June 2022 – Email and PHI

Email is one of the most common tools on the Internet today. We use it to send pictures to friends and family, send documents to customers or businesses, and everything in between. Because email is so prevalent and easy to use, it is easy to forget the rules surrounding sending protected health information (PHI) via email.

But before we dig into that, let’s do a brief primer on how email works.

Email Primer

When you use an email client like Outlook, the client hands the message you wrote to your practice's email server. That server looks up the recipient's domain and forwards the message to the recipient's server, sometimes through one or more relay servers along the way. Each server on that path receives the complete message, including the body and any attachments, stores a copy while it decides where to send it next, and can read it. Encryption between two servers, where it is used at all, only protects the connection between those two hops; it does not stop the servers themselves from reading what they hold. The recipient then uses their own email client to download the message from their server. We tend to think of email as a letter sealed in an envelope, but it is really a postcard: every hand it passes through can read it.
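
To make the "postcard" point concrete, here is an added example (not from the original newsletter) that walks the Received: headers a message picks up at each server and reports which hops used TLS and which servers held a readable copy. The message is constructed for illustration and uses reserved example hostnames and addresses; the clinic, relay and patient-provider servers are assumptions, not real systems.

```python
"""Walk the Received: trail of a raw email and report each hop.

Added example, not part of the original newsletter. The message below is
constructed for illustration; the hostnames and addresses are reserved
example values (RFC 2606 / RFC 5737), not real systems.
"""
import email
import re

# Constructed sample message: the clinic's server hands the message to an
# ISP relay over TLS, the relay forwards it to the patient's provider in
# cleartext, and the provider moves it to the mailbox server over TLS.
# Each receiving server prepends its own Received: header, so the newest
# hop is at the top.
SAMPLE_MESSAGE = """\
Received: from mx.patient-mail.example (mx.patient-mail.example [198.51.100.7])
    by inbox.patient-mail.example with ESMTPS id q7
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Tue, 7 Jun 2022 09:15:41 -0400
Received: from relay.isp.example (relay.isp.example [203.0.113.5])
    by mx.patient-mail.example with ESMTP id a1;
    Tue, 7 Jun 2022 09:15:40 -0400
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
    by relay.isp.example with ESMTPS id z9
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
    Tue, 7 Jun 2022 09:15:39 -0400
From: frontdesk@clinic.example
To: patient@patient-mail.example
Subject: Your lab results
Content-Type: text/plain

Your results are attached.
"""

# RFC 3848 "with" keywords that indicate STARTTLS on that hop end in
# "SMTPS" or "SMTPSA" (ESMTPS, ESMTPSA, UTF8SMTPS, ...). Plain ESMTP and
# ESMTPA (authenticated, but no TLS) do not match.
_TLS_KEYWORD = re.compile(r"SMTPSA?$")


def _field(keyword: str, text: str) -> str:
    """Return the token following 'from', 'by' or 'with' in a Received header."""
    m = re.search(rf"\b{keyword}\s+(\S+)", text)
    return m.group(1) if m else ""


def parse_hops(raw_message: str) -> list[dict]:
    """Return the hops in delivery order (the clinic's hand-off first).

    Each hop records the host that handed the message over ("from"), the
    host that accepted and stored it ("by"), the protocol keyword, and
    whether that keyword indicates TLS on the wire for that hop.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))  # unfold the header
        protocol = _field("with", text)
        hops.append({
            "from": _field("from", text),
            "by": _field("by", text),
            "protocol": protocol,
            "tls": bool(_TLS_KEYWORD.search(protocol.upper())),
        })
    hops.reverse()  # headers are prepended, so reverse to get send order
    return hops


def cleartext_hops(raw_message: str) -> list[str]:
    """Hosts that accepted the message over an unencrypted connection."""
    return [h["by"] for h in parse_hops(raw_message) if not h["tls"]]


def custodians(raw_message: str) -> list[str]:
    """Every server that held the full message, TLS or not.

    Hop-to-hop TLS only protects the wire between two servers; each "by"
    host still stores and can read the message and its attachments.
    """
    return [h["by"] for h in parse_hops(raw_message)]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        flag = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:28} -> {hop['by']:28} {hop['protocol']:8} {flag}")
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
    print("servers holding a copy:", custodians(SAMPLE_MESSAGE))
```

Two caveats when reading real headers this way: each Received: line is written by the receiving server, so any server can omit or forge it, and the trail only shows what the servers chose to record. And even when every hop reports TLS, every server in the custodians list still held the message in the clear, which is exactly why transport encryption alone is not enough for PHI.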

So now that you have a basic understanding of how email works, let's apply it to the PHI protection rules under HIPAA. When you send an email containing PHI to a patient, it is not private at all: any server along the path to the patient could copy and review that PHI, and exposing PHI that way is a violation. In plain terms: you cannot send any PHI to anyone via ordinary email without taking security precautions. Period, full stop, end of story.

Protecting email containing PHI

Before you send any email to a patient at all, you first need written authorization from the patient stating that they are willing to receive emails from your practice. This authorization must be added to their chart.

To send PHI to a patient, you must encrypt the email. This is mandatory for PHI sent through any type of email. Encryption prevents anyone along the message's path from reading the message or its attachments. By default, most email is not encrypted; this capability is usually an add-on that must be enabled and configured. If your practice does not have this feature, do not use email to communicate with patients. If you do have it enabled, you can share PHI with patients securely via email.

There are many ways to achieve this, but the most common is a secure message portal. Rather than carrying the PHI itself, the email the portal sends is a notification asking the patient to verify their identity on the portal in order to view the encrypted message. Because the notification contains no PHI (keep the subject line free of it as well), this works with any type of email service the patient may have.

So, to summarize: make sure you have written authorization from the patient before sending any email messages, and then make sure you only use an encrypted messaging system to send them.