How to send intake forms, treatment plans, and follow-ups securely by email
Gugu Ntsele December 02, 2025
According to a Reuters article by Erin Whaley, Brent Hoard, and Emma Trivax published in April 2025, the healthcare industry experienced a 264% increase in ransomware attacks in 2024. According to Akilnath Bodipudi in the Journal of Scientific and Engineering Research, "Healthcare organizations handle vast amounts of sensitive patient data, including personal information, medical records, and financial details. Email security is crucial to ensure this data is protected from unauthorized access and breaches."
According to the study Data privacy in healthcare: Global challenges and solutions, medical data breaches can lead to identity theft, fraud, and medical malpractice. The consequences of a breach can include hefty fines, loss of professional license, damaged reputation, and most importantly, harm to your patients' trust and wellbeing.
Research in the systematic literature review notes that the security of patient data encourages individuals to share their personal health information for current or future care. Furthermore, if healthcare professionals cannot trust an organization to protect records, they may be reluctant to record all information collected from patients. A single unencrypted email containing patient information could expose a practice to liability.
The compliance landscape for 2025
As reported by Reuters, HHS introduced its Risk Analysis Initiative at the end of 2024. Furthermore, HHS proposed revisions to HIPAA's Security Rule in January 2025. These changes aim to modernize security standards by addressing technical aspects including encryption, multifactor authentication, patching, and penetration testing, while also enhancing training and awareness regarding social engineering threats.
The Reuters article states that organizations must be proactive in keeping their security policies and procedures up to date, including implementing training to educate staff on new and emerging security threats. This makes secure email practices not just a best practice, but an essential component of HIPAA compliance.
What HIPAA actually requires
Healthcare attorneys James B. Riley, Kimberly J. Kannensohn, and Paige Dowdakin from McGuireWoods provide insights into the legal requirements for electronic patient communications. While many providers assume HIPAA prohibits emailing PHI entirely, the attorneys clarify that HIPAA does not actually ban email transmission of patient information. However, they emphasize that sending PHI through unsecured, unencrypted email creates risk of unauthorized access or disclosure, which would constitute a breach under HIPAA regulations.
Patient consent
Riley and his colleagues note that physicians and healthcare providers should never communicate with patients via email without obtaining the patient's express written consent first. This consent serves multiple purposes: it respects the patient's privacy preferences, ensures they understand the communication method being used, and provides legal protection for the provider.
The McGuireWoods attorneys explain that when obtaining this consent, providers must inform patients about the risks of electronic communication, specifically that email information could potentially be read by unauthorized third parties. If a patient has indicated they prefer to receive health information only by telephone or in person, providers must honor that preference under all circumstances. Additionally, having documented written consent protects providers in the event of patient complaints, Office for Civil Rights investigations, or other government actions.
Understanding the encryption safe harbor
One of the legal protections available to healthcare providers involves what Riley, Kannensohn, and Dowdakin describe as the encryption "safe harbor" established under the HITECH Act. In August 2009, the Department of Health and Human Services published breach notification rules that created a distinction between secured and unsecured PHI.
The attorneys explain that PHI that has been properly encrypted using methodologies specified under the HITECH Act is considered "secured PHI", meaning it has been rendered unreadable, unusable, or indecipherable to unauthorized individuals. The advantage is that if a covered entity discovers an unauthorized use or disclosure of properly secured PHI, they are not required to comply with HIPAA's breach notification requirements. This is because encrypted information meeting these standards is not considered unsecured PHI subject to breach reporting obligations.
This creates an incentive for providers to encrypt all email communications containing patient information. Encryption essentially provides legal protection against the costly and reputation-damaging breach notification process, assuming the encryption meets the specified technical standards.
Patient-requested unencrypted communications
Riley and his colleagues also point to a clarification in the 2013 HIPAA Omnibus Rule regarding patient preferences. If patients are fully informed about the risks of unencrypted email and still explicitly request to receive communications through this method, healthcare providers are not held responsible for unauthorized access to PHI that occurs during transmission based on the patient's request.
As the attorneys note, the Omnibus Rule recognizes that patients have the right to receive unencrypted email if they prefer it after being notified of the risks. However, they advise that even in these situations, providers should still implement the safeguards listed above to minimize risk and avoid being placed in a defensive position should any issues arise.
What makes email communication secure?
As Bodipudi explains in his research, "Email encryption is the process of encoding email content to prevent unauthorized access. It ensures that only intended recipients can read the email, maintaining confidentiality and integrity of the information."
First, as highlighted in the Data privacy in healthcare article, strong encryption techniques are crucial in preventing unauthorized access and in resisting various attacks. This ensures that even if unauthorized individuals gain access to the data, it remains indecipherable without the appropriate decryption keys.
Second, you need access controls that verify the identity of both sender and recipient. The review notes that secure access control is instrumental in preventing data breaches by regulating access to sensitive patient data, effectively reducing the risk of data theft, cyberattacks, and other security threats. Third, you should have audit trails that track who accessed what information and when. Finally, for HIPAA compliance, you need a Business Associate Agreement (BAA) with your email service provider, which makes them legally responsible for protecting the data they handle on your behalf.
Bodipudi states that, "HIPAA mandates strict standards for the protection of patient information, including secure communication channels. Non-compliance with these regulations can lead to severe legal penalties and fines."
More broadly, the systematic review notes that ensuring the confidentiality, integrity, and availability of medical data is necessary to achieve high-quality healthcare services.
FAQs
Can I use my personal Gmail or Yahoo account to communicate with patients?
Personal email accounts typically don't meet HIPAA requirements because they lack encryption, business associate agreements, and the necessary security controls for protecting patient information.
What should I do if I accidentally send PHI to the wrong recipient?
You must assess whether a breach occurred, attempt to retrieve the information if possible, document the incident, and follow your organization's breach notification procedures which may include reporting to HHS and affected patients.
Are text messages and SMS subject to the same HIPAA rules as email?
Yes, text messages containing PHI are subject to HIPAA regulations and generally require the same security measures including encryption, patient consent, and BAAs with service providers.