Are patients obligated to send HIPAA compliant emails?

Patients are not responsible for ensuring HIPAA compliance in their communications; this responsibility falls on healthcare providers and their business associates. When patients initiate email communications with healthcare providers, HIPAA allows providers to continue the conversation via email, even if the channel is insecure. However, providers should inform patients about the risks of using unsecured email and offer alternative secure methods if available.

 

What HIPAA says about secure communication

According to a Journal of Oncology Practice IT Help Desk, "While the HIPAA Security Rule does not require the formal digital encryption of e-mail, a practice not utilizing some form of security must justify its choices. Therefore, in most settings, the use of conventional, unencrypted e-mail would not be considered HIPAA-compliant." HIPAA mandates secure communication practices to protect patients' protected health information (PHI) through two primary rules: the Privacy Rule and the Security Rule.

Under the Privacy Rule, healthcare organizations have to use safeguards to prevent unauthorized disclosure of PHI during oral, written, or electronic communications. The Security Rule focuses specifically on electronic protected health information (ePHI), outlining technical, administrative, and physical safeguards. The most relevant sections include:

  • Access controls: Requires unique user identification, emergency access procedures, and automatic logoff for systems handling ePHI.
  • Audit controls: Mandates monitoring ePHI access to detect unauthorized activity.
  • Transmission security: Requires encryption of ePHI in transit and integrity checks to prevent unauthorized alteration.
  • Administrative safeguards: Includes risk analysis, workforce training, and contingency planning for communication systems.

The HIPAA Security Rule updates, proposed in January 2025, expand requirements for secure communication:

  • Mandatory encryption: Previously an "addressable" specification under § 164.312(e), encryption for ePHI at rest and in transit becomes mandatory, closing gaps in legacy systems.
  • Asset inventories and network mapping: Organizations must maintain detailed inventories of IT assets and track ePHI movement across networks.
  • Improved incident response: Written incident response plans must ensure systems are restored within 72 hours of a breach, formalizing contingency planning under § 164.308(a)(7).
  • Regular security testing: Annual penetration testing and twice-yearly vulnerability scans would be required.

What makes an email HIPAA compliant

To determine what makes an email HIPAA compliant, it's necessary to consider the core principles of the HIPAA Security Rule. HIPAA compliance for emails primarily applies to covered entities and their business associates when they create, receive, store, or transmit ePHI via email. The components of HIPAA-compliant emails include encryption, secure transmission, and access controls.

 

Encryption as a requirement for HIPAA compliance

Emails containing ePHI must be encrypted both in transit and at rest to prevent unauthorized access. This means using methods like Transport Layer Security (TLS) or Secure/Multipurpose Internet Mail Extensions (S/MIME) to ensure that the content of the email, including attachments, is protected from interception or unauthorized viewing. 

An example of a lack of encryption can be seen in the Solara Medical Supplies data breach. In 2019, Solara Medical Supplies experienced a phishing attack that compromised the email accounts of eight employees, exposing the PHI of 114,007 individuals. The OCR investigation found multiple HIPAA violations, including the failure to conduct a HIPAA-compliant risk analysis and manage risks effectively.

 

Secure transmission for data integrity

Secure transmission involves ensuring that emails are sent through channels that maintain the integrity of the data. This often means using secure email services that automatically encrypt emails by default, eliminating the need for manual intervention by the sender. 
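The two sections above say ePHI must travel over an encrypted channel such as TLS. One way a compliance or security team can verify that after the fact is to read the Received: trail that each mail server prepends to a message: under RFC 3848 a hop recorded as "with ESMTPS" (or "ESMTPSA") negotiated STARTTLS, while "with SMTP", "ESMTP" or "ESMTPA" means the hop was cleartext. The script below is an added example, not Paubox's code or any product's feature; the message it parses is constructed for illustration, and the host names and ids in it are placeholders.

```python
"""Flag hops in an email's Received: trail that were not protected by TLS.

Added example (not from the original article). It relies on the transport
keywords registered by RFC 3848 / RFC 6531: keywords ending in "S" or "SA"
mean the hop used STARTTLS. Received: headers written by servers outside your
own infrastructure can be forged by a sender, so only the hops inside your
own mail path should be treated as authoritative.
"""
import email
import re
from typing import List, Tuple

# "with" keywords that imply the hop was TLS-protected (RFC 3848, RFC 6531)
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_CLAUSE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample: the patient's ISP handed the message to the clinic's MX
# in cleartext, then the MX relayed it internally over TLS. All names are
# placeholders (.example), not real hosts.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.20])
        by mail.internal.clinic.example with ESMTPS id abc123
        (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 3 Mar 2025 09:15:02 -0500
Received: from patient-isp.example (patient-isp.example [198.51.100.7])
        by mx.clinic.example with ESMTP id xyz789;
        Mon, 3 Mar 2025 09:15:01 -0500
From: patient@patient-isp.example
To: frontdesk@clinic.example
Subject: appointment question

Hi, can I reschedule my visit?
"""


def classify_hops(raw_message: str) -> List[Tuple[str, bool]]:
    """Return (with-keyword, tls_used) for every Received: header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each MTA prepends its Received: header, so the stored order is newest first;
    # reverse it to follow the message's actual path.
    for received in reversed(msg.get_all("Received", [])):
        match = WITH_CLAUSE.search(received)
        keyword = match.group(1).upper() if match else "UNKNOWN"
        hops.append((keyword, keyword in TLS_KEYWORDS))
    return hops


def cleartext_hops(raw_message: str) -> List[int]:
    """Indexes (oldest first) of hops that carried the message without TLS."""
    return [i for i, (_, tls) in enumerate(classify_hops(raw_message)) if not tls]


if __name__ == "__main__":
    for i, (keyword, tls) in enumerate(classify_hops(SAMPLE_MESSAGE)):
        print(f"hop {i}: with {keyword} -> {'TLS' if tls else 'CLEARTEXT'}")
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

Run against the constructed message, hop 0 (the patient's ISP to the clinic's MX) is reported as cleartext and hop 1 as TLS, which is exactly the situation the article describes: the provider's own systems can be configured correctly, yet the first leg of a patient-initiated email may still have crossed the internet unencrypted. Feeding real headers from a mail gateway's logs or a quarantined message into `cleartext_hops` gives a quick audit signal for where enforced TLS or a secure portal is still missing.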

 

Access controls as a necessary part of HIPAA compliance 

Access controls make sure that only authorized individuals can access the email content. This can be achieved by implementing strict policies for who can send and receive sensitive information. Having a business associate agreement (BAA) with email service providers is necessary to ensure they comply with HIPAA when handling PHI. Two enforcement actions illustrate this.

Firstly, in 2018, Providence Medical Institute faced a ransomware attack affecting the PHI of 85,000 individuals. The OCR investigation brought to attention potential violations of the HIPAA Security Rule, including inadequate access controls and a lack of a BAA.

In 2024, Gulf Coast Pain Consultants was fined $1.19 million by OCR for violating several HIPAA Security Rule provisions. The violations included failing to implement termination procedures to remove access to PHI when employment ended and not regularly reviewing information system activity containing PHI.

 

When do patients need to consider HIPAA compliance

While patients are not responsible for ensuring HIPAA compliance, being informed about their rights and the implications of different communication methods can help them protect their health information and ensure that their privacy is respected.

When patients initiate email communications with healthcare providers, they should be aware that providers are allowed to respond via email, even if the channel is not secure, as long as they have informed the patient about the risks. Patients can request alternative communication methods if they prefer more secure options, such as using patient portals or secure messaging systems. 

When patients request restrictions on how their PHI is used or disclosed, they are exercising their rights under 45 CFR §164.522(a)(1). While providers are not required to agree to these restrictions, except in specific circumstances, patients should be aware of their rights and the potential implications of such requests on their care.

How to ensure patients remain fully informed when it comes to HIPAA compliance 

  • Healthcare organizations must prioritize open and honest communication about their data transmission practices. This includes explaining the methods used to protect patient data, such as the use of HIPAA compliant email.
  • Organizations should educate patients on secure communication and how it protects their PHI.
  • Healthcare providers should maintain clear documentation about their data transmission practices, including any risks associated with different communication methods. Patients should be informed about these practices and have access to policies regarding data privacy and security.
  • Patient-centered care encourages shared decision-making, so patients should be engaged in decisions about how their health information is handled.
  • Patients should receive regular updates about changes in communication practices or security measures. This includes notifications about how their data is being used and transmitted. 

Leaving communication options up to the patients 

Patients have diverse needs and comfort levels with technology, so offering a range of communication methods ensures that they can engage with their healthcare providers in a way that feels secure and accessible to them. An Environmental Research and Public Health study notes, "In particular, some authors highlighted that promoting shared decision-making and defining shared goals between healthcare professionals and patients improved adherence to healthy behaviors and outcomes."

However, while patients should be empowered to choose their preferred communication channels, they should also be aware that using HIPAA compliant email platforms like Paubox provides the best protection for their sensitive health information. While patients may prefer traditional email for convenience, they should understand that standard email services often lack the security measures necessary to safeguard PHI. 

Healthcare providers should actively inform patients about the benefits of using secure communication channels. This helps patients make informed decisions about their communication preferences and ensures that providers are meeting their obligations under HIPAA to protect patient data.

 

FAQs

How should providers communicate with patients who have limited English proficiency?

Healthcare providers must ensure that patients with limited English proficiency have access to language services such as interpreters or translated documents to facilitate effective communication.

 

Can healthcare organizations share a patient's health information with their family or friends?

Yes, they can share a patient's health information with family or friends if the patient agrees, does not object when given the opportunity, or if they use professional judgment to determine they do not object.

 

What accommodations must be provided for patients with communication disabilities?

Providers must provide communication accommodations for patients with disabilities, such as sign language interpreters or Braille materials, to ensure equal access to care.

 

How should providers document patient consent for communication with others?

While HIPAA does not require documentation of patient consent for sharing health information with family or friends, it is advisable to document consent in the patient's medical file if desired.
