Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
Answer from HHS written in 2008
Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply “reasonable safeguards” when doing so.
Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements.
An individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable.
If the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
Answer from Edie in 2015
Yes, you may still send PHI via unencrypted email to your patient. Yes, you must give the patient the right to choose other ways of communicating in writing and explain to them the risks if you feel they may not understand.
That being said, since 2008 things have changed. We know there are more and more cyber breaches, emails are more easily hacked and the risks are greater, etc.
Everything said by HHS above is still true. The question is what, in 2015, is considered “reasonable safeguards?” You get to define “reasonable safeguards” when taking action, but HHS gets to define “reasonable safeguards” when responding to a complaint made by your patient when their information was breached.
Even though you still do not have to encrypt emails, there is no better or more secure way to safeguard your patients’ PHI when communicating by email.
Make the change to an encrypted email delivery service such as sendinc.com. For $5.00 a month you can apply “reasonable safeguards” of PHI from unintentional disclosure. HHS says any encryption is considered the most highly effective way to protect your patient’s health information.
Also, always check the email address entered and send a test email to your patient to be sure their email address is correct. Ask them for a verification reply.
Then, to be doubly sure everything is secure, put a password on the files being sent. Most files can be encrypted with a password. This is very easily done in Microsoft Word. Use a password that you and the person receiving the information would know, such as: date of birth, last four digits of their insurance number, the name of the street they live on, etc. Write that into the instructions in the email.
The definition of “reasonable safeguards” is changing and it is up to you to protect your patients’ health information in the best way possible.
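The second answer recommends putting a password on an attachment before it is emailed. The program below is an added example, not code from the page, from HHS or from Edie, of what "password-protecting a file" means underneath: the password is stretched with a salted, iterated key derivation (PBKDF2-HMAC-SHA-256, written out so only the Go standard library is needed) into an AES-256-GCM key, and the file is encrypted and integrity-protected with that key. The file layout (16-byte salt, 12-byte nonce, then ciphertext and tag) and the function names are this example's own assumptions, and the sample attachment is constructed. Two points a practitioner should take from it: a wrong password is rejected outright because the authentication tag fails, and the key derivation only slows guessing, so a secret drawn from a few thousand possibilities (a date of birth, four digits of an insurance number) can still be enumerated by anyone who obtains the file; a password shared over a separate channel such as the telephone, which the HHS answer already lists as an alternative means of communication, is a better fit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed file layout for this example: salt || nonce || AES-GCM ciphertext+tag.
const (
	saltLen   = 16
	nonceLen  = 12
	keyLen    = 32     // AES-256
	kdfRounds = 600000 // PBKDF2 iteration count
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256, written out here
// so the example runs with the standard library alone.
func pbkdf2SHA256(password, salt []byte, rounds, outLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	ctr := make([]byte, 4)
	for block := 1; len(out) < outLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < rounds; i++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// newAEAD derives the file key from the password and salt and wraps it in AES-GCM.
func newAEAD(password string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(password), salt, kdfRounds, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAttachment encrypts plaintext under password with a fresh salt and nonce.
func sealAttachment(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// openAttachment reverses sealAttachment; a wrong password or any modification
// of the file makes the GCM tag check fail and returns an error.
func openAttachment(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("file too short to be a sealed attachment")
	}
	salt := blob[:saltLen]
	nonce := blob[saltLen : saltLen+nonceLen]
	aead, err := newAEAD(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, blob[saltLen+nonceLen:], nil)
	if err != nil {
		return nil, errors.New("wrong password or file has been altered")
	}
	return pt, nil
}

func main() {
	// Constructed sample attachment; not real patient data.
	attachment := []byte("Visit summary (sample): follow-up in two weeks.")
	blob, err := sealAttachment("shared-by-telephone-passphrase", attachment)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d bytes\n", len(attachment), len(blob))
	if _, err := openAttachment("01-01-1970", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	pt, _ := openAttachment("shared-by-telephone-passphrase", blob)
	fmt.Printf("recovered: %s\n", pt)
}
```

Because the salt and nonce are random per file, sealing the same attachment twice yields different blobs, and decryption recovers the plaintext only when both the password and the file are intact.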