Is an Email Address PHI? HIPAA Rules Explained

An email address is one of the 18 identifiers that can make health information Protected Health Information (PHI) under HIPAA. But an email address alone, sitting in a spreadsheet with no connection to healthcare data, is not PHI. The distinction matters: it’s the combination of an identifier like an email address with health-related information that triggers HIPAA’s protections.

What Makes an Email Address PHI

HIPAA’s Privacy Rule defines PHI as individually identifiable health information that is created or received by a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) in connection with treatment, payment, or healthcare operations. The rule lists 18 specific identifiers, and “electronic mail addresses” is number six on that list. When an email address is linked to any health information, such as a diagnosis, prescription, appointment record, or insurance claim, it becomes PHI and must be protected accordingly.

The key phrase is “linked to health information.” A hospital’s marketing list of patient email addresses is PHI because those addresses were collected through a healthcare relationship and can be tied back to individuals who received care. A gym’s email list of members is not PHI, even if some members happen to have health conditions, because a gym is not a HIPAA-covered entity and the emails weren’t collected in a healthcare context.

When an Email Address Is Not PHI

An email address by itself, with no connection to health data or a healthcare event, falls outside HIPAA’s reach. UC Berkeley’s Human Research Protection Program explains this distinction clearly: health-related information that includes personal identifiers like an email address is not considered PHI if the data “are not associated with or derived from a healthcare service event (treatment, payment, operations, medical records).”

Some practical examples where an email address would not be PHI:

  • General mailing lists. A wellness newsletter signup form on a public website collects email addresses from anyone, not just patients. Those addresses aren’t tied to any individual’s health records.
  • Research-only data. If a researcher collects email addresses for a study and the data never enters a medical record or healthcare system, HIPAA does not apply to that information (though other privacy regulations still might).
  • Non-covered entities. Fitness apps, nutrition coaches, and employers collecting email addresses are generally not covered entities under HIPAA, so the email addresses they hold are not PHI regardless of context.

The Safe Harbor Standard for De-Identification

HIPAA provides a method called Safe Harbor that lets organizations strip data of identifying information so it no longer qualifies as PHI. To meet this standard, all 18 identifiers must be removed, and email addresses are explicitly on that list. The organization must also have no actual knowledge that the remaining information could be used, alone or combined with other data, to identify a specific person.

This means you cannot simply delete names from a dataset and consider it de-identified if email addresses remain. Every identifier, including email, must go. Organizations that want to use health data for analytics, research sharing, or reporting without HIPAA restrictions need to strip all 18 categories or use a qualified statistical expert to certify the data carries a very low re-identification risk.

How Email Addresses Must Be Protected

When email addresses do qualify as PHI, HIPAA requires specific safeguards. A proposed 2025 update to the HIPAA Security Rule would strengthen these requirements significantly, including mandatory encryption of all electronic PHI both at rest and in transit, multi-factor authentication for systems that store or access ePHI, and detailed technology asset inventories.

For organizations that send emails containing PHI, or that store patient email addresses in their systems, several practical requirements apply. Email platforms must encrypt message content so that intercepted messages are unreadable. Access controls and audit logs need to be in place to track who views or sends PHI. Staff must be trained on proper use of the platform, including never putting PHI in email subject lines (subject lines are header metadata, which content encryption typically does not cover) and using BCC rather than CC for group messages so that one patient’s email address is not exposed to another.

Business Associate Agreements for Email Providers

If your organization uses an email service provider that will handle, store, or have access to patient email addresses linked to health data, you typically need a Business Associate Agreement (BAA) in place. HHS defines a business associate as any person or entity that “performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Your email platform almost certainly fits that definition if PHI passes through it.

There is one notable exception. Services that act purely as a conduit for information, similar to the postal service or a private courier, do not require a BAA. HHS specifically names “the US Postal Service, certain private couriers, and their electronic equivalents” as examples. However, most modern email platforms do more than just relay messages. They store, index, and process email content, which pushes them beyond the conduit exception and into business associate territory.

Real Consequences of Mishandling Email PHI

Violations involving email addresses and electronic PHI carry real financial penalties. In one notable case, Lifespan Health System in Rhode Island paid $1,040,000 to the HHS Office for Civil Rights after an employee’s unencrypted laptop was stolen from a car. The laptop contained cached emails with patient names, medical record numbers, partial addresses, and medication information. The core issue was not that the laptop was stolen, but that the data on it was unencrypted and the organization lacked adequate device-level protections.

This case illustrates a broader pattern in HIPAA enforcement. The penalties tend to be heaviest not for a single accidental disclosure, but for systemic failures: unencrypted devices, missing policies, and lack of workforce training. If your organization stores patient email addresses on laptops, mobile devices, or cloud platforms without encryption and access controls, a single theft or breach can trigger a six- or seven-figure settlement plus a mandatory corrective action plan.

The Bottom Line on Email and PHI

An email address becomes PHI the moment it is connected to health information within a covered entity’s systems. Standing alone, with no link to healthcare data, it is just an email address. The practical takeaway: if you work in healthcare or handle data on behalf of a healthcare organization, treat every patient email address as PHI unless you can confirm it has been fully separated from all health-related information. That separation needs to meet HIPAA’s Safe Harbor standard, not just your own judgment about what feels anonymous enough.