Sending Protected Health Information (PHI) by email exposes the PHI to two risks: The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list. The email could be captured electronically en route. HIPAA requires that we take reasonable steps to protect against these risks but acknowledges that a balance must be struck between the need to secure PHI and the need to ensure that clinicians can efficiently exchange important patient care information.