
Jun 9, 2026

Blog Post | Is Disclosing a Patient’s Email Address a HIPAA Breach?

Can disclosing a patient’s email address to others in an email chain be considered a breach under HIPAA?  Yes, it may, depending on the particular facts involved.

If a medical practice or other covered entity has only inadvertently released certain patient email addresses in a general marketing newsletter online, this may not, by itself, qualify as a breach under HIPAA that needs to be reported. Each time a practice has a potential HIPAA breach, it should undertake the requisite risk analysis under the HIPAA guidelines to determine if a breach has occurred and what, if anything, needs to be reported.

However, if the email addresses disclosed also include other identifiable patient information and/or if the message also includes information on the healthcare services being sought, this may in fact trigger a breach where notification to the individuals and HHS is required.

Depending on the particular facts of the disclosure, the email address is likely a personal identifier because it often includes the individual’s name or other identifying information about the individual. If the email content also includes information about a past, present, or future physical or mental health condition or health care to be provided, or if it includes the past, present, or future payment of health care to be provided to such person, then this is likely a breach that triggers the necessary notifications under HIPAA.

If the breach affects fewer than 500 individuals, the individuals must be notified and HHS must also be notified by the end of the calendar year. If the breach involves 500 or more residents of a state, in addition to notifying the individuals and HHS within 60 days of the breach, a covered entity may also have to report the breach to the media.

Because the risks associated with a HIPAA breach are significant, it is important to undergo the requisite risk analysis without delay to determine whether a breach has occurred. 

If you have any HIPAA or healthcare regulatory concerns, our lawyers are here to help.  
 
Please contact Jonna D. Eimer, Esq. at Roetzel & Andress to learn more about how this could affect your practice.
