Q: A patient has requested that I communicate with them and send protected health information (PHI) through email. Can I use unsecure email to communicate with a patient?
A: Yes, you can use unsecured email, but there are some risks involved.
The Health Insurance Portability and Accountability Act does not prohibit using email to send a patient his or her PHI, nor does it require you to use encrypted email. A patient and a psychologist can communicate via unsecured and unencrypted email, or other methods, as long as the patient has been fully informed of, and has accepted, the risks associated with using such unsecured communication.
If you choose to communicate with your patients via unsecured email, be sure to:
- Explain the risks. Inform your patients that emails can be intercepted during transmission, and that unencrypted messages (and any attachments) can be read, and potentially copied and forwarded, by anyone who obtains them. Unencrypted emails can also be easily viewed by someone other than the recipient if, for example, the patient accesses their messages on a shared smartphone or tablet. Discuss these potential risks and document your patients’ agreement to communicate using an unsecured email platform.
- Manage your email protocols to protect patients’ PHI. If you use unsecured email, consider limiting email communications to administrative matters, such as appointment reminders or preappointment paperwork. Eliminate full names from your emails. When replying to an email sent by the patient, do not include the original message in your response. Also, double-check the email address of the intended recipient to ensure the message is going to the correct person. For example, don’t rely on the “auto-fill” function when typing a name or email address into a new message draft. Make sure the message is going to Jane Doe, not Joseph Doe.
- Consider encryption. Although HIPAA does not mandate that you use encrypted email with patients, encryption is the best defense against a data breach. Encrypting your email provides an extra level of security. Encrypted messages are not readable without the appropriate password (or key), which is a unique code provided to the intended recipient. Encryption also provides protection in the event an email is accidentally sent to the wrong person, or your email account is breached or someone attempts to hack it. If you want to use encryption, look for an email provider that offers end-to-end encryption and that will sign a business associate agreement. There is generally a cost associated with encrypted email products; however, the most expensive product is not necessarily the best one for your practice.
The HIPAA-level encrypted email providers that continue to get positive reviews from users are (in no specific order): Aspida Mail, Hushmail for Healthcare, Microsoft Office 360, PauBox and Virtue. APA does not endorse products. You should do your own research and determine the product that best suits your practice’s needs.
While APA recommends that practitioners encrypt their emails, your patients are not required to do the same. Your patients can send you unencrypted emails and you incur no liability. You are required, however, to comply with HIPAA and state recordkeeping and patient privacy/confidentiality laws when storing the personal information and PHI contained in those emails.
- Document your decisions. HIPAA requires all health-care providers to evaluate and document their responsibilities and decision-making process when using technology, including email, in their practices. If you choose to skip encryption, document your decision to show that you considered the risks of, and alternatives to, using unsecured email; explain why you decided not to use encrypted email; and detail how you have implemented other policies to protect patients’ PHI. Your patients can waive the use of encrypted email, but they need to be informed of, and then accept, the potential risks of doing so, and you need to document their decisions.