Patients frequently use personal email accounts to ask doctors' offices and hospitals for information, schedule appointments, or even discuss symptoms. While we know that healthcare providers must use HIPAA compliant systems to protect patient data, what about the patients themselves? If a patient emails their doctor using regular Gmail or Outlook, are they violating HIPAA?
Ultimately, HIPAA regulations primarily target healthcare providers, not patients. However, the digital exchange of health information involves choices, risks, and distinct responsibilities for the patient and the provider.
The HIPAA Security Rule mandates that covered entities and their business associates implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). When it comes to email transmission, HIPAA requires ePHI be secured when transmitted electronically, particularly over open networks like the internet. Standard email services usually fall short of this requirement as they do not guarantee encryption, leaving the data vulnerable during transit. As a result, providers are obligated to use secure methods when they initiate sending ePHI to a patient via email. This often involves HIPAA compliant email solutions that offer encryption, secure patient portals, or other secure messaging systems.
Psychologist Stacy Larson says, “Your patients can waive the use of encrypted email, but they need to be informed of, and then accept, the potential risks of doing so, and you need to document their decisions.” According to HHS guidance, if a patient provides their email address to a healthcare provider or initiates communication via email, it can be considered implied consent for the provider to respond through the same channel, provided the patient is warned about the risks.
Furthermore, any email service provider that stores or has access to PHI on behalf of a healthcare provider is considered a business associate and must enter into a business associate agreement (BAA) with the provider, outlining its responsibilities for safeguarding the protected information. The American Academy of Pediatrics (AAP) states, “Covered Entities are bound by the HIPAA Privacy Rules for their own activities as well as those organizations with which they contract for essential functions such as telehealth platforms, billing, collections, medical record storage, etc. These entities are called ‘Business Associates.’”
A common scenario in healthcare today involves patients using their personal, often unsecure, email accounts like Gmail, Yahoo, or Outlook to contact their healthcare providers. They might ask a quick question about a medication, describe new symptoms, or request an appointment. When a patient chooses to communicate with their provider using their personal email, they are making a decision about their own data security. In this context, the patient is not directly regulated by HIPAA and is not considered to be violating the law by using their preferred method of communication, even if it's not inherently secure. However, this doesn't absolve the healthcare provider of their responsibilities.
A StatPearls Publishing review of patient confidentiality notes that, once a provider receives an email from a patient that contains PHI, the provider remains obligated under HIPAA to protect that information within their own systems. This includes ensuring secure storage of the email and controlling who has access to it. Best practice, as often recommended by HHS, dictates that providers should, if they have not already done so, warn the patient about the risks associated with using unsecured email for transmitting sensitive health information.
When responding to the patient via the same unsecured channel (which should ideally only occur if the patient understands and accepts the risks), the provider should exercise caution and minimize the amount of PHI included in the reply. Providers should also take the opportunity to inform patients about any secure communication alternatives they offer, such as a secure patient portal or a secure messaging system, and encourage their use for future sensitive communications.
The above study notes that providers must document any warnings given to patients regarding unsecured email and document the patient's communication preferences in their record. Importantly, the fact that a patient initiates communication via unsecure email does not exempt the provider from having a secure email system internally, complete with a BAA with their email vendor, to manage and protect these patient communications according to HIPAA standards. A compliant provider response to a patient's unsecured email inquiry might involve a brief answer to the immediate question, a warning about the risks of unsecured email, and an invitation to use the provider's secure patient portal for more detailed or sensitive discussions in the future.
The straightforward answer to the question of whether patients need "HIPAA compliant email" is no. Patients, acting in their own capacity, are not legally required by HIPAA to obtain or use specialized email services that meet HIPAA's stringent requirements. The term "HIPAA compliant email" primarily refers to services and systems designed for covered entities and business associates to help them meet their obligations under the law. Marketing efforts around HIPAA compliant email are usually aimed at healthcare providers, which can lead to confusion among patients who might mistakenly believe that they need a special type of email account.
Instead of a legal mandate, the emphasis for patients should be on making informed choices and understanding the risks involved in communicating sensitive health information online. While HIPAA doesn't require patients to use secure email, sending such information via standard email carries risks, including the potential for interception by unauthorized parties, account compromise, or accidental forwarding. A case study from Multnomah County, Oregon, illustrates these risks. In this incident, a Health Department employee set up an automatic email forwarding rule that sent emails containing the ePHI of approximately 1,700 patients to the employee's personal Google email account over three months. The forwarded emails included sensitive data such as patient names, ages, medical record numbers, diagnoses, dates of service, medication names, and prescription numbers.
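The Multnomah County incident above is a failure mode that a provider's IT team can look for directly: a mailbox rule that forwards or redirects mail to an address outside the organization's own domains. The following is an added illustrative script, not code from the article or from any mail vendor's tooling. It assumes that mailbox rules have already been exported into a simple list of dictionaries (the field names, the internal domain list, and the sample rules are all constructed for this example) and flags every enabled rule whose forward or redirect target is external, noting whether the rule applies to all mail or only to filtered messages.

```python
"""Flag mailbox rules that auto-forward mail outside the organisation.

Added illustrative example, not from the article or any vendor's tooling.
It assumes rules have already been exported into the dict shape below;
the export format, domains and sample rules are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Assumed: the organisation's own mail domains (constructed values).
INTERNAL_DOMAINS = {"health.example.gov", "mail.health.example.gov"}

# Constructed sample of an exported mailbox-rule list. A real export from a
# mail admin console would be normalised into this shape first.
SAMPLE_RULES = [
    {"mailbox": "clinic-intake@health.example.gov", "rule_id": "r1",
     "name": "Archive billing", "enabled": True,
     "forward_to": [], "redirect_to": [],
     "conditions": {"subject_contains": "invoice"}},
    {"mailbox": "nurse.a@health.example.gov", "rule_id": "r2",
     "name": "Copy to phone", "enabled": True,
     "forward_to": ["nurse.a.personal@gmail.com"], "redirect_to": [],
     "conditions": {}},
    {"mailbox": "dr.b@health.example.gov", "rule_id": "r3",
     "name": "Covering colleague", "enabled": True,
     "forward_to": ["dr.c@health.example.gov"], "redirect_to": [],
     "conditions": {}},
    {"mailbox": "records@health.example.gov", "rule_id": "r4",
     "name": "Old rule", "enabled": False,
     "forward_to": [], "redirect_to": ["someone@outlook.com"],
     "conditions": {}},
]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule_id: str
    destination: str
    catch_all: bool  # True when the rule has no conditions, i.e. forwards everything


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """An address is external when its domain is not one of ours."""
    dom = domain_of(address)
    return dom != "" and dom not in {d.lower() for d in internal_domains}


def find_external_forwarding(rules, internal_domains=INTERNAL_DOMAINS,
                             include_disabled=False):
    """Return a Finding for every external forward/redirect target.

    Disabled rules are skipped by default; pass include_disabled=True when
    auditing for rules that could be switched back on.
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True) and not include_disabled:
            continue
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        for dest in targets:
            if is_external(dest, internal_domains):
                findings.append(Finding(
                    mailbox=rule["mailbox"], rule_id=rule["rule_id"],
                    destination=dest, catch_all=not rule.get("conditions")))
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        scope = "ALL mail" if f.catch_all else "filtered mail"
        print(f"{f.mailbox}: rule {f.rule_id} forwards {scope} "
              f"to external address {f.destination}")
```

Run against the constructed sample, the script reports only the nurse's catch-all forward to a Gmail address; the internal forward to a colleague is ignored, and the disabled redirect to an Outlook address shows up only when disabled rules are included. In practice this check belongs on a schedule, with findings routed to whoever owns the BAA-covered mail system, since a catch-all rule to a personal mailbox is exactly the pattern behind the incident described above.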
This is a matter of personal cybersecurity and privacy. Patients who are concerned about the privacy of their health information may prefer to communicate with their providers through secure channels when available. When providers offer secure options like patient portals or secure messaging systems, patients benefit from the peace of mind that their sensitive data is protected with a higher level of security, and the provider demonstrates that it values their privacy and is taking steps to safeguard their information.
Ensuring the security and privacy of health information in electronic communication is a shared responsibility, even though the legal obligations under HIPAA differ for providers and patients.
Covered entities are the individuals, organizations, and agencies that must comply with HIPAA regulations. This mainly includes healthcare providers (like doctors, hospitals, and clinics), health plans, and healthcare clearinghouses.
A business associate is a person or entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. This could include billing services, IT companies managing electronic health records, and even some email service providers.
Two-factor authentication is an extra layer of security for online accounts. It requires you to use two different types of identification to log in, usually something you know (like your password) and something you have (like a code sent to your phone). This makes it harder for unauthorized people to access your accounts, even if they know your password.