Healthcare providers are searching for simpler ways they can communicate with patients. It can be tedious to schedule all communication in person or over the phone, so medical professionals are looking for another way. Email has become a popular form of communication for those in the healthcare industry, but there are questions about its legality and if it complies with HIPAA laws.

HIPAA Emails

HIPAA sets the standard on what is or is not allowed regarding medical communication. Meaning that to avoid a breach, penalties or fines, healthcare providers must understand the HIPAA privacy and security rules.

Privacy Rule: Patients have a right to request a provider communicate by alternative means.

Security Rule: Communication through email is not prohibited, however, it must have adequate protection.

HIPAA laws state that healthcare providers can communicate electronically, so long as safety measures are in place. Some suggested safety measures include:

Encrypted Email

It is always a good idea to encrypt sensitive information that you send electronically. Encryption keeps information safe, and should it fall into the wrong hands, it will be useless to them unless they have the encryption key. This makes encryption especially important considering that most email systems are not HIPAA compliant.

Do Not Send Protected Health Information (PHI) Via Email

If you must communicate any PHI, it is best to do this in person. By communicating sensitive information through email, medical provers may put their patients at risk of having their private information exposed.   

Information that can be classified as PHI includes:

·       Payment claims submitted to insurance providers.

·       Patient referrals to specialists

·       Appointment scheduling

Have Patients Fill Out Communication Consent Forms

A communication consent form will verify what forms of communication a patient allows. Written consent tells medical providers a patient’s preferred form of communication. This form is helpful if there is any confusion down the line as to what types of communication a patient allows.

Communicate Through a Patient Portal

A private patient’s portal is a place for medical providers and patients to message each other without the potential risks an email carries. A private portal is a secure platform, where patients can view information about appointments, medical results, or communicate with staff.

The Office of Civil Rights (OCR) states that if a patient communicated with the medical provider via email previously, it is okay to assume that communication through email is okay. It is also the healthcare professional’s responsibility to alert the patient if they feel as though the patient does not understand the potential risk involved in communicating through non-encrypted emails. Alternative means of communication should also be made available in this instance.

There are other steps that HIPAA recommends to ensure the safety of information transmitted via email. HIPAA emphasizes ensuring that you send emails to the right recipients. They recommend double checking the intended recipient’s email address, and even sending a test email before-hand which would help verify that the right person will receive the email.


A report by the Healthcare Billing and Management Association states that most of the Covered Entities and Business Associates are not in compliance with HIPAA laws. The fact that most are not in compliance means that patients need to take extra steps to ensure their information is secure and protected from potential security breaches. Patients should only communicate with medical professionals in a way that they are comfortable with, and should always remain aware of potential threats.