In this age of technology, it makes sense that an increasing amount of communication is occurring over the internet, through email. In the healthcare industry, more providers are either choosing to or considering corresponding with their patients through email. While this preference is becoming increasingly popular, healthcare professionals should be reminded that the Internet and email are not secure, and, as stated by the Office of Civil Rights (OCR) of the Department of Health and Human Services on their HIPAA FAQ page, precautions need to be taken to remain HIPAA compliant.

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

So, what extra steps should you be taking when communicating with patients via email to help prevent their protected data from ending up in the wrong hands? Below are a few strategies that you can implement in an effort to remain HIPAA compliant in your email correspondence.

  1. Inform your patients.

    Many patients may choose to email your office with any questions they may have without considering that their information could be easily intercepted by someone else, simply because they may not know. You can easily educate them by posting visible notices in your office, as well as on your website, informing them of the security risks that communicating and sharing protected health information (PHI) via email poses. The notice can be as simple as this:

“Please keep in mind that corresponding via email over the internet is not a secure practice. There is a possibility that the information included in the email can be intercepted and read by another party who is not the intended recipient.”


  2. Get permission from patients to receive communication via email.

    If you are going to communicate with a patient via email, it is important that you have the patient's consent to do so. This can be done by providing a “Communication Preferences” intake form. On this form, the patient should be made aware of the security risks of sending or receiving emails that contain PHI. They can then either give consent to email communication or decline email communication from your office. This form should be kept in the patient’s chart.

  3. Make use of the Patient Portal function of Clinical.

    The patient portal inside Clinical allows practices to share patient health information confidentially, in a secure setting, with patients, other physicians, and consulting providers. Patients and physicians can easily view this information in a web browser from any device that has internet access. Portions of the patient’s chart that can be made viewable include future appointments, lab results, current medications, and overdue health maintenance. Patients and providers can also send secure messages back and forth via the portal. For instructions on setting up a patient to use the portal, click here.

  4. Encrypt transmitted files.

    Encrypting emails disguises the content of the email message from all parties except the intended recipient, who will be required to use some sort of authentication to open and read the encrypted message.

Email is a great tool that will be around for a while, but it should be used with extreme caution in healthcare. Make sure you, your staff, and your patients are aware of the security risks associated with communicating via email. Without taking the proper precautions, one email can be the cause of a costly breach.