Ryan McGinty
Ryan McGinty

Unencrypted email and HIPAA

There is a multitude of misinformation concerning communication of PHI with a patient via unencrypted email. Before I go any further, I must disclose: I am not a lawyer. As with all advice related to HIPAA, you should verify your policies and processes with an attorney that understands HIPAA.

What is unencrypted email?

You may or may not realize that the email you likely use on an everyday basis is in absolutely no way secure. The text you type in your email, and any attachments you send with it, can be detected, captured, and viewed by anyone with access to any of the networks involved in the email delivery process. For instance, if you send an email from your office to a patient, here are the networks involved:

  • Your office’s local network
  • Your internet service provider (ISP)
  • Your mail server provider
  • The recipient’s mail server provider
  • The recipient’s ISP
  • The recipient’s local network

As you can see, there is a lot involved when it comes to getting your email from point A to point B. So how easy is it to capture an email? Extremely easy. An individual only needs access to one of the above networks and one of many easy-to-acquire programs that do all the work. For example, any employee inside your office could simply download one of these programs, run it, and get a full list of all emails sent by anyone on the network, complete with the entire contents of each email. It really is that simple.

This inherent insecurity of email is why you should never, ever include important private information in any email (not just those to patients). Social security numbers, bank account information, and credit card numbers are all good examples of things that have no place in unencrypted email.

What does HIPAA say?

What email lacks in security, it makes up for in convenience and proliferation. Most patients have access to email and many prefer it as their communication preference. Thankfully, CMS acknowledges this conundrum and has commented specifically on this situation. Basically, as long as you warn the patient that email communication is not secure and the patient acknowledges, you are free to communicate with the patient via email without fear of the consequences of a PHI breach. Patient acknowledgment can be a simple email waiver form that the patient signs.

What if the patient emails you first?

According to HIPAA, if the patient initiates communication via email “the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.” While this seems clear cut, they go on to say that, if the provider feels the patient doesn’t understand the risks of unencrypted email, they should communicate that to the patient. So, it sounds like it is always a good idea to get an email waiver from patients you plan to communicate with.

What about emails to third parties?

Just because a patient gives you permission to communicate with him/her via email, it does not give permission to exchange information with other parties over an non-secure medium. If you are consulting with a colleague via email, never include the patient’s name or other identifiable information. If this PHI is pertinent to care, make sure to use another medium that is secure instead. This also goes for communication with other entities including insurance companies and even your software vendor. We always tell our customers to only send the unique patient ID, not the patient’s name or demographics.

The best security is awareness

Understanding the degree of security different technologies provide has become a requirement in modern healthcare. The best policy for email communication with patients, or anyone else for that matter, is to assume that someone else might be reading it.