Risk Reduction Resources

Unsecured Email and Patient Communication

Using Email for Patient Communication

Medical Mutual does not recommend communicating with patients by unencrypted email. However, under the Privacy Rule (45 C.F.R. § 164.522(b)), individuals have the right to request communication by alternative means. HHS states, “a health care provider should accommodate an individual’s request to receive appointment reminders via email, rather than on a postcard, if email is a reasonable, alternative means for that provider to communicate with the patient.”

Suggestions to Mitigate Risk

If a patient requests unsecured email as an option, you should still take certain precautions when using email to avoid unintentional disclosures.

  • Check the email address for accuracy before sending. Do not rely on an auto-fill option.
  • Send an email alert to the patient for address confirmation before sending the message.
  • Try to limit the amount or type of information disclosed through the unencrypted email.
  • Inform the patient of possible risks of using unencrypted email, such as:
    • Emails can be intercepted during transmission.
    • Unencrypted messages (and any attachments) can be read, and potentially copied and forwarded, by anyone.
    • Unencrypted emails can be easily viewed by someone other than the recipient.
  • Ensure that your responses are professional and appropriate. Use plain language and avoid overfamiliarity.
  • Have a general inbox for email communication with patients to ensure a timely response.
  • Ensure all communication with patients through email is documented in the medical record.

Unsecured email should never be your default; use it only when the patient specifically requests it. Medical Mutual recommends using a patient portal. See our tip Using Patient Portals to Promote Patient Communication for more information.

References:

HHS.gov: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients? Accessed on 8/5/2020:

Larson, S. (June 2019). Legal Corner: Using unsecure email—The risks associated with using unencrypted emails to communicate with your patients. American Psychological Association. https://www.apaservices.org/practice/business/hipaa/using-unsecure-email

Medical Mutual Insurance Company of Maine's risk management resources are offered only as references for informational purposes. They are not intended to establish practice standards or take the place of medical judgment or legal advice. Medical Mutual recommends you consult with your medical staff leadership and a qualified attorney for any specific application to your practice. No risk management resource provided by Medical Mutual is intended to affect the applicability, scope, or limit of your liability insurance coverage or to otherwise amend or add to the terms and conditions stated expressly in the liability insurance policy issued to the identified policyholder for the applicable policy year.