Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail [emphasis added]. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated. Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.
Created 12/15/08
Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013
HIPAA, E-mails, and Texts to Patients or Others
(Stanger, 2015) [selected excerpts/summary]
The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to implement certain safeguards when e-mailing or texting electronic protected health information (“e-PHI”) to patients or others.
E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient. (See 45 CFR 164.522(b)). However, the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients . . . The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR 164.530(c)) . . . Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.
Thus, to communicate e-PHI to patients via e-mail or text, the covered entity or business associate has two options:
1. Secure the Transmission. The covered entity or business associate may encrypt the e-PHI and/or use other appropriate means to ensure that the e-PHI is secure . . . (HHS Guide to Privacy and Security of Electronic Health Information at p.31, available at http://www.healthit.gov/providers-professionals/guide-privacy-and-security-electronic-healthinformation).
2. Warn the Patient. If the network or means of communication is not secure and/or the e-PHI is not encrypted, a covered entity or business associate may still communicate with patients via e-mail or text so long as they warn the patient in advance. In its Omnibus Rule commentary, the OCR confirmed: covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. . . . If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.
E-mails and Texts from Patients. The foregoing rules apply to e-mails or texts by the covered entity or business associate to patients [emphasis added]; the same rules do not apply to e-mails or texts from [emphasis added] the patient. “The Security Rule … does not apply to the patient. A patient may send health information to you using email or texting that is not secure. That health information becomes protected by the HIPAA Rules when you receive it.” (OCR Guide at p.31).
Moreover, patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications. (OCR FAQ, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html).
In the wake of the Omnibus Rule commentary quoted above, covered entities and business associates should warn patients of the security risks before responding via unsecure e-mail or text.
E-mails and Texts to Other Providers, Employees or Third Parties. The HIPAA Privacy and Security Rules also apply to e-mails and texts to persons or entities other than patients. Unlike communications with patients, simply warning the third party that the communication may not be secure is not enough.
Thus, although many providers do not think about it, they should generally not communicate e-PHI with their staff or other providers via unencrypted e-mail or text unless they have implemented appropriate safeguards consistent with Security Rule requirements. HHS recently posted the following FAQ for providers:
Question: Can you use texting to communicate health information, even if it is to another provider or professional?
Answer: It depends. Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages.
However, your organization may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices . . .
Conclusion. HIPAA allows covered entities and their business associates to communicate e-PHI with patients via e-mails and texts if either (1) the e-mails and texts are encrypted and/or are otherwise secure; or (2) the covered entity or business associate first warns the patient that the communication is not secure and the patient elects to communicate via unsecure e-mail or text, anyway [emphasis added]. When it comes to communicating with non-patients, the covered entity or business associate must generally ensure that its e-mail or texts comply with relevant Privacy and Security Rule standards.