
Do patients need HIPAA compliant email too?

Patients frequently use personal email accounts to ask doctors' offices and hospitals for information, schedule appointments, or even discuss symptoms. While we know that healthcare providers must use HIPAA compliant systems to protect patient data, what about the patients themselves? If a patient emails their doctor using regular Gmail or Outlook, are they violating HIPAA? 

Ultimately, HIPAA regulations primarily target healthcare providers, not patients. However, the digital exchange of health information involves choices, risks, and distinct responsibilities for the patient and the provider.


HIPAA and email security

The HIPAA Security Rule mandates that covered entities and their business associates implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). For email, HIPAA requires that ePHI be secured when transmitted electronically, particularly over open networks like the internet. Standard email services usually fall short of this requirement because they do not guarantee encryption, leaving the data exposed in transit. As a result, providers are obligated to use secure methods when they initiate sending ePHI to a patient via email. This often involves HIPAA compliant email solutions that offer encryption, secure patient portals, or other secure messaging systems.

Psychologist Stacy Larson says, “Your patients can waive the use of encrypted email, but they need to be informed of, and then accept, the potential risks of doing so, and you need to document their decisions.” According to HHS guidance, if a patient provides their email address to a healthcare provider or initiates communication via email, it can be considered implied consent for the provider to respond through the same channel, provided the patient is warned about the risks. 

Furthermore, any email service provider that stores or has access to PHI on behalf of a healthcare provider is considered a business associate and must enter into a business associate agreement (BAA) with the provider, outlining their responsibilities for safeguarding the protected information. The American Academy of Pediatrics (AAP) states, “Covered Entities are bound by the HIPAA Privacy Rules for their own activities as well as those organizations with which they contract for essential functions such as telehealth platforms, billing, collections, medical record storage, etc. These entities are called ‘Business Associates.’”


Navigating patient-initiated emails

A common scenario in healthcare today involves patients using their personal, often unsecure, email accounts like Gmail, Yahoo, or Outlook to contact their healthcare providers. They might ask a quick question about a medication, describe new symptoms, or request an appointment. When a patient chooses to communicate with their provider using their personal email, they are making a decision about their own data security. In this context, the patient is not directly regulated by HIPAA and is not considered to be violating the law by using their preferred method of communication, even if it's not inherently secure. However, this doesn't absolve the healthcare provider of their responsibilities. 

A StatPearls Publishing article on patient confidentiality notes that, upon receiving an email from a patient that contains PHI, the provider remains obligated under HIPAA to protect that information within their own systems. This includes ensuring secure storage of the email and controlling who has access to it. Best practice, often recommended by HHS, is for providers to warn the patient, if they have not already done so, about the risks of using unsecure email to transmit sensitive health information.

When responding to the patient via the same unsecure channel (which should ideally only occur if the patient understands and accepts the risks), the provider should exercise caution and minimize the amount of PHI included in their reply. Moreover, providers should take the opportunity to inform patients about any secure communication alternatives they offer, such as a secure patient portal or a secure messaging system, encouraging their use for future sensitive communications. 

The above study notes that providers must document any warnings given to patients regarding unsecured email and document the patient's communication preferences in their record. Importantly, the fact that a patient initiates communication via unsecure email does not exempt the provider from having a secure email system internally, complete with a BAA with their email vendor, to manage and protect these patient communications according to HIPAA standards. A compliant provider response to a patient's unsecured email inquiry might involve a brief answer to the immediate question, a warning about the risks of unsecured email, and an invitation to use the provider's secure patient portal for more detailed or sensitive discussions in the future.


Do patients need HIPAA compliant email?

The straightforward answer to the question of whether patients need "HIPAA compliant email" is no. Patients, acting in their own capacity, are not legally required by HIPAA to obtain or use specialized email services that meet HIPAA's stringent requirements. The term "HIPAA compliant email" primarily refers to services and systems designed for covered entities and business associates to help them meet their obligations under the law. Marketing around HIPAA compliant email usually targets healthcare providers, which can lead patients to mistakenly believe that they need a special type of email account.

Instead of a legal mandate, the emphasis for patients should be on making informed choices and understanding the risks involved in communicating sensitive health information online. While HIPAA doesn't require patients to use secure email, sending such information via standard email carries risks, including the potential for interception by unauthorized parties, hacking, or accidental forwarding. A case study from Multnomah County, Oregon, illustrates these risks. In this incident, a Health Department employee set up an automatic email forwarding rule that, over three months, sent emails containing the ePHI of approximately 1,700 patients to the employee's personal Google email accounts. The forwarded emails included sensitive data such as patient names, ages, medical record numbers, diagnoses, dates of service, medication names, and prescription numbers.

This is a matter of personal cybersecurity and privacy. Patients who are concerned about the privacy of their health information might prefer to communicate with their providers through secure channels when available. When providers offer secure options like patient portals or secure messaging systems, patients benefit from the peace of mind that their sensitive data is protected with a higher level of security. Offering these options also demonstrates that the provider values patient privacy and is taking steps to safeguard their information.


A shared path to secure communication

Ensuring the security and privacy of health information in electronic communication is a shared responsibility, even though the legal obligations under HIPAA differ for providers and patients. 


For providers (Meeting HIPAA obligations):

  • Implement and consistently use a vetted HIPAA compliant email solution with features such as secure gateways and encryption, and ensure a BAA is in place with the email vendor.
  • Establish and clearly communicate patient email policies, outlining the risks of unsecured email and the availability of secure alternatives.
  • Proactively inform patients about the risks associated with using standard, unsecured email for sensitive health information and diligently offer secure communication alternatives such as patient portals or secure messaging systems.
  • If a patient chooses to communicate via unsecured email after being warned of the risks, obtain their explicit consent and meticulously document this in their record.
  • Provide thorough and ongoing training to all staff members on proper email procedures, the risks associated with email communication, and the organization's policies on handling PHI electronically.
  • Ensure the secure internal handling and archiving of all patient communications received via any channel, adhering to HIPAA regulations for data storage and access.


For patients (Protecting personal information):

  • Be aware: Recognize that standard email services are not inherently secure for transmitting sensitive information like detailed health data.
  • Use your provider's secure options: Ask your healthcare provider about the availability of secure communication methods and use them whenever possible, especially for discussions involving specific health concerns or personal medical details.
  • Limit sensitive detail (if using standard email): If you choose to use standard email for convenience, consider the sensitivity of the information you are sharing. For instance, you might use standard email for scheduling appointments but opt for the secure option for clinical questions or medication inquiries.
  • Secure your own account: Practice good digital hygiene by using strong, unique passwords for your personal email accounts and enabling two-factor authentication (2FA) for an added layer of security.
  • Verify recipient address: Always double-check that you have the correct email address for your healthcare provider before sending any message to prevent accidental disclosure of your information.


FAQs

Who is a covered entity under HIPAA? 

Covered entities are the individuals, organizations, and agencies that must comply with HIPAA regulations. This mainly includes healthcare providers (like doctors, hospitals, and clinics), health plans, and healthcare clearinghouses.


What is a business associate? 

A business associate is a person or entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. This could include billing services, IT companies managing electronic health records, and even some email service providers.


What is two-factor authentication or "2FA"? 

Two-factor authentication is an extra layer of security for online accounts. It requires you to use two different types of identification to log in, usually something you know (like your password) and something you have (like a code sent to your phone). This makes it harder for unauthorized people to access your accounts, even if they know your password.