Can You Send Patient Information Via Email

The Option From Your IT Company


If you work with an IT company, they might be giving you a HIPAA email encryption add-on. It might even be free.

Companies with names like Proofpoint, Mimecast, and Reflexion primarily focus on email security. More specifically, they protect you from phishing attacks, viruses, and ransomware emails.

All of these companies are excellent at keeping your email safe, but they’re not that great at SENDING secure emails.

Here’s how most of them work:

When you want to send someone a secure email, you’ll use a keyword in your subject line. That’s the signal to the system to encrypt the email.

Here’s an example in Gmail, though it looks the same in whatever email service you use. In fact, you can even do this on your mobile phone!

After sending it, you’ll get a nice confirmation back.

When your recipient gets the email, it will look like this:

The recipient clicks on the View Encrypted Email button.

Sounds easy, right?

Well, not so fast. Your patient still needs to sign up for a username and password. Patients can find this confusing.

After they log in, they will see the secure email you sent. They can also respond to it.

This one was near the top of our list, but when we tried it with medical practices, we had too many people complain about having to remember usernames and passwords. It can work for a really small practice that almost never sends sensitive data over email, but what if you forget to type in “secure”? It’s too easy to make a mistake.
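The slip described above (PHI in the body, no keyword in the subject) is exactly what a pre-send policy check can catch. The following Python check is an added example, not code from the original article or from any vendor named in it; the keyword `secure`, the PHI patterns and the sample messages are assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message

# Subject token that tells the gateway to encrypt. The article uses "secure";
# the real token is vendor-specific, so treat this value as an assumption.
ENCRYPT_KEYWORD = "secure"

# Constructed PHI indicators for the demo (a real DLP rule set is far broader):
# a US SSN, a date-of-birth label and a medical-record-number label.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b\s*:?", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN\b\s*:?\s*\d+", re.IGNORECASE),
}

def subject_triggers_encryption(msg: Message) -> bool:
    """True when the Subject header carries the gateway's encrypt keyword."""
    return re.search(rf"\b{re.escape(ENCRYPT_KEYWORD)}\b", msg.get("Subject", ""),
                     re.IGNORECASE) is not None

def body_text(msg: Message) -> str:
    """Concatenate every text/plain part (works for single and multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True)
            if raw is not None:
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def check_outbound(raw_message: str) -> dict:
    """Pre-send policy result: PHI hits, keyword present, and whether it would leak."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    found = [name for name, rx in PHI_PATTERNS.items() if rx.search(body)]
    tagged = subject_triggers_encryption(msg)
    return {"phi_indicators": found, "encrypt_keyword_present": tagged,
            "would_leak": bool(found) and not tagged}

# Constructed sample messages; in UNTAGGED the sender forgot the keyword.
UNTAGGED = ("From: frontdesk@clinic.example\nTo: patient@mail.example\n"
            "Subject: Your lab results\n\nHi Jane, MRN: 4471203, DOB: 1984-03-02. "
            "Your A1c came back at 6.1.\n")
TAGGED = UNTAGGED.replace("Subject: Your", "Subject: [secure] Your")
BENIGN = "Subject: Appointment reminder\n\nSee you Tuesday at 3pm.\n"

if __name__ == "__main__":
    for label, raw in (("untagged", UNTAGGED), ("tagged", TAGGED), ("benign", BENIGN)):
        print(label, check_outbound(raw))
```

A gateway that enforced this rule would hold or auto-tag the untagged message instead of relying on the sender remembering the keyword.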

The Shortcomings Of SMS And Email

The primary text messaging functionality available on all mobile phones, and email communication, is not technically HIPAA compliant, for three reasons:

  • SMS/email lacks access controls: a patient does not need to enter a password before reading a text message or email, or at least the healthcare provider can’t ensure this.
  • SMS/email lacks audit controls, which are necessary to record when Protected Health Information is created, modified, accessed, shared, or deleted.
  • SMS/email lacks the necessary encryption standards: standard SMS/email functionality does not prevent the interception of text messages or their extraction from the mobile carrier’s and/or email provider’s servers.

What Are The Rules For Emails And Texting With Health Information?

HIPAA allows covered entities and their business associates to communicate e-PHI with patients via e-mails and texts if either the e-mails and texts are encrypted and/or are otherwise secure or the covered entity or business associate first warns the patient that the communication is not secure and the patient


Who Is Not Included In The HIPAA Exception?

The HIPAA Exception does not apply to providers that provide faxing or emailing services to transmit or transport medical information. It also excludes organizations or businesses that store electronic PHI.

Such entities are considered business associates, and they must sign a BAA. BAs might include cloud hosting companies and fax, email, or SMS providers.

If you are working with an entity that provides these services and they will not sign a BAA, you should be very careful. Some will add CE protections like disabling automatic forwarding of emails and disabling SMS texting.

While this absolves them from having to sign a BAA, your organization could still be at risk of noncompliance.

How To Send HIPAA Compliant Text Messages


Covered entities can implement mobile applications to send HIPAA compliant text messages, which aren’t exactly SMS-based messages. Still, this achieves the objective of sending a message to a mobile device. A HIPAA compliant messaging app provides a private cloud, secure encrypted network with access controls and audit controls to satisfy the HIPAA requirements. Convenient control panels allow covered entities to offer role-based authorization and apply messaging policies. HIPAA text messaging solutions don’t typically store messages on the device, so there’s a limited risk of unauthorized access. Apps installed on mobile devices require passwords to gain access, often for both the device and the app, which means extra security.

That being said, most healthcare providers send SMS messages to patients with limited PHI in them. SMS is considered a low-medium risk in comparison to email, so it’s unlikely a healthcare provider would experience any problems by relying on SMS messaging as their primary communication method, so long as the right precautions are in place. SMS is extremely effective and the preferred communication method for patients, so it makes sense to develop a HIPAA-compliant policy for sending SMS messages.


What Do The HIPAA Regulations For Email Actually Say?

According to the US Department of Health and Human Services website, the Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

At first glance, it would appear that sending ePHI by email is acceptable provided that the sender and the recipient have the same encryption software, but it has to be considered that emails are copied onto routing servers while in transit, and there is no means of deleting them remotely should an unauthorized party with the same encryption software gain access to them.

Therefore, although the HIPAA regulations for email do not ban sending ePHI by email, there’s still an issue of how to send emails and remain HIPAA compliant. Furthermore, although the new legislation considered the sending of ePHI by email an addressable regulation, it was not intended to be an optional consideration, but rather one which had to be complied with if organizations were to avoid severe financial penalties from a breach of ePHI.

Are Your Emails HIPAA Compliant? Here’s How To Be Sure

Email is becoming one of the more popular ways for patients to communicate with healthcare providers.

In fact, healthcare emails in general have one of the highest email open rates among any industry.

But the rise of email as a primary form of communication presents challenges for healthcare providers in terms of protecting sensitive patient data when delivered electronically.

Not only do providers have to worry about oversharing patient information when they write and receive emails, they also have to consider how things like email security and encryption might impact the sharing of sensitive patient information.

Thankfully, HIPAA has some specific guidelines for managing electronic communications, though it still falls on every practitioner to put these guidelines into practice.

Here’s what to know about HIPAA and email.



Ensure PHI Is Not Improperly Changed Or Destroyed During Texting

Maintaining the integrity of sensitive health information is important, which is why HIPAA states that PHI must not be altered or destroyed in an unauthorized manner. If patient information is accidentally or intentionally changed by human error or an information system failure, the integrity of the data is compromised.

The HIPAA Security Rule requires covered entities to establish safeguards to ensure the integrity of PHI through security processes or functions. In regards to secure HIPAA compliant texting, there must be technical safeguards in place to verify that data integrity is not at risk of being compromised when it’s distributed via secure messaging.

Your Guide To Staying HIPAA Compliant When Emailing Patients


In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

In response to growing concerns of data interception, Congress passed HIPAA: the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.

In general, email communication is not secure for two reasons:

  • The data isn’t encrypted by default.
  • It’s impossible to tell if the receiver is the intended recipient.

Encryption is the process of modifying data to make it unreadable, but in a way that it can be returned to its readable state. The reorganization requires a cipher that both sender and recipient know. Anyone without the cipher will only see gibberish.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.


Develop An Office Policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information. A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.


Communication Skills Using Email

There is very little published guidance to help healthcare professionals develop skills in using email to communicate with patients. As previously mentioned, NHS Direct and the many charitable organisations that offer a helpline service also now have an email service. The Telephone Helplines Association, which sets standards for good helpline practice, has also published directions for organisations using email and text services, although this is not specific to a healthcare setting.

While the tone and style of the email may vary depending on its purpose, there are some style and language considerations that remain consistent. It is important to use language that is easy to understand and does not contain inappropriate medical jargon, abbreviations or acronyms that the recipient may not be aware of. Since it can be difficult to read from a computer screen, it may also be helpful to keep sentences and paragraphs as short as possible.


How Can Central Data Storage Help You?

At Central Data Storage, downloading and completing our free HIPAA Compliance Checklist can give you total peace of mind in ensuring you are entirely HIPAA compliant while sending medical records via email. By following our simple step-by-step guide, you will be able to analyse your file transfers to make sure you are meeting all necessary requirements.

In addition, our Encrypted Sharing solution provides secure messaging and file sharing for your business: simple, real-time HIPAA compliant messaging and document sharing.

HIPAA Violation Email Example


A HIPAA compliant email meets the standards for sending patient data via electronic channels. Practitioners must ensure that emails containing patient records meet regulatory standards to avoid violations and penalties. The following HIPAA violation email examples will help you steer away from some common pitfalls.


Advantages And Disadvantages Of Using Email

One of the main advantages of using email is the convenience it offers for both patients and practitioners. Emails can be written at any time of the day or night, potentially making it easier for those whose circumstances might make it difficult for them to consult with healthcare professionals during working hours. Those responding to the email can also do so in their own time, giving them space to research any difficult questions or consult with colleagues. However, because there will always be an element of time delay between sending an email and receiving a reply, this is not an appropriate way of dealing with any queries that are urgent or an emergency.

Email can be used by those living in remote communities or by those with a disability that may make attending face-to-face appointments difficult. It therefore has the possibility to increase access to healthcare for certain groups, although it has been noted that internet use is more common in younger people who may be wealthier. Delivering healthcare in this way may therefore widen certain social inequalities. However, if other methods of reaching practitioners remain accessible, then providing the option of email purely increases patient choice.

When seeking information about a particular condition or health-related matter, many patients will now turn to the internet. While this can be both informative and empowering, the internet is a largely unregulated resource that has the potential to mislead people.

You Don’t Have Patient Consent

The U.S. Department of Health and Human Services has given explicit guidance, on several occasions, that patients and providers can use unencrypted email for protected health information, so long as the patient is aware of the security risks and still prefers email over other communication options.

The flip side of this guidance is that a failure to meet any of its stated criteria implies an immediate HIPAA violation. So ask yourself, for every patient you’re emailing:

  • Is this patient aware of the security risks of email?
  • Have we discussed other communication options with better security?
  • Have they stated a preference for email despite the risks and availability of other options?
  • Have I documented that preference/consent somewhere?

Patient preference is a powerful tool for HIPAA compliance, but that also means that its absence is a powerful liability. Don’t skip this easy compliance step.


Using In The Subject Line If Sending An Email From One NHSmail Address To Another

When sending email from NHSmail to another secure service you do not need to take any action.

You will know if you have an NHSmail email address because it will end in

Please note that systems that have not met the accreditation standards are not considered secure.

This table is a summary of email addresses that are known/not known to be secure:

Recipient email address ends
Use in the subject line

Do You Know The Rules When It Comes To Emailing PHI?


Email is convenient, especially in a busy healthcare environment. But keeping email secure is tricky.

Email is one of the topics I’m asked about most frequently. Due to the nature of email and the difficulty of properly securing it, I recommend avoiding it whenever possible. The use of patient portals is preferred for sending information to patients, and secure file transfer options that incorporate strong encryption are preferred for covered-entity-to-covered-entity or covered-entity-to-business-associate communications.

For those who can’t find an alternative to email, this post is intended to help you understand what’s required of you when sending electronic protected health information.
