Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Managing patient email opt-outs under new HIPAA Rules

Written by Gugu Ntsele | November 15, 2025

If a data breach occurs involving unencrypted patient emails, the organization will face questions over whether their opt-out process was legally sufficient given the new mandatory standards. Regulators will question whether the consent process adequately informed patients about the availability and benefits of encrypted alternatives, whether the organization implemented all other mandatory safeguards, and whether the organization's written policies limited what information could be sent via unencrypted email.

According to HHS guidance, "Covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual's access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit."

This protection is further reinforced by the OCR's Omnibus Rule commentary, which states that "covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request." However, under the 2025 updates, this protection requires more documentation demonstrating that encrypted options were offered, that the patient was fully informed about the deviation from mandatory standards, and that all other security requirements were met.

A study published in Health Affairs revealed a correlation between Privacy Rule compliance and organizational performance: organizations implementing more Privacy Rule procedural practices were rated 6.8 times more likely to be doing a "good" or "very good" job of protecting medical privacy. Perhaps more importantly for liability concerns, these same organizations were 5.3 times more likely not to interfere with physicians' ability to care for patients.

Additionally, healthcare providers must consider state-level privacy laws, which may impose requirements beyond HIPAA. Some states have enacted consumer privacy legislation that restricts how organizations handle personal information, potentially limiting the scope of valid opt-outs. Healthcare organizations operating across multiple states face the challenging task of complying with varying legal standards.

Learn more: Can patients opt out of HIPAA compliant communication?


Documentation requirements

Healthcare organizations must now maintain comprehensive records of:

  • When patients were informed about encryption risks and the availability of encrypted alternatives
  • The specific language used in risk disclosures that acknowledges mandatory encryption as the standard
  • The patient's explicit consent to unencrypted communications despite secure options being offered
  • Any limitations or conditions placed on such communications
  • Documentation that the opt-out was incorporated into formal risk analyses and asset inventories
  • Evidence that encrypted alternatives were made readily available to the patient

This documentation serves multiple legal purposes under the new framework. It provides evidence of HIPAA compliance during the mandatory annual compliance reviews and audits, creates a defensible record if patients later claim they weren't adequately warned or weren't offered encrypted alternatives, demonstrates that opt-outs were genuine patient choices rather than system limitations, and helps organizations track and manage their risk exposure systematically as required by the enhanced administrative standards.

The study found that better training on privacy policies correlated with positive organizational performance ratings. This suggests that documentation requirements should be supported by training programs that help physicians understand not only what to document, but why such documentation protects both patients and providers.


What information should never go unencrypted

Healthcare organizations should establish clear written policies defining what communications, if any, are appropriate for unencrypted email under patient opt-outs. Even with consent processes in place, the mandatory nature of encryption under the proposed updates suggests that opt-outs should be limited to minimal information exchanges where the risks are lowest. Some organizations may need to eliminate unencrypted options for certain categories of information, offering patients only a choice between different encrypted delivery methods.

Holland & Hart, a healthcare law firm, recommends that while "the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail."

Under the proposed mandatory encryption requirements, these "other safeguards" must now include all the additional mandatory protections:

  • Multi-factor authentication for system access
  • Detailed asset inventories including all communication tools
  • Network mapping showing how ePHI flows through systems
  • Annual compliance reviews and penetration testing
  • Documented incident response procedures

Interestingly, the study found that the provision of a written Notice of Privacy Practices (NPP) to patients was viewed as the least useful Privacy Rule requirement, with only 35.8% of physicians believing it would improve privacy. This suggests that while formal notices are legally required, organizations should not rely solely on such documents to communicate opt-out procedures.


Compliance as a competitive advantage

The study suggests that Privacy Rule implementation has not hindered the provision of health care and that compliance is associated with better medical record privacy protection. Healthcare organizations should therefore view opt-out policies as opportunities to enhance both patient autonomy and organizational privacy protections within the security standards.

The same study revealed that organizations positioned to readily comply with Privacy Rule requirements appear better capable of meeting many other standards for quality of care, possibly due to "an organizational culture that takes both patients' privacy and quality of care very seriously." This correlation suggests that investing in opt-out procedures aligned with the new mandatory encryption and security requirements may serve as a marker of overall organizational excellence in patient care and legal compliance.


FAQs

How do the new HIPAA rules affect patient email opt-outs?

They require encryption by default, meaning opt-outs for unencrypted emails must now be documented and justified.


Can healthcare providers still send unencrypted emails if a patient requests it?

Yes, but only if the patient is fully informed of the risks and explicitly consents to unencrypted communication.


What happens if an unencrypted email is intercepted during transmission?

The provider is generally not liable if the patient knowingly accepted the risks and the provider met all documentation and compliance requirements.


How can organizations prove they met the new documentation standards?

By maintaining detailed records of consent forms, risk disclosures, and proof that encrypted alternatives were offered.


Are there limits on what information can be sent unencrypted?

Yes, organizations should restrict unencrypted emails to minimal or low-risk information exchanges.