Is Sending an Email to Patients a HIPAA Violation?

by James Keogh

Generally, sending an email to patients is not a HIPAA violation provided the reason for sending an email containing PHI is permitted by the HIPAA Privacy Rule and provided the email service used for sending an email containing PHI to patients supports HIPAA compliance. However, there are occasions when exceptions exist and when state opt-in laws preempt HIPAA.

There are many reasons why a HIPAA covered entity may send emails containing Protected Health Information (PHI) to patients. These include for healthcare and payment purposes, to obtain consent or request an authorization for an otherwise impermissible disclosure, or in response to patients who have exercised their HIPAA rights to request a copy of their PHI or an accounting of disclosures.

Practically the only times when sending an email to patients is a HIPAA privacy violation are when patients are sent non-exempted marketing communications, or when sending an email to patients violates one of the exceptions to patients’ access rights under §164.524 of the HIPAA Privacy Rule. Naturally, if emails are mis-addressed and sent to the wrong patients, this is also a HIPAA privacy violation.

HIPAA Security Rule Requirements for Email

The Security Rule requirements for HIPAA-compliant email vary depending on whether HIPAA covered entities host their own email systems or subscribe to a third party’s email service. In the former instance, covered entities are responsible for complying with all applicable Administrative, Physical, and Technical Safeguards in accordance with the Security Rule’s General Requirements (§164.306(a)).

In the latter instance, covered entities share responsibility for complying with the HIPAA Security Rule Safeguards with the third party service provider, who must also enter into a Business Associate Agreement to safeguard the confidentiality, integrity, and availability of PHI in their possession. The third party service provider should also be responsible for the secure transmission of PHI in emails.

In most cases, both parties are individually responsible for complying with some HIPAA Security Rule requirements for email. For example, both parties must assign unique user IDs to workforce members with access to PHI, activate automatic log-off capabilities on all devices with access to PHI, and provide all members of the workforce with HIPAA security awareness training regardless of their access to PHI.

When Exceptions and State Laws Apply

HHS guidance notes that “the HIPAA Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients”; and, with regards to consent, the guidance states “health care providers can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual”.

If the patient has explicitly stated otherwise, or has requested confidential communications via a channel other than email (see §164.522(b)), sending an email to patients containing PHI would be a HIPAA violation. It would also be a HIPAA violation to send an email containing PHI to the personal representative of a patient without the consent of the patient under §164.510(b) of the HIPAA Privacy Rule.

It is also important to be aware that multiple states have adopted privacy laws that require affirmative opt-ins rather than assumed consent before sending an email to patients. Not every state applies its privacy laws to provider-patient communications, but it is recommended that healthcare organizations seek advice from an attorney before engaging in any communication activity that may violate a state privacy law.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]