email client like Outlook or Gmail. This means there is no 100% guaranteed, foolproof way of determining whether the receiver of a message is actually the intended recipient.

Because of these inherent limitations of email, including a warning or disclaimer to the effect that non-intended recipients may not disclose, distribute, or copy an email message (and that non-intended recipients must notify the sender and destroy the transmission) serves as an administrative safeguard to protect the confidentiality of PHI. Per 45 CFR 164.530(c), “A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.”

A warning or disclaimer is a reasonable safeguard that protects PHI from intentional or unintentional use in violation of the Privacy Rule. Although a “Confidentiality Notice” is not literally required by law, having one can help to satisfy the 45 CFR 164.530(c) requirement.

No one particular safeguard, whether that safeguard is keeping files off the ground, locking cabinets, or keeping network server closets locked when not in use, can satisfy the entirety of the requirement to have safeguards. If an entity chose not to adopt ANY safeguard measures, though, on the ground that no one of these measures was specifically named in the HIPAA regulations, the entity would likely not be meeting its duty to “reasonably safeguard protected health information from any intentional or unintentional disclosure that is in violation of the Privacy Rule.”
