Let’s face it—the Health Insurance Portability and Accountability Act (HIPAA) isn’t the easiest piece of legislation for medical providers to wrap their heads around. Not only is it incredibly dense, but the act itself doesn’t always provide clear standards on how to achieve compliance (and thus avoid costly HIPAA violations). This is why we’ve attempted to cover many of the HIPAA bases in previously published blog posts and guides.
However, given its complexity, we continue to receive our fair share of questions about HIPAA, two of which come up far more often than the rest:
- Can I email a patient?
- Can I respond to a patient email?
So, let’s dig in!
Can you email a patient?
By all means, yes. HIPAA rules and regulations do not prohibit a healthcare provider from emailing a patient, as long as reasonable administrative, technical, and physical safeguards are in place and being used correctly. What exactly does this mean? Let me explain.
Email Best Practices
The best practice for emailing a patient where protected health information (PHI) is involved is to:
- Obtain consent from the patient; and
- Use an encryption solution to email the information.
To the first point, patient consent can be acquired during patient intake. This can be as simple as adding one or two sentences to your clinic’s intake form in which the patient states that email is an acceptable form of communication. If the patient instead chooses an alternative means of communication (e.g., text or telephone), then the patient’s preference should be honored.
Another option is to state in the consent signed by the patient that any email communication (from a provider or any other individual) is at risk of being compromised, and that the patient understands and accepts these risks. This approach works like a prenuptial agreement—the patient accepts the risks!
To the second point, encryption solutions are available from a number of sources. If encryption is not available, you may still email a patient as long as other reasonable administrative, physical, and technical safeguards are used. The Office of Civil Rights (“OCR”) states that these safeguards may include, “…checking the email address before sending, or sending an email alert for address confirmation prior to sending the message.”
In addition to implementing these safeguards when encryption isn’t an option, you should also limit the PHI disclosed in the email to the minimum necessary.
Can I respond to a patient email?
The answer to this is another resounding “yes!” If a patient emails a provider, then the patient has implicitly consented to the use of email communications, unless they state otherwise. The best practice, though, is to limit the PHI shared in the email and to warn the patient about the risks of sending any PHI of their own via email.
The OCR guidance states that, “[i]f the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”
With that, I’m happy to announce that the case of “to email or not to email” is closed. As long as you properly use the reasonable administrative, technical, and physical safeguards outlined above, you have no reason to fear the wrath of HIPAA.
For any other questions about HIPAA compliance as it pertains to emailing patients, please drop them below and I will do my best to answer them.