An email address is one of the 18 identifiers that can make health information protected under HIPAA, but it does not automatically qualify as protected health information (PHI) on its own. The distinction matters: an email address becomes PHI only when it is connected to health-related information and held by a HIPAA-covered entity or its business associate.
What Makes Something PHI
PHI has a specific legal definition under HIPAA. Health information qualifies as “individually identifiable health information” when it meets three criteria simultaneously. It must relate to a person’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care. It must identify the individual or provide a reasonable basis for identifying them. And it must be created or held by a covered entity (like a hospital, health plan, or provider) or a business associate of one.
An email address sitting in a generic marketing database at a retail company is not PHI. That same email address in a healthcare provider’s appointment system, linked to the reason someone is seeking care, is PHI. Context is everything.
Email Addresses and the 18 HIPAA Identifiers
HIPAA’s Privacy Rule lists 18 types of identifiers that, when attached to health information, create PHI. Email addresses are explicitly listed as identifier number six. The other identifiers include things like names, phone numbers, Social Security numbers, dates of birth, and IP addresses.
These 18 identifiers also play a role in de-identification. If a covered entity wants to strip a dataset of PHI so it can be shared freely, the Safe Harbor method requires removing all 18 identifiers, including email addresses. On top of that, the entity must have no actual knowledge that the remaining information could be used to re-identify someone.
When an Email Address Clearly Becomes PHI
The most straightforward scenario: a patient provides their email address through a healthcare provider’s portal, registration page, or appointment scheduling tool. The Department of Health and Human Services has stated that when someone enters their email address on a provider’s registration page or patient portal login, that information meets the definition of individually identifiable health information. It is PHI, and HIPAA rules apply to how it is stored, shared, and protected.
This extends to less obvious situations too. HHS guidance on online tracking technologies makes clear that if a website tracking tool (like a pixel or cookie) on a provider’s appointment page collects a visitor’s email address alongside their reason for seeking care, that collection counts as a disclosure of PHI to the tracking vendor. The provider would need a business associate agreement with the vendor, or the disclosure violates HIPAA.
Consider a practical example: a hospital website has a symptom checker tool. A visitor types in their email and selects symptoms from a dropdown menu. The combination of that email address and the health-related input is PHI. If a third-party analytics tool captures that data, the hospital has disclosed PHI to that third party.
When an Email Address Is Not PHI
If you collect email addresses in a context that has nothing to do with health care, those addresses are not PHI regardless of what they look like. A wellness newsletter signup on a non-healthcare company’s website, a fitness app that isn’t connected to a covered entity, or a general contact form on a business website all collect email addresses without creating PHI.
Even within a healthcare organization, an email address in a staff directory or a vendor contact list would not be PHI because it is not linked to anyone’s health information, treatment, or payment for care. The identifier alone is not enough. It needs to be tethered to health data and held within the HIPAA-regulated ecosystem.
What This Means for Email Service Providers
If a healthcare organization uses an email platform to communicate with patients, that platform handles PHI. The email service provider becomes a business associate under HIPAA and must sign a business associate agreement (BAA). This is why healthcare organizations need email hosting providers that offer HIPAA-compliant services and are willing to execute a BAA. Major platforms like Microsoft 365 will sign BAAs for this purpose.
Without a BAA in place, sending a patient’s email address (along with any health context) through a standard email service is a HIPAA violation, even if no medical records are attached. The email address itself, combined with the fact that the person is a patient of that provider, is enough to constitute PHI.
Marketing Rules Add Another Layer
Using a patient’s email address for marketing introduces additional HIPAA requirements. The Privacy Rule requires written authorization from the individual before their PHI can be used for marketing communications. Marketing, in HIPAA terms, means any communication encouraging someone to purchase or use a product or service.
There are narrow exceptions. No authorization is needed if the communication describes a health-related service provided by the covered entity itself, if it is made for treatment purposes, or if it involves care coordination or recommending alternative treatments. Face-to-face communications and promotional gifts of nominal value are also exempt. But sending a marketing email to a patient’s address about a third-party product, without their written authorization, violates the Privacy Rule.
The Bottom Line on Classification
An email address is not inherently PHI. It becomes PHI when two conditions are met: it is linked to health information (even something as minimal as the fact that someone is a patient), and it is held or transmitted by a HIPAA-covered entity or business associate. In practice, nearly any email address in a healthcare provider’s patient-facing systems qualifies. If you work for or with a covered entity and you handle patient email addresses, treat them as PHI.