Provided by:  Jennifer Kirschenbaum, Esq.
March 16, 2017


Hi Jen,

Can I communicate with patients via email and, if so, what privacy steps must I put in place to comply with HIPAA?

Dr. V


Michael Foster, Esq. of K&K's healthcare department has provided today's response:

The short answer is yes. HIPAA’s Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. HIPAA does not prohibit the use of unencrypted e-mail (Gmail, Yahoo Mail) for treatment-related communications; however, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.

Also, you must have patient consent to communicate via e-mail. You can ensure your patients are providing proper consent for uses and disclosures with a proper consent form. A proper consent form would: (i) be in writing; (ii) have the patient provide the e-mail address; (iii) have the patient indicate what content you can disseminate by e-mail; and (iv) incorporate the patient’s right to rescind as required by HIPAA. The HITECH Act, HIPAA, requires each entity with ePHI to have a Security Policy.

HHS also recommends that covered health care providers employ an encryption system to communicate with patients. Encryption is “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 C.F.R. § 164.304. Health data encryption is when a covered entity converts the original form of the information into encoded text. Essentially, the health data is then unreadable unless an individual has the necessary key or code to decrypt it. According to HHS, covered entities can determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.

Additional guidelines on encryption can be found below on HHS’s website.