HIPAA and Email: there are rules

HIPAA and Email

Part one of a two part series on HIPAA and email.

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email, and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then  it bears repeating that the Internet, and things like email sent over the Internet, is not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.

HIPAA and email continued …

So how should healthcare providers ensure they’re using HIPAA compliant emailI’ll cover that in Part II of this series.  Stay tuned.

When you need proven expertise and performance

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.

Leave a Reply

228 Comments on "HIPAA and Email: there are rules"

Notify of
avatar
Sort by:   newest | oldest | most voted
Ryan Thomas Neace, MA, LPC, NCCC
Guest
So…In light of all this, I have a question regarding HIPPA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be… Read more »
naomi
Guest

do you have any suggestions of some HIPAA compliant email services?

Marie
Guest

I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
It’s obvious this is an issue of control and I’m aware of HIPPA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?

Laura
Guest

Can a pediatric practice email or fax vaccine records to parent of patient without written consent?

Kara
Guest

I just received an email from my ob/gyn about a health fair they are having. I can see the names of all recipients of the email. Is this a violation?

Shanin Smith
Guest

I recently received email correspondence from a government body with a different person’s name and address. Is this still considered a violation of hippa?

Barbara Dorry
Guest

Is it PHI under HIPAA if a patient’s name is included in an email regarding a) a check that was received by a practice or b) a bounced check paid to the practice by a patient?

Suzanne Knepp
Guest
My employer plans to replace a patient portal product in the future. The patient portal allows the patient to send secure messages to their care provider as well as view lab results, renew prescriptions and schedule appointments. With the current patient portal, the patient’s email address is collected and stored as demographic data. When it comes time to bring the new patient portal on line, methods to inform current patient portal users are in discussion. One of the options suggested is to send a “blast email” to the patients who are actively using the current patient portal. Notifying by email… Read more »
charles h
Guest
My employer is requiring me to Email my Healthy-You results to some third-party person. Joanna (somebody ) at some Email.com. I have no idea who this person is, and under duress of being charged $900 to pickup additional insurance costs, I am having to consider doing this. Not only do I have to submit this information my children covered under the plan also have to submit it. I have no idea what they are going to do with the information. This information will contain my name, and test results. I also have to access their website and fill out a… Read more »
wpDiscuz