Does HIPAA Prohibit the Sending of ePHI via Email?

The short answer is “No,” but, as with many areas of HIPAA that are not crystal clear, “it depends” and judgment is involved. I’ll draw from an HHS Office for Civil Rights (OCR) publication in providing the long answer. The Privacy Rule allows covered entities to communicate electronically, such as through email, with their patients, including sending electronic protected health information, or “ePHI,” provided they apply reasonable safeguards when doing so.

What are reasonable safeguards? HHS first advises a couple of common-sense precautions that should be taken when using email to avoid unintentional disclosures, such as checking the recipient’s email address for accuracy before sending, or sending a test email to the patient to confirm the address before sending the message that contains the ePHI.

HHS also advises that, while the Privacy Rule does not require the use of encrypted email for treatment-related communications between healthcare providers and patients, other safeguards should be applied to unencrypted emails in order to reasonably protect privacy. For example, senders should limit the amount or type of information disclosed in an unencrypted email. One caveat worth keeping in mind: the Security Rule separately treats encryption of ePHI in transit as an addressable implementation specification, so a covered entity that chooses not to encrypt must still have assessed that choice in its risk analysis and documented why an alternative measure is reasonable.

Lastly, HHS makes a point about individual choice. Under the Privacy Rule, an individual has the right to request that a covered entity communicate with him or her by alternative means or at alternative locations, if reasonable. For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via email rather than on a postcard, if email is a reasonable alternative means for that provider to communicate with the patient.

By the same token, however, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may also initiate communications with a healthcare provider using email. When this happens, the provider can assume (unless the patient has explicitly stated otherwise) that email communication is acceptable to the individual. If the provider believes the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the provider can alert the patient to those risks and let the patient decide whether to continue communicating by email.