Legal implications of patient email opt-outs

The Health Insurance Portability and Accountability Act (HIPAA) establishes guidelines for protecting patient health information. Under the traditional HIPAA Security Rule, covered entities were required to implement technical safeguards to protect electronic PHI from unauthorized access. Encryption was previously recognized as an "addressable" specification under HIPAA, meaning organizations could implement it or document why an equivalent alternative was reasonable and appropriate.

However, the December 2024 Notice of Proposed Rulemaking (NPRM) issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) changed this. The updates eliminated the distinction between "addressable" and "required" standards, making encryption mandatory for all electronic PHI (ePHI) both at rest and in transit. This shift changes encryption from an optional safeguard that could be documented into a mandatory requirement for all covered entities and business associates.

Despite this, HIPAA regulations continue to include provisions for patient choice. When patients specifically request that their healthcare provider communicate via unencrypted email, despite being warned of the risks, providers may honor this request without violating HIPAA. However, this exception now operates within a stricter regulatory framework.

Interestingly, physician attitudes toward HIPAA's privacy protections reveal a gap between regulatory intent and practitioner perception. A study published in Health Affairs found that only 22.8% of physicians agreed that "The HIPAA privacy regulation will greatly help physicians in their efforts to maintain the confidentiality of patients' medical records," while 45.4% disagreed. This skepticism suggests that while legal frameworks exist for patient opt-outs, physicians may have mixed views about whether such protections enhance privacy or simply add administrative burdens.


Legal framework for patient rights to choose unencrypted email

The Office for Civil Rights (OCR), which enforces HIPAA compliance, has clarified that covered entities may send individuals unencrypted emails if the individual has been advised of the risks and still prefers the unencrypted format. According to the official HIPAA guidance, "Individuals have a right to receive a copy of their PHI by unencrypted e-mail if the individual requests access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual's PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted e-mail. If the individual says yes, the covered entity must comply with the request."

The OCR's position was further clarified in its Omnibus Rule commentary, which confirmed that "covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email." As healthcare law firm Holland & Hart explains in their analysis of HIPAA email requirements, the OCR "merely expect[s] the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way."

However, with the 2025 updates making encryption the default requirement across all systems, patient opt-outs will likely require more documentation and justification.

This framework establishes legal prerequisites that healthcare professionals must understand and implement:

  • The patient must be adequately informed about security risks in the context of mandatory encryption standards
  • The patient must affirmatively consent to unencrypted communications despite having secure options available
  • The healthcare provider must document both the warning and the patient's decision as part of their mandatory written policies and procedures

As HIPAA guidance affirms, "The HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans." Just as patients have the right to make informed decisions about their medical treatment, they retain some control over how their health information is communicated. However, this does not remove the healthcare providers’ responsibility to communicate the risks involved.

 

Legal requirements for informing patients about risks

Healthcare organizations must provide clear warnings about the risks of unencrypted email communication that explicitly acknowledge the availability of secure, encrypted alternatives as the new standard of care.

From a legal compliance perspective, these warnings must address:

  • The possibility of interception during transmission
  • Unauthorized access by third parties
  • The potential for misdirected emails reaching unintended recipients
  • The lack of control over information once it reaches the recipient's email system
  • The deviation from mandatory encryption standards that protect other patients

The same Health Affairs study found that two-thirds (68.1%) of physicians reported that written patient authorization for nonroutine uses of confidential patient information would "greatly" or "somewhat" improve privacy protection. This suggests that, when properly implemented, informed consent for opt-outs may align with what physicians view as effective privacy safeguards.

According to OCR guidance, covered entities should implement reasonable safeguards when using email, such as "checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message."

Notably, the same research found that only one out of four physicians agreed that "the violation of the privacy of medical records is a very serious problem today," suggesting that some practitioners may underestimate the privacy risks that patients face. This perception gap, combined with the stricter requirements of the updated rule, shows the importance of clear risk disclosure processes that don't rely on physician judgment about privacy threats.

 

Legal considerations for patient-initiated email communications

A legal distinction exists between provider-initiated and patient-initiated email communications. As Holland & Hart explains in their HIPAA guidance, when patients initiate communications using email, "The health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual." However, they caution that "if the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications."

Research indicates that most physicians (71%) classified themselves as "somewhat" or "very familiar" with the HIPAA Privacy Rule, suggesting that practitioners generally have the awareness needed to recognize when patient-initiated communications may require risk warnings and encrypted alternatives.

 

Legal implications for healthcare organizations

Healthcare professionals should be aware that:

Patient autonomy is preserved but constrained: Patients retain the legal right to request unencrypted communications, but healthcare organizations must now provide this option within a framework of mandatory encryption standards, requiring explicit acknowledgment of deviation from best practices.

Informed consent standards are elevated: The legal threshold for valid consent is higher under the new rules, requiring clear disclosure of encrypted alternatives and risk warnings.

Documentation requirements: Organizations must maintain detailed records demonstrating that opt-outs are patient choices made with full awareness of secure alternatives, not system limitations or organizational convenience.

The same study suggests that robust compliance with Privacy Rule requirements correlates with better overall organizational performance in both privacy protection and quality of care. This indicates that treating opt-out procedures as components of a broader privacy program may benefit both legal compliance and patient care outcomes.

 

FAQs

How do the 2025 HIPAA updates affect encryption requirements for healthcare providers?

The 2025 updates make encryption mandatory for all electronic PHI (ePHI), removing the previous “addressable” flexibility under the Security Rule.

 

Can patients still request to receive unencrypted emails under HIPAA?

Yes, patients can still request unencrypted emails after being fully informed of the risks, and providers may honor this request if properly documented.

 

What must healthcare providers document when a patient opts out of encryption?

Providers must record the warning given to the patient, the patient’s acknowledgment of risk, and their explicit consent to receive unencrypted communication.

 

Does honoring a patient’s opt-out mean the provider is free from liability?

Not necessarily; providers remain responsible for demonstrating that informed consent was obtained and that all reasonable safeguards were in place.

 

What happens if an unencrypted email is intercepted despite patient consent?

While HIPAA may not consider it a violation if consent was properly obtained, regulators could still review whether the provider met all documentation and warning requirements.