Patient Privacy & Security

You've Got [Secure] Mail: A Guide to HIPAA Compliant Email

Physicians are not prohibited by regulations from using email to communicate with patients, but a HIPAA compliant email is required to ensure privacy.

In our digital healthcare world, HIPAA compliant email is a must for protecting patient privacy and adhering to the law. Accomplishing this goal can be a minefield of IT and budgetary constraints. What should doctors take into consideration when composing a HIPAA compliant email?

Does HIPAA Allow Electronic Communications by Email?

HIPAA regulations require protected health information (PHI) to be safeguarded both in transit and at rest. The U.S. Department of Health and Human Services (HHS) specifically states that email communications between a physician and patient for the purposes of treatment are allowed. The rules require that healthcare providers "apply reasonable safeguards when doing so." As long as messages do not contain protected health information, the government does not require that email communications be encrypted. When protected health information is involved, however, the communication must meet the security requirements.

The regulations also allow physicians to consult with other providers or third-party payers by email, as long as reasonable safeguards are applied to the communications.

Encryption Explainer

Encryption scrambles data so that, even if it is intercepted, it cannot be read without the key. When someone sends an encrypted email, only the intended recipient named in the "to" line can open it. In the same vein, secure networks encrypt the data they transmit, while unsecured networks don't.

Devices may also be encrypted, so the information on them is unlocked only with the appropriate passcode or key and cannot otherwise be accessed. Devices that access secure information should always be encrypted, since they are a front door to those networks. For example, a physician's smartphone can be used to access a cloud-based image repository; if an unencrypted phone is lost, that image library of patient records is open to whoever is holding the phone.

Internal Email Messages Versus External Messages

If a practice's email system is self-contained (the mail server sits on the practice's own network) and lies behind a secure firewall, the messages are automatically compliant; they never leave the entity. When messages pass outside this firewall, however, they need to be protected.

Some email programs offer easy encryption with just the push of a button or by typing the word "private" in the subject line. Practices must put systems in place to ensure that these methods are used when communicating PHI outside of the practice.

Encryption Cannot Avoid Human Error

The best encryption program in the world cannot overcome simple human error. An email addressed to the wrong person, even if encrypted, is a HIPAA violation, since the recipient is receiving someone else's protected information. Oxford Academic (OA) suggests using only the minimum protected health information necessary to communicate the message effectively, and avoiding PHI in the subject line. OA also provides an "Email Template for Transmission of PHI" that can be useful in deciding when to use email and what content is acceptable. Physicians should avoid sending highly sensitive information (such as HIV test results or information about drug abuse), and should never use email unless the patient has agreed to this method of communication. Most importantly, the sender should always double-check the accuracy of the recipient's email address.
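The two controls above (push-button encryption for PHI leaving the practice, and keeping PHI out of the subject line while checking the recipient address) can be enforced by an outbound policy check before a message is sent. The following is an added example written for this guide, not code from the article or any vendor; the practice domain, the PHI subject patterns and the "private" keyword trigger are assumptions and would be replaced by a practice's own rules.

```python
import re
from dataclasses import dataclass

# Assumed practice domain (placeholder, not from the article).
PRACTICE_DOMAIN = "example-practice.test"

# Constructed, deliberately simple markers of PHI in a subject line.
# A real deployment would use the practice's own data-loss-prevention rules.
PHI_SUBJECT_PATTERNS = [
    re.compile(r"\bMRN\s*#?\s*\d+", re.I),                 # medical record number
    re.compile(r"\b(diagnosis|lab results?|test results?|HIV)\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped number
]
ADDRESS_SHAPE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    contains_phi: bool   # flagged by the sender or an upstream classifier
    encrypted: bool = False

def is_internal(address):
    """A recipient is internal when its domain is the practice's own domain."""
    return address.lower().rsplit("@", 1)[-1] == PRACTICE_DOMAIN

def check_outbound(msg):
    """Return policy findings; an empty list means the message may be sent."""
    findings = []
    # The "private" subject keyword is the push-button encryption trigger
    # the article describes; treat it as equivalent to explicit encryption.
    will_encrypt = msg.encrypted or msg.subject.strip().lower().startswith("private")
    if any(p.search(msg.subject) for p in PHI_SUBJECT_PATTERNS):
        findings.append("subject line appears to contain PHI")
    external = [r for r in msg.recipients if not is_internal(r)]
    if msg.contains_phi and external and not will_encrypt:
        findings.append("PHI to external recipient(s) without encryption: " + ", ".join(external))
    for r in msg.recipients:
        if not ADDRESS_SHAPE.fullmatch(r):
            findings.append("malformed recipient address: " + r)
    return findings
```

Internal-only messages pass unchanged, matching the article's point that mail which never leaves the practice needs no extra transport protection, while PHI addressed outside the domain is blocked unless the encryption trigger is present.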

For various reasons, a patient may request that a particular communication, test result or copy of records be transmitted by unencrypted means. The law allows the provider to comply with this request, but only after warning the patient that the communication could be intercepted and read by an unknown third party. If the patient accepts this risk, the provider is compelled to comply with the request.

Finally, practices must ask patients which method of communication they prefer, since not all people will want email communications. If HIPAA compliant emails are acceptable, they should be encrypted and sent from encrypted devices.

Federal privacy regulations protect patients from a variety of dangers, such as the embarrassment of their health conditions becoming known, unscrupulous insurance practices and identity theft. HIPAA compliant emails are a small piece of any medical practice's overall security picture, but mishandled email represents a real threat to both the patient and the practice. Violations in healthcare security put patients at risk and chip away at overall trust in the medical system. Practices should review their privacy safeguards, including how they write HIPAA compliant emails, on a regular basis to ensure continuing security for their most important asset: their patients.