HIPAA and Email: there are rules


Part one of a two-part series on HIPAA and email.

Email has been widely used by both businesses and the general public for much of the last thirty years, and reliance on it has found its way into the daily lives of millions. In fact, email has been around so long that its use has become passé for some people. This may be due to a quest for newer methods of communication or because email has become as odious as unwanted mail from the post office. In any case, it’s not going away anytime soon, especially for communications between individuals and healthcare providers. Many providers use email to communicate with patients, and protected health information (PHI) may be exchanged in those messages. Those providers should consider the HIPAA compliance requirements that protect PHI from unauthorized disclosure.

Is Unsecured email HIPAA Compliant?

It bears repeating that the Internet, and things like an email sent over the Internet, are not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed. What is increasingly common is that a patient’s email address has been entered into a record with errors. The email then never reaches the patient but does go to someone else who actually has the incorrectly entered address. This means the first rule of avoiding unauthorized disclosure of PHI is to get the email address right!


HIPAA and email can coexist … it’s a matter of understanding the rules

What do the Privacy and Security Rules allow – or prohibit – when it comes to HIPAA and email? Many people are looking for specifics on HIPAA-compliant email, and the topic is discussed on the HIPAA FAQ pages. But, as with much of HIPAA, people in covered entities start from the premise that they must protect PHI; what they should then do is reason carefully about how they are protecting it.

Under many HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc. But what is considered reasonable? The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) includes several statements on its HIPAA FAQs page. Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.”

The above OCR excerpt gives us some guidance, but there are always more questions and nuances with such things when attempting to put them into daily practice. So let’s explore some of that.

What if a patient initiates communications with a provider using email?

The OCR says: “Patients may initiate communications with a provider using email. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks and let the patient decide whether to continue email communications.”

Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via email rather than on a postcard, if email is a reasonable alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email correspondence.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an open electronic network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email containing PHI;
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks. For instance, sending medical records via email should only be done using a secure HIPAA compliant email application, or after the patient has acknowledged that you are going to send the medical records using unsecured email.
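As an added illustration (not code from the article or any particular product), the Python gate below applies the precautions summarized above before a message is handed to a mailer: the outgoing address must match a patient-confirmed address, the patient must not have asked for another means of communication, and medical records may only go unencrypted after the patient has acknowledged the risk. The `PatientPrefs` fields, the `send_decision` rules, and the sample addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed illustration of the precautions in the summary list; the
# PatientPrefs fields and the decision rules are assumptions, not the API
# of any real EHR or secure-email product.

ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class PatientPrefs:
    email: str                        # address as entered in the patient record
    email_confirmed: bool = False     # patient answered an address-confirmation alert
    email_ok: bool = True             # False if the patient asked for another means (164.522(b))
    patient_initiated: bool = False   # patient started the email exchange themselves
    unencrypted_ack: bool = False     # patient was warned and accepted unencrypted email


def send_decision(prefs: PatientPrefs, to_addr: str,
                  contains_records: bool, secure_channel: bool) -> Tuple[bool, str]:
    """Decide whether a message may be passed to the mailer. Returns (allowed, reason)."""
    if not ADDRESS_RE.match(to_addr):
        return False, "malformed address"
    # Rule one: the address on the outgoing message must be the one on record.
    if to_addr.strip().lower() != prefs.email.strip().lower():
        return False, "address differs from the patient record"
    if not prefs.email_confirmed:
        return False, "address unconfirmed: send a confirmation alert first"
    if not prefs.email_ok:
        return False, "patient requested an alternative means of communication"
    if secure_channel:
        return True, "secure email application"
    # Unencrypted path: records need explicit acknowledgement; other messages
    # are acceptable if the patient initiated contact or accepted the risk.
    if contains_records and not prefs.unencrypted_ack:
        return False, "records require secure email or patient acknowledgement"
    if not (prefs.patient_initiated or prefs.unencrypted_ack):
        return False, "warn the patient about unencrypted email and record their choice"
    return True, "unencrypted email accepted by patient"
```

The reason string is meant to be logged alongside the blocked message so the practice can show which safeguard was applied and why.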


Short answers to other complicated HIPAA questions about email.

HIPAA compliance is a hot topic these days, and there are many questions about how it applies to email. To get you up to speed on the most pressing issues, we’ve compiled this list of common queries and their answers.

1. Can protected health information be emailed? Yes, but take care to make sure the email address is correct and the patient has agreed to receive emails containing PHI – even if you encrypt them.
2. What is required for HIPAA compliant email? Patient consent is highly advisable. Encouraging patients to send messages via the patient portal in your EHR system is a good way to attain secure communications. Using a secure email application is also a way to ensure the PHI in an email remains private.
3. Is encryption of email required for HIPAA compliance? No, but see #2 above for strategies that are highly advisable for protecting PHI.
4. What is a HIPAA compliant email application? HIPAA compliant email, or secure email, is usually a separate application from email applications like Gmail, Outlook, or Apple Mail. A secure email application encrypts the text of an email, plus any attachments. The recipient receives a notification via email and is directed to a website where they can log in and retrieve the text or information in the email.
5. Are patient names and email addresses considered PHI under HIPAA? Yes. HHS specifically states: “Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

Given the list in the parentheses above, it’s easy to extend it to things like “email address, phone number, IP address”, and more.

6. Is email correspondence between doctor and patient part of the medical record? If the email correspondence is related to the patient’s care, it should generally be included in the medical record.

HIPAA and email continued …

So how should hospitals, medical practices and other healthcare providers ensure they’re using HIPAA compliant email? I’ll cover that in Part II of this series. Stay tuned.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.
