Q&A: Contacting patients via unencrypted email

November 19, 2020
Medicare Web

Q: What type of information can be sent to patients via unencrypted email?

A: If the email contains PHI, even if it includes only the patient’s name and email address, it needs to be encrypted. These days, OCR enforces the encryption provisions in the HIPAA Security Rule as if they were required. This was announced by the department in the preamble to the HIPAA CLIA Rule that was published in February 2014, and OCR has been hammering home the message ever since.

That said, there is one exception. If a patient insists on using unencrypted email for his or her PHI, you may provide a disclaimer letting the patient know the risks associated with sending PHI unencrypted. It is important to ask the patient to sign a disclaimer that will protect your organization in the event of a breach. You don’t want to face liability if the patient’s data is breached, if OCR investigates the breach, and/or the patient decides to file a lawsuit claiming you didn’t communicate the risks. Good documentation will go a long way to reducing your potential liability.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
