HIPAA Compliant Email: some proactive strategies


Part two of a two-part series on HIPAA and Email

In Part I of this post, we reviewed some of the statements that the Office of Civil Rights (OCR), the Privacy Rule enforcers, include in their online FAQs relevant to HIPAA and email rules.  And now that we’ve got a better understanding of those rules,  let’s explore how medical practices and other providers can ensure they’re using HIPAA compliant email.  After all, knowing the rules is one thing … but putting them into practice is what’s going to keep you and your healthcare organization out of trouble.  So let’s explore some strategies to make sure that happens.


5 strategies for achieving HIPAA compliant email

Like so many other things with HIPAA compliance, there’s not one, singular answer that addresses the question of what constitutes HIPAA compliant email.  However, the options addressed below represent a collection of first-line strategies that go a long way toward addressing HIPAA email regulations.

  1. Be the expert on the topic of HIPAA compliant email on behalf of your patients.  This means making sure you have appropriate notices visible, both online and in the real world, warning patients about the potential security risks of transmitting protected health information (PHI) using email over the non-secure portion of the Internet.  For instance, many practices include a page for submitting questions to the office via email.  Consider posting a statement that warns about security prominently on that page, such as:
  • “Please keep in mind that communications via email over the internet are not secure.  Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by other parties besides the person to whom it is addressed.
  • Please do not include personal identifying information such as your birth date, or personal medical information, in any emails you send to us.  No one can diagnose your condition from email or other written communications, and communication via our website cannot replace the relationship you have with a physician or another healthcare practitioner.”
  2. Document the patient’s consent to receive communication by email.  Don’t assume that because your patient sent an email requesting or sharing PHI, he or she understands the risks of sending or receiving such emails.  Consider using a form like this “Emergency Contact Sheet” to document the patient’s preferences in many areas.  If you’re using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices.
  3. Use an EHR system with a patient portal function.  If you’re using an EHR system with a patient portal function, encourage patients to use the portal’s capabilities for secure communications.  Most portals use secure channels for the information available via the portal, but make sure the vendor certifies that to you – and then test it yourself prior to encouraging patients to use it.
  4. Consider signing up for a secure, HIPAA compliant email application.  If you must use email to communicate with patients, a secure email application will protect your communications by using secure channels to send those emails.
  5. Manually encrypt transmitted files.  If you don’t have a patient portal and don’t want to use a secure, HIPAA compliant email application, avoid including PHI in the text of the email, and encrypt any files containing PHI that you are sending to patients.


Use HIPAA compliant email practices … sleep well at night

It is not far-fetched to think that one of these days the OCR, while investigating a complaint from a patient about a privacy violation, determines that a provider was disclosing PHI when communicating via email with a patient; that every such email constituted an unauthorized disclosure – a breach; and that every such email to any patient was likewise a breach.  It might not take long to get to a breach involving more than 500 patients, with all the attendant notices to the media and reports to the Secretary of HHS that would entail.

Don’t be the practice or provider that finds itself in that unenviable position, simply because you didn’t pay enough attention to establishing HIPAA compliant email with your patients!

Email will be around for a while, in healthcare and so many other areas of our lives.  It’s a great tool, but like any tool, must be respected for its power – both for communications we want and for the potential to disclose information we want to be kept private.

Using email in healthcare requires more effort and safeguards than in other areas, but it certainly is possible to mix the two.



Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.
