Providing Comprehensive Health Law Services Throughout Wisconsin

Does e-mail sent to patients have to be encrypted?

On Behalf of | Aug 11, 2014 | Physician Liability |

Many physicians are being asked by patients to communicate via email and that raises various privacy, HIPAA, and physician liability questions.  Do email communications violate privacy regulations or whether, if you can use e-mail, must the e-mail be encrypted?  The short answer to the first question is yes, you can communicate with patients via e-mail.  The answer to the second part is more difficult.  You can, under HIPAA, communicate via unencrypted e-mail but only if the patient has been notified of the risk and agrees.  From the HIPAA Final Security Rule comments on January 25, 2013:  “We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the ”duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”  Beyond HIPAA, you cannot just ignore possible state laws on privacy and physician liability.  However, in this case, in Wisconsin, there is no further state law on the subject.  So yes, if you have notified the patient’s of the risks you can send unencrypted email.  The notifications required can be learned by contacting your health law attorney. 

FindLaw Network

Questions? Contact Me