The U.S. Department of Health and Human Services (HHS), the agency that enforces HIPAA, has clarified that unencrypted emails may be sent to patients who have been advised of risks and have consented to receive unencrypted emails.
However, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient — such as by more secure electronic methods or by mail or telephone — should be offered and accommodated. Also, patient consent to receive unencrypted email is not consent to transmit protected health information in nonsecured communications with other entities such as specialists and payers.
The HHS statement was included in the Jan. 25 publication of the amendments to the HIPAA Privacy, Security, and Breach Notification Rules that are required by HITECH legislation approved in 2009.
Here are a few suggestions to obtain patient consent to communicate via unencrypted email. Be sure to retain documentation with the patient record.
- Reply to a patient's emailed request for information with the following:
We are happy to respond to your query, but in order for us to do so via email, you must provide your consent, recognizing that email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in such email may be misdirected, disclosed to, or intercepted by unauthorized third parties. We will use the minimum necessary amount of protected health information to respond to your query.
If you wish to conduct this discussion via email, please indicate your acceptance of this risk with your email reply. You may withdraw your consent at any time. Alternatively, please contact our office to arrange a telephone conversation or office visit if you decide against corresponding via email.
- Act on a verbal request from the patient.
Ask the patient to send an email to the office; the office can then respond as described above. Or, the dentist can discuss with the patient the risk of unsecured email and document the conversation and consent in the patient record.
- Add the following language to the patient information form.
Unencrypted email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in such email may be misdirected, disclosed to or intercepted by unauthorized third parties. However, you may consent to receive email from us regarding your treatment. We will use the minimum necessary amount of protected health information in any communication. Our first email to you will verify the email address you provide.
Include check boxes for three statements:
I consent to and accept the risk in receiving information via email. I understand I can withdraw my consent at any time. My email address is _________.
I consent only to receiving appointment reminders via email or text. I understand I can withdraw my consent at any time. My email address is _________.
I do not consent to receiving any information via email. I understand that I can change my mind and provide consent later.
For more information on this, visit cda.org/compass.