The HIPAA Privacy Rule permits healthcare providers to use e-mail to discuss health issues and treatment with their patients, provided they apply reasonable safeguards when doing so. These precautions are intended to prevent unintentional disclosures of ePHI and may include:
- Double and triple-checking the e-mail address to ensure accuracy before sending
- Sending an e-mail to the patient to confirm the address prior to sending any e-mail with ePHI
- Limiting the type or amount of information disclosed through e-mail, including ePHI
- Encrypting the e-mail prior to sending
- Alerting the patient to the relative risks of using unencrypted e-mail to communicate sensitive information, such as the potential for interception by a third party; having the e-mail read by a person with whom the patient has shared their e-mail login and password; accessing private e-mail on a public computer, such as in a library or on a shared computer at work
The HIPAA Security Rule can also apply when e-mailing with patients. For example, out of the Standards described above, Access Control, Integrity, and Transmission Security can be applied to ensure the security of ePHI when transmitted via e-mail. Each of these Standards ensures that the information contained within the e-mail is adequately protected.
Some companies offer what they call “HIPAA-Compliant E-mail” services. In general, these products purport HIPAA Security because they a) encrypt the e-mails and b) send the e-mail through a secure channel according to the Standards. Often, these companies cite “AES-256 bit encryption” which is aligned with HIPAA’s Access Control Standard (described above). This level of encryption is generally considered sufficient for HIPAA compliance.
Most of the above suggestions on e-mailing with patients also apply to text messaging (SMS), where applicable. It should be noted that, while a text message cannot be encrypted, there are third party vendors that offer so-called “HIPAA-compliant” text messaging services, which address the Person or Entity Authentication and the Transmission Security standards of the Security Rule.