HIPAA and Email: there are rules

Part one of a two part series on HIPAA and email.

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email, and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • considering using, or
  • being asked to use,

email to communicate with patients about their medical conditions. If you find yourself described here, then it bears repeating that the Internet, and things like email sent over the Internet, are not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed. And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc. But what is considered reasonable? The Office for Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page. Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes protected health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.

HIPAA and email continued …

So how should healthcare providers ensure they’re using HIPAA compliant email? I’ll cover that in Part II of this series. Stay tuned.

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.

228 Comments on "HIPAA and Email: there are rules"

Ryan Thomas Neace, MA, LPC, NCCC
So… In light of all this, I have a question regarding HIPAA compliant email protocol for a clinical counseling practice. In communications with our phone answering service, they will often email us to let us know our clients have scheduled appointments using abbreviated names. For example, for “Bobby Howard” they might say, “Bobby Ho called today and scheduled an appointment for DD/YY at XX pm.” It’s terribly confusing to me, especially given that we might have a client actually named “Bobby Ho”! So, can client full first and last names be used? If not, I think a preferable alternative would be… Read more »

do you have any suggestions of some HIPAA compliant email services?


I have an ex-spouse who is trying to have emails I send to my son’s therapist forwarded to him. These emails are very private and include information about how his day/week went and my own personal concerns about situations.
It’s obvious this is an issue of control and I’m aware of HIPAA. When it comes to my emails to the therapist, does my ex-husband have access to them or do they remain private?


Can a pediatric practice email or fax vaccine records to parent of patient without written consent?


I just received an email from my ob/gyn about a health fair they are having. I can see the names of all recipients of the email. Is this a violation?

Shanin Smith

I recently received email correspondence from a government body with a different person’s name and address. Is this still considered a violation of HIPAA?

Barbara Dorry

Is it PHI under HIPAA if a patient’s name is included in an email regarding a) a check that was received by a practice or b) a bounced check paid to the practice by a patient?

Suzanne Knepp
My employer plans to replace a patient portal product in the future. The patient portal allows the patient to send secure messages to their care provider as well as view lab results, renew prescriptions and schedule appointments. With the current patient portal, the patient’s email address is collected and stored as demographic data. When it comes time to bring the new patient portal on line, methods to inform current patient portal users are in discussion. One of the options suggested is to send a “blast email” to the patients who are actively using the current patient portal. Notifying by email… Read more »
charles h
My employer is requiring me to email my Healthy-You results to some third-party person, Joanna (somebody) at some Email.com. I have no idea who this person is, and under duress of being charged $900 to pick up additional insurance costs, I am having to consider doing this. Not only do I have to submit this information, my children covered under the plan also have to submit it. I have no idea what they are going to do with the information. This information will contain my name and test results. I also have to access their website and fill out a… Read more »
Crystal D.

I am finding that, even after attending a HIPAA webinar, the e-mail rules are not the clearest. My specific question is, would it be okay to send e-mails using Microsoft Outlook/Outlook Web App, within our organization, including the first initial, last name, and DOS? For example, “Can you please fax the report from J. Doe’s 01/01/0001 visit to the insurance?” If not, what amount of information would be acceptable to send from one individual to another, within our organization, only?



We are testing our care portal. So, to remind patients to access their portal for an upcoming appointment, can we send an email from Microsoft Office 365 (HIPAA compliant) to the patient with a notice to check our care portal for “a secure announcement”? Also put the disclaimer and warning at the bottom that they should share only minimal ePHI and are encouraged to use the portal to send secure messages back to our office rather than replying to our care portal email. What do you think?


Is it a violation if you email a co-worker a patient refund request? It would include patient name and address and the dollar amount?


We are in the process of updating our policy regarding mailing medical records to authorized parties, i.e., insurance, auditors, etc. I’m having difficulty finding information on emailing an entire record (encrypted). Am not necessarily seeing anything prohibiting the use of encrypted email to send patient records. But I’m not really seeing anything addressing the complete record either. Thank you very much

In my pediatric practice we use a secure patient portal and we just started using constant contact to send newsletter type regular emails to our patients that contain no PHI. My Partner just received a “Happy Birthday” email from his car dealership on his Birthday. He would like to send “Happy Birthday” emails via Constant Contact to all our patients as their birthdays come up as a nice gesture and a subtle reminder to make an appointment for their yearly visit if they have not made one already. If these insecure emails go out with a first name and no… Read more »
Mary Lou

I just requested a billing company send me a full statement of services, not just the total bill. I asked that it be emailed. She refused citing HIPAA. I said I would send an email authorizing this email and releasing them. I was told this is not allowed under HIPAA. This seems foolish. My bill, my services, my consent. What’s the problem? True or another “we can’t do anything because of HIPAA” excuse?


Mary Lou

Thank you very much for offering your opinion. I appreciate it!

If a person accidentally emails a spreadsheet to a non-corporate mailing list containing information of a community clinic program (like a Yoga class) associated with a hospital department with names, addresses, phone numbers, age, a diagnosis (not codes – just words – spinal, cva right side), and payment status (no other financial info)? The names could be former patients or community members involved in the program. There is no identifier stating they were or were not a patient of the hospital, just that they did or did not pay for participation in the clinic program. We consider them clients of… Read more »
Hester Davies
Hi. I am trying to firm up our email policy for the interim period before we are able to invest in an encrypted email system that will be internal to a new portal system for our organization. We need to be able to email a prescription medication name and some type of identifier for the patient in order to clarify a prescription order for that patient. We only communicate by email with providers – not patients. In your response to Crystal D in #10 above, you suggest using an account number instead of a patient name to communicate with patients… Read more »

What if the info is a PDF with just a first name and room number and details about the status of the patient?

Hello, My wife is participating in a clinical study. The lead investigator sent an email communication to the study participants and my wife’s and the other e-mail addresses are all visible to the other recipients and other investigators and physicians. At least my wife’s, and it appears that many of the other e-mail addresses contain first initial and last name information. Your thoughts would be appreciated. Thank you. Here is the text of the e-mail with my redactions: “Dear participants: I am writing to stress your obligation to be at XXXXXX Care Center on the scheduled time and date (something… Read more »
Pamela O

I am not sure if you can answer this, but my question is, now that there are smartphones, I had a patient send in a picture of their Rx for medical equipment. Do you think this is acceptable?

At first, I thought absolutely not, but then I thought about how Rx are faxed every day; is there a difference?

What are your thoughts or do you know where I can get an answer?
Thank you.

Michael R

An email sent through the encrypted email network of the hospital from one student to another containing patient last name and room number?


We use gmail for our inter-office communication. We have a password protected firewall associated with our office computer system. Can we supply patient first name, last name and DOS if we are trying to convey a message between each other. Some of our therapists do not have access to our system with the account numbers of our patients.


Please advise the HIPAA compliance requirements regarding emailing patient x-rays via a non-encrypted email service…to either another dentist or the patient in question.


I am newly married. I work for a group of kidney specialists. I requested to have my email name updated with my new name and was told HIPAA requires it remain the same for tracking purposes. Can you tell me where I can find information on this?

I have a medical office and my email was hacked by an ex-spouse. I have communication with patients on that email as well as with my attorney. The ex-spouse claims that they were given the password to use. That is absurd and I never gave it to them especially since this is a different email address that I started three months after our divorce. I have contacted state police who got information from Microsoft and the ex’s place of employment servers tracking her IP address to the email account and they have contacted the prosecutor but he is wavering from… Read more »
I work in a counseling office. I get clients who quite regularly request me to email them with dates and times available for an appointment with a particular counselor or want to know when their appt. with “xxxxx” is. They also request I confirm their appt. by email rather than by phone confirmation. I always throw the HIPAA regs. at them stating we cannot discuss PHI via emails. Are we legally able to adopt a policy for our business such as this? A policy that states: Our office does not handle appointment confirmations, scheduling or canceling via email due… Read more »
(Hope this an appropriate question for the forum) As a BA, we are developing a new registration process for clients to use our services. When a new client registers they must create a login name and password. The common practice we see is, a new user uses their email address as a login name. Here’s the concern, small practices use free email services like Yahoo, Gmail, etc. and we are concerned about the security of an email address as a login name. Would it be more HIPAA compliant to require them to use something other than an email address as… Read more »
My web host (Bluehost) does not sign BAAs for the HTTPS secure websites on their server and they do not guarantee HIPAA/HITECH compliance with a HTTPS. I have a private dedicated server on Bluehost that hosts my HTTPS website. I would like my employees and physicians to enter ePHI into an online form, excluding the patient’s name. The identifier will be a medical record number from the billing company. This information is stored on the website and accessed directly, none of the ePHI (surgeon, anesthesiologist, time, ICD, CPT, quality data, etc.) is ever emailed or leaves the website storage on… Read more »

Hello –

If we have a patient who has recently changed their phone number and we are unable to reach them via phone but we do have their email address, would it be permissible to email them to contact us to update their phone number even if we have not obtained their permission to email them? Would this be part of “healthcare operations,” or would it be considered a HIPAA violation?

Vince DiFrancia

I have a medical condition that requires me to find a donor for transplant. I want my personnel group to send a mass e-mail describing my condition and will absolve them from HIPAA laws. Are there any canned forms in PA for absolving employers from distributing these types of e-mails where the employee is asking for help?

Gina Consolini R.N.

Excellent site, very helpful

I’ve had problems with the billing dept. at my doctor’s office. First they yelled out my current bill information to an entire waiting area & had patients complain about how it was handled. Secondly they emailed me and copied multiple people in their office including my doctor, which has now impacted our relationship. This was part of the email: It was brought to my attention that you had another visit with Dr. ******* on 2/10/2015 in our (specific) office and you could only afford to pay $5.00 toward your past due balance of $191.56. As I stated to you on… Read more »

I was sent a rude email from my job regarding a patient’s insurance that was inactive. The insurance was Medicare. If you’re familiar with Medicare you would be aware that it states the patient’s social security number on it. To be “precise and smart” she then sent me a copy of the patient’s Medicare card. It wasn’t even an attachment. It was a copy printed in the email and I believe his DOB was in this email as well and his full name. Is that not against HIPAA? From my understanding internet use is not secure.


Can a probation department in Texas send medical information electronically to an Intermediate Sanctions Facility without violating HIPAA law?


I work for a government medical facility. Recently one of our supervisors sent out an email to educate staff on a certain procedure of calling the MD when a patient has been admitted to an off-site facility. The email was not encrypted, and contained the patient’s name, identifying government patient number, housing, procedure done and date of procedure. Would this be considered a HIPAA violation?


Our company uses Outlook with Office 365. When sending shift reports, is it compliant to give first name and medication name and dose? The email is going out to an all-staff group on the email.

Our office has a lot of problems with patients not showing up for their scheduled appointments. Would it be a HIPAA violation to send an email to a patient regarding their missed appointment? It would only have their first name and would state that they missed their appointment and that a “no show” fee would be posted to their account. It would not have the date of the appointment or any other personal info. Also, would it be a HIPAA violation to send an email to a patient letting them know that they have a balance in our office and… Read more »
Tawnia G

Question. The VA is now using a program called MyHealtheVet. It allows Veteran patients to view certain medical information, and allows the Veterans to communicate with their provider/nursing team. My concern is that a non-medical MyHealtheVet representative is able to actually view the email communication – they tout the reason to be able to do so to ensure that the patient’s medical team receiving the message has acted upon it. Is this a form of a HIPAA violation? I’m not comfortable knowing that someone other than who I send the message to can possibly see it.

I will need to communicate via email with our clinical staff who are offsite. We do not have an encrypted system so we are thinking about using patient initials when discussing health information. In review of the above comments, I’m thinking even just initials would be a violation and it might be better to come up with a numbered identifier when communicating via email between clinicians. As far as I’ve read, when communicating with clients about PHI via emails, it would be acceptable if they are fully aware the system is not encrypted and have signed a statement to that… Read more »
Our small Physical Therapy practice has started sending out our New Patient Forms via email after asking them on the phone if they would like to have them sent via email to save them the time of having to fill them out after they arrive for their first visit… which can be a slow process for some people as there are 5 or 6 forms. We ask that they bring them in with them, and we don’t use the last name in the email. The forms are blank of course, but some of them are geared towards specific diagnoses, i.e. a… Read more »
Virgil Franklin

I am a member of a homeowners association and on occasion, I receive e-mail from our governing board, in bulk form. Everyone in the association receives the same information. My question is would the laws regarding e-mailing be violated if members responded by using the “Reply to All” button? In that instance, everyone who received the original e-mail would see the response.

Kent Bakken
Here is my question. I am a Remote Paramedic in Alaska working in the fishing industry. We use a Physician resource group out of Seattle, WA for Medical control and Medical consult for any procedures above the standard paramedic level of training (sutures, etc.) or any Rx medications (antibiotics for infections, etc.). However, I am in a rather heated debate with the medical provider over the transmission of HPI. The company I work for has a secure internal server and the medical physician group has a secure internal server; however, if I send an email outside of our internal users then… Read more »

My dental provider sent out a mass email to all patients in his practice “advertising” his new non-dental related business. Is this a HIPAA Violation if so where can I find the laws on this? He did violate the doctor/patient relationship, I just want to know if there is any legal recourse.

Bob Leary

Are consumers allowed to substantiate FSA claim receipts via unsecured email with their FSA claims administrator? I’ve had different experiences with different providers.

Some allow email of receipts; some tell me it can only be faxed because email is a HIPAA violation.

Can a statement or ledger of charges I incurred at a Dr’s office be emailed to me… when I request it? I wanted to see charges from one day, itemized out (needed it for a flex card inquiry). I asked that they email it to me. He stated that due to HIPAA they cannot email it, but they can fax it or mail it. At my office the faxes come into an Admin Room where others can see the fax, print the fax, read the fax; everything is there for all to see. (It is not medical info per se but because of the… Read more »
Jim, we correspond with the billing office, part of our organization, and send internal encounter numbers in the subject line. This encounter number is associated with the patient’s visit for the date of service we are referring to. Our Compliance Officer just informed me that we are in HIPAA violation. This is really the first time that I have heard of this and wondered where it came from. Hence, I found your site. Could you give me the HIPAA violation we are committing so that I can send out an e-mail to our billing office? We thought we had a fail-safe… Read more »

I wasn’t able to read each entry in this string, so I apologize if it’s been previously covered. My question involves medical record requests.

Our practice frequently sends entire medical records to our patients’ attorneys. The requesting attorneys always send a release with their requests, except for the cases of workers’ comp requests, which they claim is not legally bound by HIPAA regulations.

Can medical records be sent via email, if all of the prescribed precautions and privacy measures are adhered to?

Jim, we are implementing a new system, but in order to communicate with some of our own employees from the system we would not have secure email as we do within our own system. My question is what information can I use to notify a dept. that I need a record scanned, or a status changed, or a denial was issued? I know I cannot use the name, but can I use the hospital stay number (acct number) all by itself, or would that number be considered a HIPAA violation even if it is not coupled with any medical info?… Read more »

We outsource our billing. The billing company occasionally emails us patient names and dates of service when they need additional info to submit the charge. HIPAA breach?