Memo: use of email by healthcare providers to discuss health issues and treatment with patients

From Health and Human Services

“Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

“Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

Patient Consent

Communicating with a patient via email is subject to the patient’s consent to be communicated with through that channel. If appropriate procedures are in place regarding email collection, the act of the patient providing that email address to the provider can be considered tacit consent.

Patients may initiate communications with a provider using email. If this situation occurs, the health care provider can assume that email communications are acceptable to the individual, unless the patient has explicitly stated otherwise. If the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.

Taking email address from public lists or spam lists is never acceptable.

Electronic Communication

The HIPAA Privacy Rule does allow covered healthcare providers to communicate electronically, such as through email, with their patients. This assumes that reasonable safeguards are applied when doing so. (45 C.F.R. § 164.530(c))

Certain precautions must be taken when using email to avoid unintentional disclosures. Precautions such as ensuring the accuracy of an email address before sending or sending an email alert to the patient for address confirmation prior to sending the message that contains protected health information are important.

Further, while the Privacy Rule does not prohibit the use of unencrypted email for treatment-related communications between healthcare providers and patients, other safeguards should be applied to reasonably protect privacy. These safeguards might include limiting the amount or type of information disclosed through unencrypted email. These safeguards can be addressed through appropriately drafted policies and procedures.

Patient Portal

Always try to encourage patients to use the patient portal when possible. This should be considered the prefered method of communication between patient and provider.

Disclaimer

When communicating by email, it is a best-practice to include appropriate disclaimers. The best method for ensuring the inclusion is to incorporate the disclaimer as a footer below the signature line, thus guaranteeing that the disclaimer is included on every email.

Summary

Yes, email is an acceptable method of communication for healthcare providers, as long as the patient approves of using email for this purpose. Approval can be as simple as asking for the patient’s email address to use for sending forms. If the patient provides the address, this can be considered tacit consent. Always document these actions in policies and procedures.

Communication via the patient portal should be the preferred method of communication.

Warn the patient that email is an inherently insecure method of communication. Do this when the patient requests to be contacted through email and again in the initial email.

This article contains direct quotes and information from the United States Department of Health and Human Services.

“Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?”. United States Department of Health and Human Services. Retrieved September 6, 2018.