in HIPAA Headlines by John Brewer

Today, after my small dog struggled to bring in the Wall Street Journal, I was greeted by an article titled “When Email is Part of the Doctor’s Treatment.”

It is full of wonderful tidbits that make a HIPAA hound like me cringe.

Let me set a few things straight: I’m a tech guy and my preference would be to do most communication with my physicians via some electronic method.

Let me clarify one other thing: I get wrapped up on some basic vernacular – that is, never never never should a medical office say they are going to email patient information.  IF your office has a patient portal for secure messaging, SAY THAT. Yes, say “I will secure message you.”

“Does that really matter?” most ask.  If a $50,000 fine matters to you, then yes it matters.

Remember, HIPAA compliance is about reducing the risk of a huge fine, which means reducing the risk of releasing PHI.

Back to the article…

“Dr. Mark Seigel’s Personal email account…”

Never should any person in your office send an email to a patient with any PHI in it.  Also, realize by answering that innocent “little” question, you are opening up the communication for too much detail.

“…Blood test results, refill prescriptions…”

No and no.  Never send test results or prescription information via email.

“He asks them to sign a form…”

One of the docs in the article has patients sign a form so they can then email information freely.  This is the right way to handle this, though I always recommend electronic communication be via a secure system.  Otherwise you open yourself up to way too many potential issues.

Secure Messaging

Now we are talking.  All of the above would be just fine if using a secure messaging system.  This is typically an add-on to your EHR.  Generally you will find it is easiest to use the secure messaging system that your EHR vendor offers, as it will generally attach all communications to that specific patient’s file.

“…Her practice has a portal, but…”

“…most parents prefer to email or text.”  Right, and most people prefer to eat food that is not good for them and generally don’t want to exercise.  This isn’t about what the patient desires; this is about FEDERAL REGULATIONS with hefty fines.

Let me put it this way: if you are not willing to email your credit card information (which you should never do), why would you be willing to email your patient information?

What Should I do?

First, you need to ensure you have a clear set of policies in place clarifying what is allowed when communicating with patients electronically.  Next, you should get the patient portal on your EHR stood up.  The patient portal is generally what activates your secure messaging.  Make sure you only communicate via secure messaging with your patients.

Never use the term “email” when you talk about sending patient information.  Always say “secure message”.  This may sound dumb, but the moment a staff member emails out a patient’s information because “the doctor said to email their information”, then you have a real problem on your hands.

This is all really simple, yet it takes a change in the way you operate.


20 thoughts on “Email As Treatment”
  1. JC says:

    I am an employed physician. I am aware of these considerations, but my employer publishes my email address, and doesn’t have a secure patient portal. Patients email me all the time. They get angry when I tell them the email is not secure and they should call the office. I have the same problem with colleagues who email me confidential patient information. HELP!!!

  2. Nancy says:

    Is faxing PHI OK?
    I thought I read an article in this section about faxes, but I cannot find it now. Thank you for your time, information and assistance…always a pleasure!

  3. Nancy says:

    “Dr. Mark Seigel’s Personal email account…”
    Never should any person in your office send an email to a patient with any PHI in it.

    Q: NO emails to PATIENTS, but can you send a Hospital an email with required PHI for preop / admission?

    Thank you for your time, information and assistance!

  4. John H. Roark, M.D. says:

    It is a HIPAA violation for a patient to send a picture by text of their post op wound to the physician

  5. John Brewer says:

    @ Dr. Roark
    No, it is not a violation for the patient to volunteer information. BUT it is very important as to how you handle this situation. There should not be a response via text message to this patient.

    Texting with patients should not be an option. Let me clarify that, non-secure texting should not be an option.

  6. John Brewer says:

    There are a few solutions. First, your employer needs to help you out. Second there is a secure messaging system that I’m in the final stages of review that should greatly simplify all of this, stay tuned.

  7. John Brewer says:

    Faxing is ok. The article to which you are referring discussed having the proper fax process in place to minimize the risk of a breach via fax.

  8. John Brewer says:

    You can only send PHI in an email if it is a secure system. Hospitals tend to have secure systems, but you need to be 100% sure AND understand how to properly send within their secure system.

  9. Paul Norton says:

    Maybe the problem isn’t about emails but the HIPAA law. We should be writing our legislators about ridiculous laws and changing them than paying money to “make it secure”. A phone call isn’t secure, neither is mail. This seems like a bad episode of Get Smart and the cone of silence.

  10. John Brewer says:

    I agree, but I don’t see the laws changing. The best thing to do is accept this is the way you have to operate, and implement the required processes in the simplest way possible.

  11. James Bouzoukis, MD says:

    Thank you for your informative article. On the website, an answer from the HHS in 2008 says email communication with patients, even unencrypted email is allowed if the patients agree to this.
    Has this specifically changed in the 2013 modification to HIPAA? I did not see specifics regarding email in the HIPAA modification published on the federal register website; although I did read all sections thoroughly.

  12. James Bouzoukis, MD says:

    I meant to say I did not read all sections.

  13. John Brewer says:

    Let me clarify something: I am very conservative when it comes to HIPAA regulations. When I create policies for an office, that office may back off from my recommendations, but they should clarify in writing that they are doing so. I will correct my remark above to be technically correct.

    You are correct, there is a stipulation that IF a patient says communication with them via non-secure email is OK with them, then it is OK.

    Realize also there is a stipulation that says a cleaning crew does not require a Business Associates Agreement as they may only have incidental viewing of PHI.

    In both of these situations I err on the conservative side. Plus, most health attorneys you speak with will recommend the conservative route.

    I think it is a big mistake to head down the path of non-secure electronic communication with patients.

    Don’t forget, HIPAA is all about risk reduction to you.

  14. Brian says:

    To what extent do you consider communicating with a patient PHI? Labs and diagnoses are understandable. What about coordinating OR arrival times? What if the procedure is named in the email? Is it a violation if the patient emails us a medical question directly but then we answer it by phone and document in the chart?

  15. Beth F says:

    Have you heard of and do you recommend using this feature to send information to patients at their request? Our patients often ask for us to email them surgical quotes and photos.

  16. Beth F says:


  17. John Brewer says:

    @Beth F
    That website makes no mention of HIPAA compliance. If they won’t claim HIPAA compliance, you shouldn’t use it.

  18. John Brewer says:

    Review our post on what makes up PHI. Generally appointment times are considered fine, but stay generalized with descriptions. If a patient sends PHI to you, calling them is fine. Avoid emailing them anything back.

  19. Beth F says:

    Hi John,
    One more question, how should I handle email inquiries such as “How much does a Breast Augmentation cost?” from people who are NOT currently patients on record, but just people who are asking questions through our website. Can I respond to their emails without violating HIPAA?

  20. John Brewer says:

    One might argue that by them asking the question initially that it would be considered their consent.
    But two things:
    1) Never make this assumption
    2) That is horrible marketing. Generally what you have in this case is a price shopper, and I’m guessing you aren’t there to be giving out pricing information.

    What you should do is call everyone who submits a question like that.

    You should ask for their phone number as part of your process.
    You can clarify to them that due to HIPAA regulations, you would like to discuss this over the phone with them.
    If they don’t want to talk on the phone, I’m guessing they aren’t that serious about the procedure.
