
HIPAA Compliant Email: some proactive strategies

Jim Hook, MPH

Part two of a two-part series on HIPAA and email

In Part I of this post, we reviewed some of the statements that the Office for Civil Rights (OCR), the Privacy Rule enforcers, include in their online FAQs relevant to HIPAA and email rules.  Now that we have a better understanding of those rules, let’s explore how medical practices and other providers can make sure they are using HIPAA compliant email.  After all, knowing the rules is one thing … but putting them into practice is what is going to keep you and your healthcare organization out of trouble.


5 strategies for achieving HIPAA compliant email

Like so many other things with HIPAA compliance, there is no single answer to the question of what constitutes HIPAA compliant email.  However, the options addressed below represent a collection of first-line strategies that go a long way toward addressing HIPAA email regulations.

  1. Be the expert on the topic of HIPAA compliant email on behalf of your patients.   This means making sure you have appropriate notices visible, both online and in the real world, warning patients about the security risks of transmitting protected health information (PHI) by ordinary email over the Internet.  For instance, many practices include a page for submitting questions to the office via email.  Consider posting a statement that warns about security prominently on that page, such as:
  • “Please keep in mind that communications via email over the internet are not secure.  Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by other parties besides the person to whom it is addressed.
  • Please do not include personal identifying information such as your birth date, or personal medical information in any emails you send to us.  No one can diagnose your condition from email or other written communications, and communication via our website cannot replace the relationship you have with a physician or another healthcare practitioner.” 
  2. Document the patient’s consent to receive communication by email.  Don’t assume that because your patient sent an email requesting PHI or sharing PHI, that he or she understands the risks of sending or receiving such emails.  Consider using a form like this “Emergency Contact Sheet” to document the patient’s preferences in many areas.  If you’re using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices.
  3. Use an EHR system with a patient portal function.  If you’re using an EHR system with a patient portal function, encourage patients to use the portal’s capabilities for secure communications.  Most portals deliver messages over an encrypted (HTTPS/TLS) connection rather than by email, but make sure the vendor certifies that to you in writing – and then test it yourself (for instance, confirm that the login and messaging pages are served only over HTTPS with a valid certificate) before encouraging patients to use it.
  4. Consider signing up for a secure, HIPAA compliant email application.  If you must use email to communicate with patients, a secure email application protects your communications by encrypting messages rather than sending them as plain text across the Internet.  Ask the vendor exactly where the encryption ends: a message the patient retrieves from an HTTPS portal stays protected, while a product that only encrypts the hop between mail servers leaves the message readable in the patient’s mailbox.
  5. Manually encrypt transmitted files.  If you don’t have a patient portal and don’t want to use a secure, HIPAA compliant email application, avoid including PHI in the text of the email, and encrypt any files containing PHI before attaching them.  Give the patient the passphrase through a different channel (a phone call, or in person), never in the same email or a follow-up email.
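As an added example of strategy 5 (this is illustrative code written for this page, not a tool the article recommends or a vendor product), the following Go program encrypts a PHI attachment under a passphrase with AES-256-GCM, using a PBKDF2-HMAC-SHA256 key derivation implemented from the standard library. The file layout (salt, then nonce, then ciphertext and tag), the function names, and the sample record are all my own assumptions; the workflow assumed is that the encrypted file goes by email and the passphrase is read to the patient by phone. Because GCM authenticates the data, a wrong passphrase, a renamed file, or a tampered attachment produces an error rather than garbage.

```go
// Added example: password-based encryption of a PHI attachment (AES-256-GCM).
// Illustrative code for this article, not a recommended product.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per-file salt for the key derivation
	keyLen     = 32      // AES-256
	iterations = 600_000 // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
)

// pbkdf2SHA256 derives keyLen bytes from a passphrase per RFC 8018,
// implemented with the standard library so the example has no dependencies.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block) // block index, big-endian
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_2 ... U_c, XORed together
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD derives the file key from the passphrase and salt and wraps it in GCM.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment returns salt || nonce || ciphertext || GCM tag. The file
// name is bound as associated data, so a renamed blob fails to open.
func EncryptAttachment(passphrase string, plaintext []byte, filename string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per file
		return nil, err
	}
	blob := append(salt, nonce...)
	return aead.Seal(blob, nonce, plaintext, []byte(filename)), nil
}

// DecryptAttachment reverses EncryptAttachment; a wrong passphrase, a different
// file name, or any modified byte yields an error, never partial plaintext.
func DecryptAttachment(passphrase string, blob []byte, filename string) ([]byte, error) {
	if len(blob) < saltLen+12+16 { // salt + GCM nonce + GCM tag
		return nil, errors.New("blob too short to be an encrypted attachment")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce, ct := rest[:aead.NonceSize()], rest[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("Patient: J. Doe, DOB 1970-01-01\nResult: HbA1c 6.2%\n")
	blob, err := EncryptAttachment("read-to-patient-by-phone", record, "labs.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted attachment: %d bytes; email labs.txt.enc, give the passphrase by phone\n", len(blob))
	if _, err := DecryptAttachment("guessed", blob, "labs.txt"); err != nil {
		fmt.Println("wrong passphrase rejected:", err)
	}
}
```

The passphrase is the only secret in this scheme, so it should be long and unique to the patient, and the 600,000-iteration derivation exists precisely to slow down an attacker who obtains the attachment and tries to guess it. Commercial tools (PDF encryption, 7-Zip, GPG) do the same job; the point of the example is what "encrypted" has to mean: authenticated encryption with a per-file salt and nonce, and a key that never travels with the file.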


Use HIPAA compliant email practices … sleep well at night

It is not far-fetched to think that one of these days, the OCR, while investigating a complaint from a patient about a privacy violation, determines that a provider was disclosing PHI when communicating via unsecured email with a patient, and that every such email to any patient constituted an unauthorized disclosure – a breach.  It might not take long to get to a breach involving more than 500 patients, with the notices to the media and the report to the Secretary of HHS that would entail.

Don’t be the practice or provider that finds itself in that unenviable position, simply because you didn’t pay enough attention to establishing HIPAA compliant email with your patients!

Email will be around for a while, in healthcare and so many other areas of our lives.  It’s a great tool, but like any tool, must be respected for its power – both for communications we want and for the potential to disclose information we want kept private.

Using email in healthcare requires more effort and safeguards than in other areas, but it certainly is possible to mix the two.

24 Comments to “HIPAA Compliant Email: some proactive strategies”

  1. Hi – I want to start communicating with patients about appointments by email. Is using an online email service such as Yahoo or Gmail considered HIPAA safe if all the necessary precautions and disclosures you stated above are met? If so, is Yahoo or Gmail considered more secure than the other?

    • Communicating with patients about appointments can mean many things. Sending a notice about an upcoming appointment (a one-way communication) can be easy to accomplish, and any online system can be used – but you must have the patient’s consent (in writing, if at all possible!) to receive such email notifications. If the patient does not consent, don’t use email notifications involving non-secure email systems. In any case, keep the information to a minimum, e.g., just the date and time of the appointment, and the name and location of the provider when there are multiple office sites, etc.

      Two way communications are more problematic, with more potential for additional PHI to be discussed. Even with a signed consent, patients may decide after the fact that additional information that can come up in two-way communication, e.g., reason for the visit, signs and symptoms, etc., are more information than the patient wanted to disclose – especially if there is a breach of the email itself. You may be able to document the patient’s agreement to such disclosures, but the time and trouble of responding to an Office of Civil Rights inquiry or investigation can be burdensome enough.

      All email systems such as Yahoo or Gmail are equally insecure, and should not be considered “HIPAA Compliant”. Only systems that encrypt email to the proper level can be considered HIPAA Compliant. There are several options that are easy to find searching the web. They are not free, but they are cheaper than dealing with a breach!

    • Marie,

      Gmail and Yahoo are not HIPAA compliant. Even Microsoft Exchange is not there yet. I recently saw a medical practice that had the office Yahoo account attacked. All the email was deleted. All the contacts were mailed a “Nigerian Money Letter” using the Dr.’s credentials and name.

      Mark H.
      Microsoft Certified Professional
      Novell Certified Administrator

  2. Does anyone have any experience with email applications/servers that offer these services, such as MDofficemail?

    I am a solo practitioner in a rural setting and do not use this much, but I do use it and need to make it secure.

    Thanks for any input.

  3. In reference to initiating an email conversation with a patient (the patient provided an email address), is it OK to send a mass email out with a general message to prompt each individual to contact the office, as long as no personal patient information is included? The only information that may be taken away from the email is the actual email address (no patient name, or any other PHI attached).

    • Kathy, whenever we see the phrase “mass email” in the context of a patient population, we get a little nervous. Has everyone who is on the list of addressees consented to receive email communications from your company? In general, we emphasize getting a documented “informed” consent to the use of email for communications from a healthcare provider.

      As you can see in the text of our blog on the subject:
      “Don’t assume that because your patient sent an email requesting PHI or sharing PHI, that he or she understands the risks of sending or receiving such emails. Consider using a form like this “Emergency Contact Sheet” to document the patient’s preferences in many areas. If you’re using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices.”

      While the PHI being disclosed in the type of email you describe is minimal – a person reading it could reasonably assume the person to whom it is addressed is receiving services at your clinic – you never know if this is a surprise to another person with access to the email account, e.g., a spouse who did not know about the services being rendered. And just because the only identifier is an email address, in some states, that is a protected piece of personal information. Asking patients to sign a consent gives them a chance to think about who sees these emails at their end, and protects you from accusations of unauthorized disclosure of PHI.

      To sum up, always have permission to use email to communicate with patients. It is a very important risk management strategy these days!

  4. Is the use of only a name in an unsecured/unencrypted email considered to be PHI if no specific discussion is taking place on medical/health issues? i.e. email discussion with coworkers at a health plan about premium payment or enrollment for a specific individual?

    • Andrew, an email conversation about such limited topics may not run afoul of HIPAA Privacy regulations, if it were intercepted or otherwise disclosed. Just watch out for “message creep”, where more info is disclosed that may run afoul of state laws, if not HIPAA.

  5. I’m VP of Operations of a Reputation Management Tool that helps businesses build online reviews. We’re considering moving into the health industry, and I am curious if our process would be in violation of HIPAA. To execute our system, a physician’s office would create a survey in our system and then either add our “Survey Link” to their email marketing/email client or import a patient email list into our system to send the surveys to their patients. Their patients would have the option to complete the short survey, or not, and opt in/out to allow the practice to share the review as desired to social media and their company website. The patient would also be prompted to share their review to Vitals, Healthgrades, etc. I assume adding our “Survey Link” to their email system would be the best for compliance, but is there any compliance issue with the patient list being imported into our system? Or, sending the list to their account manager for import/upload?

    • Eric, there are two considerations related to HIPAA regarding your proposed service: the privacy of Personal Health Information (PHI) and the regulations concerning marketing that apply to healthcare providers.

      With respect to the privacy of PHI, we take a conservative approach, specifically that even the minimum information that a person has visited or received services from a health care provider can be considered PHI. And in some states, even an email address is considered identifying information. We therefore strongly recommend the healthcare provider organization obtain written consent from the patient to use or communicate with the patient via email. And it is not enough to give patients an option to opt out after receiving an email communication from a medical provider. The damage may be done just by means of the first email, e.g., an email from a mental health provider that goes to an email account that other family members can access – and who did not know of visits to the mental health provider. And then there is the issue of sending lists of patients over the internet. Unless the email application in use is encrypted, or the file with patient information is encrypted, it is extremely risky to send files with PHI over the internet.

      The HIPAA Omnibus Final Rule of 2013 also contained some important clarifications and extensions on the use of PHI for marketing purposes. See our blog on the topic at While a healthcare provider sending its patients a survey about the experience the patient had at that provider may be permitted without specific patient consent to use PHI for marketing, a third party Business Associate sending such a survey (presumably being compensated for the service) definitely seems to fit into a category where patient consent to use PHI for marketing purposes is required.

      You may also find that many healthcare providers “know” about HIPAA and the restrictions, etc., but they do not really know about HIPAA and the digital environment that you and your clients will be operating in. We recommend vendors such as your organization become experts in the area, knowing for instance that files with PHI should not be sent unencrypted over the internet; that your clients need a Business Associate Agreement to share PHI with you; that healthcare providers should get written consent to communicating with their patients via email – when the HCP (or a third party acting on its behalf) is initiating the communication; that any Covered Entity or Business Associate creating, using or storing PHI electronically needs a HIPAA Risk Assessment – and showing them documentation of yours!

      There are many instances of breaches of PHI reported, most involving loss or theft of devices such as laptops. There have been a couple of fines levied due to potential breaches (firewalls left down, etc.). The point is, when there is a breach, or a complaint from a patient that their PHI was disclosed without their authorization, and an HHS Office of Civil Rights investigation starts, they never look at just one issue. They do a top to bottom review of policies, procedures and practices related to privacy and security of PHI and ePHI. That’s when missing components of safeguards come to light, and the fines start to add up! There is just no substitute for doing it right the first time!

  6. Most references to HIPAA (and HITECH) seem to be about hospitals, physician practices, medical insurance companies, and other truly medical professions. However, there are types of businesses that use PHI and are still considered covered entities, such as case management and other human services organizations. Employees of such organizations are often working in the community rather than in an office setting, and must frequently communicate with one another, with the clients directly, and with other providers. Email is often used because of its ease (smart phones), its immediacy, and the ability to communicate with more than one person at a time. Even an encrypted email system presents as a challenge because the receiver of the email must go through multiple steps to access the information (which is particularly difficult for those who are not as proficient on the computer). Certainly, encrypting the email is preferable, but if encryption is not used, is it acceptable to use initials of the person, along with a description of the issue (which is generally not a medical problem but a social/familial issue)? Also, what do the rules say about text messaging?

    • Unfortunately, there are no differences in the requirements for safeguarding PHI based on the setting in which you work, or the type of services provided. A breach that occurs because of a case manager or home care nurse who loses a laptop out in the community is no different than a breach that occurs because the lost or stolen laptop was used in a hospital or medical office setting. The Office of Civil Rights of HHS that investigates breaches will view the lack of use of encrypted email to send PHI because of perceived lack of proficiency on a computer as a training issue the organization should have addressed as part of its risk assessment. In other words, the device and the setting do not matter when it comes to safeguarding PHI. Organizations are expected to assess their risks, and take steps to mitigate those risks while still getting their respective jobs done.

      Use of non-encrypted email may be acceptable when the subject does not include PHI – information on the healthcare services a person is receiving, the diagnosis, the provider, etc., etc. Even social/family issues may require some contextual issue that is related to the items above, in order for the recipient to understand the issue. So why take a chance that an employee may disclose information that is PHI while trying to convey other information that is not PHI? And using initials or some other combination of identifiers may cause confusion when you inevitably have a situation where the identifiers (like initials) apply to more than one person.

      Texting is not considered a secure method of transmitting or storing texts containing PHI. Some carriers may store the text messages for a time, meaning they could be read by someone else. And not everyone protects their phone in the event of loss or theft, again leaving PHI potentially unprotected. In any case, it is highly recommended that you undertake a risk assessment to document your strengths and weaknesses – and then take action on the findings!

  7. My company is interested in doing some email marketing with patients. Do you have or do you know where I can get, a patient email release/consent form that complies with HIPAA? Can I use this same email consent form for employer/OCC Med marketing? We are interested in sending non-patient specific health tips of the month…flu season/shot reminders/workplace safety tips– nothing that could be construed as confidential but it will be coming from a medical office so it appears that HIPAA rules will be applicable in using email marketing communications.

    • Margaret, there is no particular “HIPAA compliant” consent form to patient email communication. Here is a line from the Patient Emergency Contact Information Sheet we recommend practices utilize to record patient communication preferences.
      “(Practice Name) may send me email messages such as appointment reminders at the following email address: . (Leave blank if you do not wish to be contacted via email.)”

      There are also new rules regarding marketing to patients that you should review prior to starting any kind of marketing to patients, via email or otherwise. Check out our recent blog on the topic at

  8. A hospital requested that I send them information via email related to procedure billing which includes information protected by HIPAA. Are there safeguards or obligations for covered entities related to inbound emails if they requested them?

    • There are no special rules for covered entities that share PHI using unencrypted email. It will be no defense, if you are found to have caused a breach, that “the hospital told us to do it”.

  9. Hi,
    I am a HIT student with an assignment to compose an email asking a physician to submit a new dictation for a patient surgery because the original was misplaced. It is my understanding that PHI can be included in an encrypted email. Am I correct in this, or should PHI be excluded even if encryption is used? Thank you for your help.

    • Terry, using an email application which uses at least 128-bit encryption is generally considered to be safeguarding any PHI contained in the email. So provided the encryption algorithm of the application meets that standard, you should be meeting the standard.

  10. I just started working for a nonprofit patient advocacy group as their Development Director. I want to improve their ongoing communication with their various support bases through the use of an email marketing service (i.e. Mail Chimp, Constant Contact, etc.). Some of the individuals in these support bases are patients with a specific genetic condition that the organization provides support services to, others are not.

    As I’m sure you are aware, to use such a service we would need to upload lists containing names and email addresses. This communication would never contain any PHI and would never identify any person as being someone who is receiving support services or is a general interest contact – it would always be general info such as agency accomplishments, updates on scientific research, upcoming events, etc.

    The organization has never done this type of outreach to their support audiences before, so no prior authorization for an email marketing service has been obtained. All emails would have the ability to opt-out by clicking a link within the email.

    What needs to be done on my end so we may include the patients we support/advocate for in our general communication efforts and still remain HIPAA compliant? I’ve read the other blog post you’ve referred to in this thread, but am unsure how a nonprofit advocacy organization fits into this mix.

    • Jennifer, you mention that your organization provides support services to some of the potential addressees of your email campaign, and since, per your website, you are offering genetic testing, you would be considered a health care provider for various HIPAA purposes. With that in mind, I recommend you review our blogs on communications involving marketing and fundraising communications. You definitely need authorization to communicate with patients on these types of topics.

      You might start with an email (at least to addressees who are patients) announcing your plan to begin publishing information (including the type of content) to your support bases via email, and give the addressees the option of continuing to receive such emails, or opting out of receiving them. Then you can send them to recipients who are on record as wanting to receive these communications. This may cut down on the number of people who want to receive these communications, but an opt-out only process does not really establish that you are authorized to send such emails to patients, which is the requirement.

  11. I am not sure exactly which blog post you are referring to, but here is a link to a post about marketing that anyone considering email marketing should take note of:

  12. Thanks. It was in reply to a question on 6/17/14. What we are really wondering: We are a pediatric practice. Can we upload parent email addresses to a service like MailChimp or Constant Contact in order to send out a newsletter from our practice? No PHI is in the newsletter itself, but does uploading those email addresses to the email marketing company constitute a HIPAA breach?

  13. The issue in this case has more to do with the use of an email address a parent gave you, and your formal notice about how you will use that email address, plus the method of uploading to the service (it should be via an encrypted channel). In some states, email addresses are considered personal information you are required to keep confidential. If you are collecting email addresses, you should tell your parents/patients what you will, and will not, do with them, e.g., sell them to another entity. And you should make sure the service provider will not do that, either. There should be a “permission reminder” at the top or the bottom of the email.

    If you are sending a newsletter that contains marketing information, you should have permission to send marketing materials to your patients via email, especially in the event a vendor is helping sponsor your newsletter in exchange for the ability to advertise products or services in your newsletter. That is the type of activity that is covered by HIPAA.


Excellence since 1989

The Fox Group was founded in 1989 and has provided outstanding healthcare consulting and executive management services to domestic and international clients throughout the United States and Europe.

