Is it possible to email patients in a HIPAA compliant manner? What can and cannot be included in an email to patients? What does HIPAA have to say about it? These questions have long been on the minds of providers as they attempt to navigate towards greater messaging options without opening themselves up to breaches, penalties or fines. Before determining if HIPAA and email can effectively coexist, let’s take a step back and understand what the HIPAA Privacy and Security rules allow.
HIPAA Privacy Rule
Per the Office for Civil Rights (OCR) of the Department of Health and Human Services webpage, “The HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”
OCR then goes on to state if the patient reaches out to a healthcare provider using email, the provider can assume that email communication is acceptable. If the provider feels the patient does not understand the possible risks of using un-encrypted email, the provider should alert the patient and ensure that they want to continue with email communications.
Additionally, the Privacy Rule states that patients have the right to request a provider communicate with them by alternative means if reasonable; “For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.” See 45 C.F.R. § 164.522(b).
HIPAA Security Rule
The HIPAA Security Rule does not prohibit the use of e-mail to send ePHI, however, it does outline some standards to protect and guard the integrity of unauthorized access to ePHI. Sited from the OCR website, “However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”
Recap of the Privacy and Security Standards:
Providers may e-mail patients but they must take precautions.
Should the patient request his/her provider use e-email, the provider must take the necessary steps to ensure the ePHI is protected.
As a standard practice, providers should warn patients about the risks of e-mail communications.
Information shared over an open network increases the likelihood of unauthorized access.
Best Practices for HIPAA Compliant Email
Below is a list of some best practices to ensure compliant e-mail along with adhering to the Privacy and Security Rules:
- Encrypt e-mail messages – If the provider is not using a patient portal or e-mail application, encrypt any/all sent e-mail messages and avoid sending any PHI. Additionally, any attachments (specifically those including PHI) should be encrypted as well.
- Capture each patient’s consent to receive communication by email – Include a communication consent form within the patient on-boarding forms to verify communication preferences and allow patients to opt in or out of e-mail correspondence.
- Utilize a secure, HIPAA compliant email application – There are many email applications and servers designed to offer providers a HIPAA compliant e-mail offering.
- Message patients through an EMR portal – A secure EMR portal is the perfect place to send HIPAA compliant messages to patients. Patients may log in to view appointment reminders, test results and physician/nurse messages without the threat of unsecured e-mail.
We’d Love to Hear From You!
For additional questions/comments on how to approach patient e-mail communication in a secure manner, contact us at firstname.lastname@example.org.
Offering secure e-mail is just one part of a providers responsibility to build a compliant culture for patients and employees. We advise all providers to start by completing a Security Risk Analysis to create a baseline for security. To speak with a member of our sales team, Contact Us.