Does HIPAA allow email communication with patients?

Mar 27, 2014

So, you’re a health care provider, asking yourself, “Does HIPAA allow me to use email to communicate with my patients?”  Well, the short answer is this: You can use email, but you need to be careful of what you send and who you send it to.

The US Department of Health & Human Services has published an extensive and useful set of guidance documents to help understand HIPAA privacy.  This discussion of email use in patient communication references the section covering the Privacy and Security Framework.

The point of HIPAA regulations is to keep protected health information protected.  A good rule of thumb is to limit the amount and type of information disclosed through unencrypted email.  In other words, only email the personal details that are necessary to deliver your message.

A healthcare provider is allowed to use email and other electronic means to communicate with their patients.  However, they must take reasonable precautions to avoid unintentional disclosures, such as sending an email alert to the patient for address confirmation prior to sending the message.[1]

Additionally, the law does not forbid the use of unencrypted email for treatment-related communications. When emailing about treatment, providers must apply safeguards to reasonably protect privacy, such as limiting the amount or type of information disclosed.  They should also ensure that when they send protected health information, it is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.[2]

Another thing to consider is whether or not the patient wants to be emailed, and what to do if they do not want to be emailed.

If you’ve never been in email contact with a patient, it’s advisable that you take precautions before sending an email, such as sending an email alert to the patient for address confirmation prior to sending the message.  If a patient initiates communication, you can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual.[3]

The law also states that you must accommodate a patient’s request to receive communications of PHI by alternative means or at alternative locations. If a patient tells you they prefer not to receive unencrypted email, you must offer and accommodate other means of communication, such as more secure electronic methods, or mail or telephone.  You must also offer and accommodate requests to use email, if email is a reasonable method of communication for your office to use.[4]

One last note: if you’re concerned about your potential liability, or you feel that your patient may not be aware of the possible risks of using email, you can inform your patient of these risks and let them decide if they would like to continue receiving email.

In summary, it is legal to email your patients, including unencrypted emails containing treatment-related information.  To protect yourself, you should make sure that you take the following steps:

  • Accommodate a patient’s request for preferred method of communication
  • Make sure patients are aware of the possible risks of email communications
  • Confirm your patient’s email address before sending any PHI
  • Only email PHI that is necessary to get your message to the patient

Remember, your mileage may vary, and you should consult your legal counsel regarding the specifics of your practice’s electronic communications.

[1,2,3,4] http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf

Photo: jnatiuk
