HIPAA Compliant Email: some proactive strategies


Part two of a two-part series on HIPAA and email

In Part I of this post, we reviewed some of the statements that the Office for Civil Rights (OCR), which enforces the Privacy Rule, makes in its online FAQs about HIPAA and email. Now that we have a better understanding of those rules, let's explore how medical practices and other providers can make sure they are using HIPAA compliant email. After all, knowing the rules is one thing, but putting them into practice is what keeps you and your healthcare organization out of trouble.


5 strategies for achieving HIPAA compliant email

As with so many other questions in HIPAA compliance, there is no single answer to what constitutes HIPAA compliant email. The options below, however, are first-line strategies that go a long way toward meeting HIPAA's requirements for email.

  1. Be the expert on HIPAA compliant email on behalf of your patients.  Make sure appropriate notices are visible, both online and in the office, warning patients about the security risks of sending protected health information (PHI) by ordinary email over the public Internet.  For instance, many practices have a web page for submitting questions to the office by email.  Consider posting a prominent security warning on that page, such as:
  • "Please keep in mind that communications via email over the Internet are not secure.  Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by parties other than the person to whom it is addressed.
  • Please do not include personal identifying information, such as your birth date, or personal medical information in any emails you send to us.  No one can diagnose your condition from email or other written communications, and communication via our website cannot replace the relationship you have with a physician or another healthcare practitioner."
  2. Document the patient's consent to communicate by email.  Don't assume that a patient who emails you a request for PHI, or emails PHI to you, understands the risks of sending or receiving such messages.  Consider using a form like this "Emergency Contact Sheet" to record the patient's preferences in a number of areas.  If you use an EHR system, do not enter a patient's email address without making sure the patient knows they may receive appointment reminders and other notices at that address.
  3. Use an EHR system with a patient portal.  If your EHR includes a patient portal, encourage patients to use it for secure communication.  Most portals deliver messages and records over encrypted (HTTPS) connections, but have the vendor confirm that to you in writing, and then check it yourself (for example, that the portal's login and messaging pages are served only over HTTPS with a valid certificate) before steering patients to it.
  4. Consider a secure, HIPAA compliant email service.  If you must use email to communicate with patients, a secure email service encrypts messages in transit, typically by delivering them through an encrypted web portal or over an encrypted connection to the recipient's mail server.  Whichever service you choose, make sure the vendor will sign a business associate agreement (BAA), since it will be handling PHI on your behalf.
  5. Manually encrypt transmitted files.  If you don't have a patient portal and don't want to use a secure email service, keep PHI out of the body and the subject line of the email, and encrypt any file containing PHI before attaching it.  Deliver the passphrase to the patient by a separate channel (a phone call, or in person), never in the same email or a follow-up email, and remember that an encrypted attachment does nothing to protect whatever is written in the message itself.
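The following is an added example of strategy 5, not code from the original post or from the author: it encrypts a file containing PHI with the openssl command-line tool before the file is attached to an ordinary email, and includes a round-trip self-check to run before sending anything real. It assumes openssl (1.1.1 or later, for PBKDF2 support) is installed, and that the passphrase reaches the patient out of band. The sample record it builds is constructed, not real patient data.

```shell
# Added example (not from the original post): encrypt a PHI file before
# attaching it to an ordinary email, then verify the round trip.
# Assumes the openssl command-line tool is installed. The passphrase is
# assumed to be given to the patient by phone or in person, never in the
# same email as the attachment.

# Encrypt plaintext $1 to ciphertext $2, reading the passphrase from file $3.
# AES-256-CBC with a PBKDF2-derived key: the high iteration count makes
# passphrase guessing expensive, and -salt makes two encryptions of the
# same file produce different output.
encrypt_phi_file() {
    plaintext="$1"; ciphertext="$2"; passfile="$3"
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$plaintext" -out "$ciphertext" -pass "file:$passfile"
    chmod 600 "$ciphertext"   # owner-only until it is attached
}

# Decrypt ciphertext $1 to plaintext $2 with the passphrase in file $3.
# The iteration count must match the one used for encryption.
decrypt_phi_file() {
    ciphertext="$1"; plaintext="$2"; passfile="$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$ciphertext" -out "$plaintext" -pass "file:$passfile"
}

# Self-check to run before sending anything real. Builds a constructed
# sample record (not real patient data), encrypts it, confirms the
# ciphertext does not contain the patient's name in the clear, decrypts
# it and compares with the original. Returns 0 on success, 1 otherwise.
verify_roundtrip() {
    workdir=$(mktemp -d)
    printf 'Patient: Jane Example\nDOB: 1970-01-01\nVisit: 2024-03-01\n' \
        > "$workdir/visit_summary.txt"
    # Random passphrase; in practice, read it to the patient over the phone.
    openssl rand -base64 24 > "$workdir/pass.txt"
    chmod 600 "$workdir/pass.txt"

    encrypt_phi_file "$workdir/visit_summary.txt" \
        "$workdir/visit_summary.txt.enc" "$workdir/pass.txt"
    decrypt_phi_file "$workdir/visit_summary.txt.enc" \
        "$workdir/decrypted.txt" "$workdir/pass.txt"

    status=1
    if cmp -s "$workdir/visit_summary.txt" "$workdir/decrypted.txt" \
        && ! grep -q 'Jane Example' "$workdir/visit_summary.txt.enc"; then
        status=0
    fi
    rm -rf "$workdir"
    return "$status"
}

verify_roundtrip && echo "PHI file round trip OK"
```

Two caveats on the design. `openssl enc` provides confidentiality only: a tampered or wrongly decrypted file is caught only when its padding happens to be invalid, so if you also need tamper detection, use a tool with authenticated encryption (gpg's symmetric mode or age, for example). And the encrypted attachment's filename, the subject line and the message body all travel in the clear, so none of them should carry PHI.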


Use HIPAA compliant email practices … sleep well at night

It is not far-fetched to think that one day the OCR, while investigating a patient's complaint about a privacy violation, will determine that a provider was disclosing PHI when it communicated with that patient by unsecured email; that every such email constituted an unauthorized disclosure, in other words a breach; and that the same was true of every such email sent to any patient.  It might not take long to reach a breach involving more than 500 individuals, with all the attendant notices to the media and reports to the Secretary of HHS that would entail.

Don’t be the practice or provider that finds itself in that unenviable position, simply because you didn’t pay enough attention to establishing HIPAA compliant email with your patients!

Email will be around for a while, in healthcare and in so many other areas of our lives.  It's a great tool, but like any tool it must be respected for its power, both for the communications we want and for its potential to disclose information we want kept private.

Using email in healthcare requires more effort and safeguards than in other areas, but it certainly is possible to mix the two.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.


92 Comments on "HIPAA Compliant Email: some proactive strategies"


Hi – I want to start communicating with patients about appointments by email. Is using an online email service such as Yahoo or Gmail considered HIPAA safe if all the necessary precautions and disclosures you stated above are met? If so, is Yahoo or Gmail considered more secure than the other?

Mark Heavey


Gmail and Yahoo are not HIPAA compliant. Even Microsoft Exchange is not there yet. I recently saw a medical practice that had its office Yahoo account attacked. All the email was deleted. All the contacts were mailed a "Nigerian Money Letter" using the Dr.'s credentials and name.

Mark H.
Microsoft Certified Professional
Novell Certified Administrator

Mark D.

Does anyone have any experience with email applications/servers that offer these services, such as MDofficemail?

I am a solo practitioner in a rural setting and do not use this much, but I do use it and need to make it secure.

Thanks for any input.


In reference to initiating an email conversation with a patient (the patient provided an email address), is it OK to send a mass email out with a general message to prompt each individual to contact the office, as long as no personal patient information is included? The only information that may be taken away from the email is the actual email address (no patient name or any other PHI attached).


Is the use of only a name in an unsecured/unencrypted email considered to be PHI if no specific discussion is taking place on medical/health issues? i.e. email discussion with coworkers at a health plan about premium payment or enrollment for a specific individual?

I'm VP of Operations of a Reputation Management Tool that helps businesses build online reviews. We're considering moving into the health industry, and I am curious if our process would be in violation of HIPAA. To execute our system, a physician's office would create a survey in our system and then either add our "Survey Link" to their email marketing/email client or import a patient email list into our system to send the surveys to their patients. Their patients would have the option to complete the short survey, or not, and opt in/out to allow the practice to share the review… Read more »
Most references to HIPAA (and HITECH) seem to be about hospitals, physician practices, medical insurance companies, and other truly medical professions. However, there are types of businesses that use PHI and are still considered covered entities, such as case management and other human services organizations. Employees of such organizations are often working in the community rather than in an office setting, and must frequently communicate with one another, with the clients directly, and with other providers. Email is often used because of its ease (smart phones), its immediacy, and the ability to communicate with more than one person at a… Read more »

My company is interested in doing some email marketing with patients. Do you have or do you know where I can get, a patient email release/consent form that complies with HIPAA? Can I use this same email consent form for employer/OCC Med marketing? We are interested in sending non-patient specific health tips of the month…flu season/shot reminders/workplace safety tips– nothing that could be construed as confidential but it will be coming from a medical office so it appears that HIPAA rules will be applicable in using email marketing communications.


A hospital requested that I send them information via email related to procedure billing which includes information protected by HIPAA. Are there safeguards or obligations for covered entities related to inbound emails if they requested them?


I am a HIT student with an assignment to compose an email asking a physician to submit a new dictation for a patient surgery because the original was misplaced. It is my understanding that PHI can be included in an encrypted email. Am I correct in this, or should PHI be excluded even if encryption is used? Thank you for your help.

I just started working for a nonprofit patient advocacy group as their Development Director. I want to improve their ongoing communication with their various support bases through the use of an email marketing service (i.e. Mail Chimp, Constant Contact, etc.). Some of the individuals in these support bases are patients with a specific genetic condition that the organization provides support services to, others are not. As I’m sure you are aware, to use such a service we would need to upload lists containing names and email addresses. This communication would never contain any PHI and would never identify any person… Read more »

Can a medical office email photos of patients' faces and/or body parts?
Thank you.


I work for a hospital surgery department. We have a surgery scheduler that will send emails to specific employees and reps about certain procedures. Some of these emails are not through our hospital system, but gmail, hotmail, or aol accounts. If any, what information is okay to send to those people? Would it need to be something as simple as the Date, Surgeon and Procedure?

IT Person
I was reading through your blog on HIPAA and I was wondering if you had any insight on if another company can force you to use their technology to send secure emails. For example, our company has on their mail server a McAfee technology that reads all outgoing mail and determines if it needs to be encrypted. If it does it forces the recipient to have to go to a portal which is secured to be able to view and reply to the message. Another larger company we do business with says they don’t want to use the portal and… Read more »
Ellen B

I have clients that need information sent to a third party such as an attorney, EAP or other medical/mental health practitioners. How does HIPAA apply to sending letters on progress via email to these people, even when there are consents to release information on file and a client has signed a release on the letter itself? What identifiers are OK (full name, initials, DOB, SS#) and which ones are not for an email attachment without encryption or secure files?


Curious about statements/superbills. I am using SimplePractice but need to send patients their statements/superbills with diagnosis & ICD codes. I want to be able to use SimplePractice’s 1-click e-mail button to send these, but their system is not HIPAA compliant. Would I be protected if I had clients sign a form allowing this prior to sending? It’s important to me to make sending these statements/superbills more convenient & streamlined but still want to be safe.

We have several accounts at our practice that have balances on them. In another attempt to communicate with patients in a natural, non-harassing way, we would like to remind them of their balance when they request medical records. Records are requested through our website and a simple, non-identifying confirmation email is sent once the records are processed. Can we include the balance in the email or is that too much information? It would be simpler to send them a detailed statement to proactively answer questions, but if they have not consented to receiving that information via email would it be… Read more »

If a patient requests electronic format, is there anything saying I must comply? Please support with the appropriate location in the Privacy Act/HIPAA.

Robert Shaffer
I keep having conversations regarding the use of a client's full name in the subject line of e-mail. The e-mails are internal and although we have a firewall, the possibility of an e-mail being misdirected is always present. I am of the belief that if we use any naming convention it should be either the first name, as many health care providers' offices do in the waiting room, or just initials. I have been looking into the regulations and may be misreading them, but I don't see specific mention of using names in the subject line. If there is… Read more »
I work for a company that handles the billing and collections for clients (typically pharmacies and physicians offices). As our office handles multiple clients we are considered off-site and not in the same building as the clients. Therefore, email is the most convenient method for the pharmacy and/or physician’s office to transmit prescriptions, patient reports, patient demographics, etc for the purpose of billings and collections. This information is obviously considered PHI. I want to ensure that our offices, as well as our clients’ offices, are being HIPAA compliant. We currently use gmail as our email server. Prior comments and postings… Read more »

Can coworkers communicating via interoffice email enter a patient’s name in the subject line of the email to one another?

Hello, As an IT person, that occasionally needs to work with our (not medical related) company’s HR data, I recognize that HIPAA exists, and that anything I can see with administrative access should always be considered with utmost confidentiality. I do not claim to know very much about HIPAA in general- I just know, do not pass on the slightest bit of information you obtain in your daily job, that can reveal any personal information at all. As a computer programmer, that has much interest in email security, knowledge of viruses, trojans, bots, etc., I take my own personal email… Read more »

I would like to send a handwritten thank you note to a referring doctor. The patient said it was OK and produced a snail mail address. How do HIPAA rules apply to this sort of communication?


As far as HIPAA is concerned, is it permissible to use client/patient initials or just the first name in emails?


I received an email with our Adult Day Center client's name. The email was not HIPAA compliant. What steps do I need to take to correct the situation?

I printed the email, then it was shredded, then the email was deleted. What else do I need to do?

Thank you

Paul S.
Thank you for this opportunity to ask a question. My concern surrounds a 501c(3) receiving PHI through email for enrollment purposes for medical expenditure assistance. Were the enrollee to submit the PHI for an application in an email to the 501c(3), does this expose the 501c(3) to HIPAA constraints? Once received, it would be in a secure environment and no further transmission (back and forth with the patient, for example) would be required. Additionally, a patient will oftentimes ask in a telephone conversation if this is acceptable and most times dissuaded from doing so and requested to use a fax.… Read more »
William Croninger
I have a question similar to one you answered earlier regarding images sent via email between my cell phone and hospital computer. The images (videos) do not include patient faces and I edit out any tattoos that are visible. Images are of specific joints that we are working on in therapy. The image is transmitted via my personal email account to the work computer to be included in a patient note following a treatment session. Once received on the work computer the image(s) are deleted from the cellphone. I will be giving a workshop on photography in the clinic in… Read more »
Pete Murphy
(Apologies – first post was misleading) I have a question that a few colleagues and I have been discussing regarding the “setup” of an account via a patient portal (for example). One group believe that HIPAA permits a medical system to send an email that contains ALL the login credentials to access ePHI via some sort of portal. The other group believes it’s a HIPAA requirement to split the username login details into one email; and then send the password (and potentially the URL of the portal) to that account via a 2nd email. I’ve tried looking for online resources… Read more »

Hi Jim-
If we are sending emails within our office, what are the key components that deem it necessary to use a secured email application? For example: would the name J. Smith (made up) alone require this, or would it be the full name with more information?
Thank you for your help


How should a doctor respond to a new patient if they contacted the doctor via email about general office procedures such as what to expect during a visit, how long a visit is, how early to arrive to do paperwork, etc., and the doctor does not have encrypted email to respond with? Is it considered a HIPAA violation to answer similar questions through a non-encrypted email? Would notifying the patient that the email is not secure/encrypted be the first step to take when responding to the patient, and then answering their questions?

roger stocker
I am a patient who has requested that my bills be sent via email as an attachment, as I am having trouble faxing my paper bills and getting confirmation that my insurance company has received them. My insurance carrier mentions they have an email service which automatically informs customers that they have been received and processed. However, my counselor is not sure whether this information can be sent to me without it being encrypted. He mentions he does not have a way to encrypt. I am willing to take the risk as the alternative is to send it via fax… Read more »
Kathryn Evers

If I am emailing back and forth with a business associate, can we include the patient’s first name and last initial and reference dates of service and be considered HIPAA compliant. I am asking my business associate to use a secure system and she is arguing that she is not being non-compliant in regular gmail only using first name and last initial.
Please advise.


Good evening, is Apple email HIPAA compliant for appointments with a patient's written, signed agreement in registration forms?


We would like to continue to send thank you referral letters to patients that have referred new patients. Can we do this using the patient's first name and last name initial?


What if a covered entity emails a reminder to a patient (with the patient's written consent)? The reminder asks questions about allergies or changes in the patient's medical conditions. The patient's response would include PHI. Would the covered entity have to send the outgoing email securely?

I received a “mass” email from my doctor’s office in which the sender did not bcc the recipient’s email addresses. 270 patients email addresses were disclosed just in the email I received. That was just the first batch of the alphabet. Which in essence is 270 user names disclosed that patients use to log in to the patient portal. As well as my privacy has been violated along with the other 269 people. Not to mention there were email addresses that are recognizable since they are actual names of patients used in their email addresses. I was and still am… Read more »

My ex-boss is a radiologist and we email reports to the imaging centers and/or doctors via Gmail. From what I've read, it doesn't seem like that is an acceptable HIPAA practice?

My company supports doctors' offices, which often requires that we send/receive emails containing PHI. Recently we changed over to an MS Office 365 Enterprise license so we can send HIPAA-secured emails. We add the word "Secure" in the subject line, which then requires the receiver to log in to read the email. We've noticed this has created very negative responses from our clients. They think it's a giant pain in the neck to have to log in to read every single email (which I agree with). We're at the point that we can no longer get many people to answer our requests for… Read more »

I recently had a doctor send medical records to my email. The attachments were easy to open, just a click, no password required. I found out his site is through godaddy.com and his mail through Google.com. Does this sound HIPAA compliant?


I work for a health insurance agency. As we process paper enrollments, we email the agent to let them know that the application has been processed. What information can we give in the email to remain HIPAA compliant? The agents are asking for carrier, client's name and effective date of the policy. I feel like this much information would be a violation.

Amy Anders
I consented to have my doctor send my invoices to me via email (verbally, I didn't sign anything). These invoices are PDF files that contain my name, address, and procedure codes. I did not realize that his office assistant would do so using her personal AOL account, but this is what's occurring. I have advised him that this is a terrible practice. If his assistant quits tomorrow, she has all his patients' data, including invoices, claim forms, etc. She could get hacked, phished, and so on. He won't take me seriously. Theirs is a very small practice, and he's an older guy.… Read more »

We have a method to send secure emails, but are trying to determine when secure emails should be used, and when emails can be sent unencrypted. We communicate regularly with case managers on patients’ accounts. What identifiers are okay to send unencrypted (full name, first name/last initial, only initials, DOB, SS#, Medicaid #, address, ZIP code) and which ones should only be sent via secure email?


On an unencrypted email I sent to another medical office I wrote “Does Doe have a Group Health auth to see Dr Smith?” I did not use patient’s first name or DOB. I was just chastised by our HIPAA compliance officer for breaking protocol. I fail to see this. Please comment. Thank you.


Is it safe to use a service like MailChimp or Constant Contact for newsletters that are on general lifestyle subjects and do not contain any PHI? Because the email address is on this platform, is this a consideration? Does the service agreement for this type of provider, which includes security agreements, cover the safety of their use?