Communicating with patients is an important part of your practice, but you must make sure you follow the HIPAA rules when you do it by email. 

When we talk about communication through email, it falls into three categories: 

  1. FROM the patient
  2. TO the patient
  3. To a Third Party (anyone else other than the patient) 

For communications FROM the patient, the HIPAA Privacy and Security Rules do NOT apply to the patient's act of sending the email, since the patient is not a covered entity. However, as soon as the provider receives the email, any PHI it contains is now in the provider's hands and must be protected by the provider like any other PHI.

For communications TO the patient, the HIPAA Security Rule standards require “certain procedures to restrict access, protect the integrity of and guard against unauthorized access to PHI” (www.hhs.gov/ocr/privacy/hipaa/faq/securityrule). HHS describes these “certain procedures” as “reasonable precautions… equivalent to encryption.” In practice that means the message must be encrypted while it travels to the patient, not just protected on your own system.

The best way to do this is through a secure email system. Examples include:

You can also communicate with the patient through non-secure (unencrypted) email, BUT before you do you are required to inform the patient of:
 
  • The fact that the communication may not be secure, and
  • The potential consequences of that (for example, that the message could be read by someone other than the patient), and 
  • The patient must then confirm they understand the risks and confirm they wish to continue anyway 

The rule does not state how the patient must confirm they understand this, but anything less than a signed, written authorization kept in the patient's record is NOT recommended, because you may later have to show that the patient made an informed choice. See https://www.healthit.gov/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers 

For communications to a third party, there is no exception to the encryption requirement and no express authority for the patient to “waive” these security measures; the patient's consent to unencrypted email covers only messages sent to the patient. Communications to a third party include everyone else – things like emailing orders for glasses, orders for contacts, consults, referral letters, reports, etc. For these communications you must use only secured, encrypted email or a secured patient portal system. 

Protecting your patients' private data also protects you from fines and penalties.