Verify email addresses before sending PHI via email to an unverified email address. It’s probably against HIPAA. You sent me someone’s PHI in an email because the person used my email address instead of their own. I did not sign up for that and I do not want it. Since you don’t know how to handle personal health information, I will be avoiding your site and recommend others do the same.
When creating accounts, the email address used should be validated before it can be used to send communications to members.
We're sorry to hear that you have received someone else's email. Not cool. The only "good news" in all of this is that the data you received is not considered PHI under HIPAA since it was not collected by or used by a covered entity and is not used to diagnose or treat a patient. Similarly, BP, steps, etc. tracked on a wearable device are not considered PHI as long as they are not integrated with a HIPAA covered entity.
That said, we do 100% agree with you that we need to be verifying emails. It's not just a good idea, but it's a best practice. That change is on our road map.
Thanks for your submission.