The Office for Civil Rights (OCR) of the Department of Health and Human Services states on its website that:

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

As email has increasingly become a preferred method of communication for both health care businesses and individuals, the question arises, “Is email HIPAA compliant?”  The answer is not a simple yes or no.  While email can be an acceptable form of communication between a practice and its patients, it is important that you take precautions.  Most email applications are not secure on their own unless you purchase a specific HIPAA-compliant one, so it is important to be informed and act accordingly.

What are some of these reasonable safeguards, you ask?  They can include:

  1. Purchasing a secure email application, or
  2. Taking the following precautions if you are using a non-secure application:
    1. Get the patient’s written consent prior to sending
    2. Alert the patient that email is not always 100% secure
    3. Check the e-mail address for accuracy before sending
    4. Send an e-mail alert for address confirmation prior to sending the message
    5. Limit the amount of confidential information in the email you are sending
    6. Use encryption, especially if email contains a patient’s medical record


If you are using email for appointment reminders, which has been shown to significantly reduce the occurrence of last-minute cancellations and no-shows, you need to have the patient “opt in” to the service instead of giving them the option of “opting out”.  You can simply add a line to your registration form that gives the patient an opportunity to sign up for email notifications.

The OCR also spells out a patient’s right to choose the method of communication by stating the following:

An individual has the right under the Privacy Rule to request and have a covered health care provider to communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b).

This simply means that a clinic needs to accommodate a patient’s request to receive appointment reminders via e-mail rather than on a postcard, if e-mail is a reasonable alternative means of communicating with the patient. On the other hand, if the use of unencrypted e-mail is unacceptable to a patient, other methods of communication, such as mail or telephone, should be offered and accommodated.

As always with HIPAA compliance, it is important to err on the side of caution.  Make sure you get a patient’s permission before sending any emails, and even if the patient initiates the email communication, be sure you alert them to the potential risk of unsecured email.

Christina Ryan
Executive Administrator 
christina@dmbmcsi.com

Is Email HIPAA Compliant?

By Christina Ryan, Executive Administrator