Unsecured Email and Patient Communication
Using Email for Patient Communication
Unencrypted email with patients is not something Medical Mutual recommends. However, individuals under the Privacy Rule (45 C.F.R. § 164.522(b)) have the right to request communication by alternative means. H.H.S. states, “a health care provider should accommodate an individual’s request to receive appointment reminders via email, rather than on a postcard, if email is a reasonable, alternative means for that provider to communicate with the patient.”
Suggestions to Mitigate Risk
If a patient requests unsecured email as an option, you should still take certain precautions when using email to avoid unintentional disclosures.
- Check the email address for accuracy before sending it. Do not rely on an auto-fill option.
- Send an email alert to the patient for address confirmation before sending the message.
- Try to limit the amount or type of information disclosed through the unencrypted email.
- Inform the patient of possible risks of using unencrypted email, such as:
- Emails can be intercepted during transmission.
- Unencrypted messages (and any attachments) can be read, and potentially copied and forwarded, by anyone.
- Unencrypted emails can be easily viewed by someone other than the recipient.
- Ensure that your responses are professional and appropriate. Use plain language and avoid overfamiliarity.
- Have a general inbox for email communication with patients to ensure a timely response.
- Ensure all communication with patients through email is documented in the medical record.
Unsecured email should never be your default unless the patient specifically requests it. Medical Mutual recommends using a patient portal. See our tip Using Patient Portals to Promote Patient Communication for more information.
HHS.gov: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients? Accessed on 8/5/2020: https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html
Larson, S. (June 2019). Legal Corner: Using unsecure email—The risks associated with using unencrypted emails to communicate with your patients. American Psychological Association. https://www.apaservices.org/practice/business/hipaa/using-unsecure-email
Medical Mutual Insurance Company of Maine's "Practice Tips" are offered as reference information only and are not intended to establish practice standards or serve as legal advice. MMIC recommends you obtain a legal opinion from a qualified attorney for any specific application to your practice.