Is an Email Address Considered PHI Under HIPAA?

An email address is one of the 18 identifiers that HIPAA classifies as protected health information (PHI), but only when it’s connected to health-related data held by a covered entity like a hospital, health plan, or healthcare clearinghouse. An email address sitting in a general marketing database or an employee directory is not automatically PHI. The context surrounding it determines whether HIPAA protections apply.

What Makes an Email Address PHI

HIPAA defines protected health information as individually identifiable information that relates to a person’s past, present, or future physical or mental health, the provision of healthcare, or payment for healthcare. For an email address to qualify as PHI, two conditions must be true at the same time: the email must be able to identify a specific person, and it must be linked to some form of health information within a covered entity’s records.

If a patient uses their email to schedule an appointment through a hospital portal, that email address is PHI. If someone provides their email when filling out intake forms at a clinic, it’s PHI. The email doesn’t need to contain health details itself. Its presence alongside health data is enough.

A gym collecting email addresses for membership signups, on the other hand, is not dealing with PHI. Neither is a retail company emailing you a receipt. Those organizations aren’t covered entities, and the email isn’t tied to health records.

The 18 HIPAA Identifiers

HIPAA’s Privacy Rule lists 18 specific types of information that count as identifiers. Email addresses appear explicitly on this list alongside names, phone numbers, Social Security numbers, medical record numbers, IP addresses, and biometric data like fingerprints. When any of these identifiers exist within a covered entity’s records and connect to health information, they become PHI and are subject to HIPAA’s privacy and security requirements.

This list also matters for de-identification. If a healthcare organization wants to share health data for research or analytics without triggering HIPAA restrictions, the “Safe Harbor” method requires stripping all 18 identifiers, including email addresses. The organization must also have no actual knowledge that the remaining information could identify someone.
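As an added illustration (not from the original article), here is a small Python check of the Safe Harbor idea applied to a single record: it drops the structured identifier fields the article names and scrubs the same kinds of identifiers out of free text. The field names, the sample record and the regular expressions are assumptions; the full rule has 18 identifier categories and this covers only the ones the article mentions.

```python
import re

# Structured fields that map onto identifiers named on the page (email, name,
# phone, SSN, medical record number, IP address). The full Safe Harbor list
# has 18 entries; this constructed example covers only these.
IDENTIFIER_FIELDS = {"name", "email", "phone", "ssn", "mrn", "ip_address"}

# Identifiers that can also hide inside free-text fields such as clinical notes.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed patient record, not real data.
SAMPLE = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "email": "jane.example@example.org",
    "diagnosis": "type 2 diabetes",
    "visit_year": 2023,
    "notes": "Patient asked for results at jane.example@example.org; callback 555-010-2222.",
}

def find_identifiers(text):
    """Return the set of identifier types whose pattern appears in the text."""
    return {kind for kind, pat in PATTERNS.items() if pat.search(text)}

def safe_harbor_strip(record):
    """Copy the record, dropping structured identifier fields outright and
    replacing identifier patterns inside string fields with a marker."""
    clean = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if isinstance(value, str):
            for kind, pat in PATTERNS.items():
                value = pat.sub(f"[{kind.upper()} REMOVED]", value)
        clean[key] = value
    return clean

def is_deidentified(record):
    """True when no identifier field remains and no string field still
    matches an identifier pattern. The rule's 'no actual knowledge' test is
    a human judgement and is not modelled here."""
    if IDENTIFIER_FIELDS & set(record):
        return False
    return not any(find_identifiers(v) for v in record.values() if isinstance(v, str))
```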

When an Email Address Is Not PHI

Several common scenarios fall outside HIPAA’s reach. Employment records are one of the clearest exceptions. If a hospital maintains email addresses in its HR system for employee communications, those aren’t PHI, even though the employer is a covered entity. HIPAA specifically excludes employment records from the definition of protected health information.

Student health records at universities present another exception. Records protected under FERPA (the Family Educational Rights and Privacy Act) are explicitly excluded from HIPAA coverage. Even if a university operates a student health clinic, health records that qualify as “education records” under FERPA fall under that law instead. A student’s email address in those records wouldn’t be treated as PHI under HIPAA.

Any email address held by an organization that isn’t a covered entity or business associate is also outside HIPAA’s scope entirely. A tech company, a restaurant, or a nonprofit collecting email addresses for newsletters has no HIPAA obligations, regardless of what else they know about you.

Website Tracking and Email Collection

HHS has issued guidance specifically addressing online tracking technologies used by healthcare organizations. When a covered entity’s website uses tracking pixels or analytics tools that capture a visitor’s email address, that data can qualify as PHI. The guidance lists email addresses alongside IP addresses, medical record numbers, and appointment dates as examples of identifiable information that tracking technologies may collect.

This is a real compliance issue for hospitals and health plans with public-facing websites. If a patient logs into a portal or enters their email on a page related to a health condition, and a third-party tracker captures that information, the covered entity may have made an unauthorized disclosure of PHI. The fact that the tracking happened automatically, without anyone intending to share health data, doesn’t create an exception.
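An added example, not part of the HHS guidance or the article, of how a site owner can audit captured outbound requests for this problem in Python: it flags any request to a host outside the covered entity's own domains whose query string carries an email address, together with the page that fired it. The hostnames, paths and request list are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed: hosts the covered entity itself operates. Requests to these are
# first-party and are not disclosures to a third party.
FIRST_PARTY = {"portal.example-health.test", "www.example-health.test"}

# Constructed outbound requests as a browser or proxy audit might record them:
# (page the visitor was on, URL the page requested).
REQUESTS = [
    ("https://portal.example-health.test/appointments",
     "https://analytics.example-vendor.test/collect?ev=view&uid=jane.example%40example.org"),
    ("https://portal.example-health.test/appointments",
     "https://portal.example-health.test/api/slots?day=2024-03-01"),
    ("https://www.example-health.test/conditions/diabetes",
     "https://pixel.example-vendor.test/p.gif?ref=conditions%2Fdiabetes&em=jane%40example.org"),
    ("https://www.example-health.test/about",
     "https://pixel.example-vendor.test/p.gif?ref=about"),
]

def third_party_email_leaks(requests, first_party):
    """Return (page, third-party host, email) for every request that sends an
    email-shaped query value to a host outside the entity's own domains."""
    leaks = []
    for page, url in requests:
        parts = urlsplit(url)
        if parts.hostname in first_party:
            continue
        # parse_qs percent-decodes values, so %40 becomes '@' before matching.
        for values in parse_qs(parts.query).values():
            for v in values:
                m = EMAIL_RE.search(v)
                if m:
                    leaks.append((page, parts.hostname, m.group()))
    return leaks
```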

Sending PHI by Email

HIPAA doesn’t ban email as a communication method, but it does require safeguards. The Security Rule mandates that covered entities implement access controls, integrity protections, and transmission security when sending electronic PHI. In practice, this means organizations need to assess the risks of sending email over open networks and use appropriate protections like encryption.

The rule treats encryption as an “addressable” specification rather than a strict mandate. That doesn’t mean it’s optional. It means the organization must evaluate whether encryption is reasonable and appropriate, and if it decides not to encrypt, it needs to document why and implement an equivalent safeguard. For most organizations sending email containing PHI, encryption is the expected standard.

Marketing Rules for Email Addresses

If a healthcare provider wants to use your email address for marketing, HIPAA requires your written authorization first. Marketing under HIPAA means any communication encouraging you to buy or use a product or service. A hospital emailing you about a new cosmetic procedure, or a health plan promoting a wellness product, needs your explicit permission.

The rules tighten further when money changes hands. If a third party pays a covered entity to send marketing emails to patients, the authorization form must disclose that financial arrangement. There are only two narrow exceptions where marketing can happen without authorization: face-to-face conversations and promotional gifts of nominal value. Email campaigns don’t qualify for either exception.

Communications about your own treatment, like appointment reminders or prescription refill notices, are not considered marketing. A provider can email you about your care without a separate marketing authorization, though the usual PHI security requirements still apply.