Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Discussing health issues with patients over email

Written by Tshedimoso Makhene | October 01, 2024

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message,” says the US Department of Health and Human Services (HHS).

 

Considerations before sending that email

Privacy and security

Emails that contain PHI must be transmitted and stored securely to prevent unauthorized access. Healthcare providers should use secure, HIPAA compliant email solutions like Paubox, which offer built-in encryption without requiring patients to log into separate portals or use passwords to view messages. This simplicity boosts engagement while maintaining robust security standards.

A HIPAA compliant email platform should:

  • Encrypt messages both in transit and at rest.
  • Authenticate sender and receiver identities.
  • Prevent unauthorized forwarding or copying.
  • Maintain secure storage with access controls and audit trails.
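The HHS safeguards quoted at the top of this article (check the address for accuracy before sending) and the checklist above (encryption in transit, consent, audit trails) can be enforced as a pre-send gate in whatever system composes the message. The following is an added example written for this article, not Paubox code; it assumes a hypothetical consent registry keyed by patient id (constructed here as a dictionary) and a hypothetical `pre_send_check` function that returns both a go/no-go decision and an audit-trail entry.

```python
"""Pre-send safeguards for a patient e-mail, modelled on the HHS guidance
quoted above. Added example; not Paubox code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed consent registry (hypothetical). In practice this lives in the
# EHR or practice-management system, keyed by the patient record id.
CONSENT_ON_FILE = {
    "patient-1001": {"email": "a.patient@example.org", "email_consent": True},
    "patient-1002": {"email": "b.patient@example.org", "email_consent": False},
}

# Syntactic check only; it cannot tell a typo from a real address, which is
# why the address is also compared with the one the patient gave in writing.
EMAIL_SYNTAX = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


@dataclass
class SendDecision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why the message was blocked
    audit: dict = field(default_factory=dict)     # entry for the audit trail


def normalize(address: str) -> str:
    # Strip whitespace and lower-case the whole address; providers treat the
    # local part case-insensitively in practice, so a case difference is not
    # treated as a mismatch.
    return address.strip().lower()


def pre_send_check(patient_id: str, to_address: str, *, transport_tls: bool,
                   contains_phi: bool, consent_db=None, now=None) -> SendDecision:
    """Return whether the message may be sent plus an audit-trail entry."""
    consent_db = CONSENT_ON_FILE if consent_db is None else consent_db
    now = now or datetime.now(timezone.utc)
    reasons = []

    # 1. Address accuracy: the recipient must be syntactically valid ...
    if not EMAIL_SYNTAX.match(to_address):
        reasons.append("recipient address is not syntactically valid")

    # 2. ... and identical to the address the patient gave in writing, so a
    #    typo or a look-alike address is caught before anything leaves.
    record = consent_db.get(patient_id)
    if record is None:
        reasons.append("no patient record for %s" % patient_id)
    else:
        if normalize(to_address) != normalize(record["email"]):
            reasons.append("recipient address does not match address on file")
        # 3. Written consent to receive e-mail must be on file.
        if not record.get("email_consent"):
            reasons.append("patient has not consented to e-mail communication")

    # 4. PHI only travels over an encrypted transport.
    if contains_phi and not transport_tls:
        reasons.append("PHI cannot be sent over an unencrypted transport")

    allowed = not reasons
    # 5. Audit trail: patient, recipient, time and outcome. The message body
    #    is deliberately not logged; the log should not become a second copy
    #    of the PHI.
    audit = {
        "timestamp": now.isoformat(),
        "patient_id": patient_id,
        "recipient": normalize(to_address),
        "contains_phi": contains_phi,
        "transport_tls": transport_tls,
        "outcome": "sent" if allowed else "blocked",
        "reasons": list(reasons),
    }
    return SendDecision(allowed, reasons, audit)


if __name__ == "__main__":
    # Constructed drafts: one clean send, one with a mistyped domain.
    for addr in ("a.patient@example.org", "a.patient@exmaple.org"):
        d = pre_send_check("patient-1001", addr, transport_tls=True, contains_phi=True)
        print(d.audit["outcome"], d.reasons)
```

Every blocked send still produces an audit entry, so the trail records attempts as well as deliveries; that is what lets a privacy officer later show that the safeguards were applied rather than merely written down.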

 

Informed consent

“A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule,” says the HHS. “An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party.”

This consent form should outline the risks, benefits, and limitations of using email for healthcare discussions to ensure that patients understand the implications.

 

Suitable for non-urgent matters

According to the study Email consultations in health care: 2—acceptability and safe application, “patients should be advised not to use email for urgent communications. Similarly, when a doctor wants to ask a patient about symptoms that may require prompt action (such as chest pain or shortness of breath) a synchronous mode of consulting should be used.” This suggests that email communication is best suited for non-urgent matters, such as prescription refill requests, discussing test results, or providing general health information. For urgent or emergency situations, patients should be encouraged to contact their healthcare providers through more immediate means, such as phone calls or in-person visits.

 

Clear communication boundaries

Establish clear boundaries and expectations for email communication. This may include guidelines regarding healthcare providers' availability, expected response times, and issues that can be discussed via email.

 

Recognize limitations

Email has limitations, including the absence of visual cues and the inability to conduct physical examinations. Some health issues may require in-person evaluations, and email is not a substitute for those situations.

 

Documentation

“The written record of email consultations enables close monitoring and evaluation of appropriateness and safety. Whereas face to face and telephone consultations are rarely recorded verbatim (typically being documented with only a few key words), email provides direct evidence of patient-doctor conversation. Thus, email consultations have the potential to facilitate accurate record keeping,” the study Email consultations in health care: 2—acceptability and safe application states.

This demonstrates how email conversations can serve as written documentation of healthcare discussions, which is useful for both patients and healthcare providers by serving as a reference for future appointments and decisions.

 

Follow-up

After providing important information or recommendations through email, healthcare providers should:

  • Request read confirmations where possible.
  • Encourage patients to follow up with questions.
  • Document any recommendations or concerns discussed in follow-up visits.

Effective follow-up ensures that the communication loop is closed and that the patient receives safe, continuous care.

 

What health issues can be discussed via email?

“Healthcare professionals use email for a multitude of purposes: for both formal and informal communications with colleagues and patients; to perform administrative duties; to conduct routine communication; and to undertake research and improvement projects,” writes Cambridge University.

For patient communication, email is particularly useful for discussing non-urgent health issues and administrative matters with patients. While the specific issues that can be discussed via email may vary based on the healthcare organization's policies and the applicable regulations in your region, here are some examples of health-related topics that are typically suitable for email communication:

  • Prescription refills: Patients can request prescription refills through email, making it a convenient way to manage ongoing medication needs.
  • Appointment scheduling: Patients can inquire about available appointment slots, request appointment changes, or confirm upcoming appointments through email.
  • Test results: Non-urgent test results, such as routine blood work or imaging reports, can be shared with patients via email. Ensure that the email platform is secure to protect sensitive data.
  • General health information: Patients can seek general health information, advice on managing chronic conditions, or tips for healthy living through email.
  • Medication questions: Patients can ask questions about their medications, including potential side effects, dosage instructions, and alternatives.
  • Administrative inquiries: Addressing administrative matters such as billing questions, insurance inquiries, or medical record requests can be handled through email.
  • Follow-up on previous discussions: Patients may have follow-up questions or require clarifications related to prior in-person or telephone consultations.
  • Referrals and specialist appointments: Patients might inquire about the process of obtaining referrals to specialists or ask for assistance with scheduling appointments with other healthcare providers.
  • Non-urgent medical advice: Some non-urgent medical concerns or inquiries about minor symptoms can be addressed through email. However, a detailed evaluation may require an in-person or telehealth visit.
  • Wellness tips: Providers can share general wellness tips, preventive care advice, and recommended screenings with their patients to promote a healthy lifestyle.

Related: Empowering patients through HIPAA compliant email solutions

 

How to send HIPAA compliant email

Secure patient information in transit and at rest

Use secure email solutions that encrypt messages and attachments in transit and at rest. To stay HIPAA compliant, use an email service that:

  • Automatically encrypts emails.
  • Offers direct delivery to the patient’s inbox (no logins or portals).
  • Is designed specifically for the healthcare industry.

Paubox, for example, is a trusted HIPAA compliant email provider that offers seamless, secure email communication without compromising convenience. Its encryption protocols cover both message transmission and storage.

 

Enter into a business associate agreement

“The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information,” writes the HHS.

 

Set up policies and procedures

The HIPAA Security Rule under § 164.316 requires HIPAA-regulated entities to “implement reasonable and appropriate policies and procedures to comply with the standards.” Therefore, covered entities and their business associates must have internal policies for HIPAA compliant email that ensure all employees know their responsibilities regarding handling and transmitting protected health information (PHI) electronically.

 

Train your staff on secure email best practices

The HIPAA Privacy Rule under §164.530(b)(1) states that “a covered entity must train all members of its workforce on policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” Furthermore, the Security Rule (§164.308(a)(5)) requires regulated entities to “implement a security awareness and training program for all members of its workforce including management.”

Go deeper: How to send HIPAA compliant emails

 

FAQs

What security measures are needed for email communication?

Healthcare providers must use encrypted and secure email solutions, such as Paubox Email Suite, to ensure the privacy and security of PHI. This includes both messages and attachments being secure in transit and at rest.

 

Can healthcare providers initiate email conversations with patients?

Yes, healthcare providers can initiate email communication, but only after obtaining informed consent from the patient.

 

What should patients know about the security of their health information when communicating via email?

Patients should be informed that, while healthcare providers use secure systems, no electronic communication method is completely risk-free. It's important to use the provider's secure email platform and avoid sending health information through personal email accounts.

See also: Patient-initiated electronic communication