Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

The HIPAA Privacy Rule and email communication with patients

The HIPAA Privacy Rule and email communication with patients

Does the HIPAA Privacy Rule allow me to email my patients?

Despite the fact that patients want providers to use email to communicate with them, HIPAA regulations make it difficult for healthcare professionals to do so. The HIPAA Privacy Rule prohibits healthcare providers from disclosing protected health information (PHI) to individuals outside of the organization without the patient’s consent. However, email is considered an “unsecured” means of communication. That means that PHI could potentially be accessed by unauthorized individuals if it is sent via email. As a result, special precautions must be taken to ensure that PHI is not disclosed via email unless the patient has consented to such disclosure.


Secure email providers make email HIPAA compliant

One way to comply with HIPAA when using email to communicate with patients is by using a secure email provider. Secure email providers encrypt emails so that only the intended recipient can access the PHI contained within the email. This means that even if an unauthorized individual were to gain access to the email, they would not be able to read the PHI contained within it. Secure email providers typically charge a monthly fee, but this fee is often worth it for healthcare providers who need to use email to communicate with their patients.

Read more: Four steps to send HIPAA compliant email


What does HHS have to say about 507-HIPAA Privacy Rule and email?

HHS states:

The Privacy Rule allows covered healthcare providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between healthcare providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.


In conclusion, HIPAA permits healthcare providers to use email to discuss health issues and treatment with their patients. However, special precautions are needed to ensure that PHI is not disclosed without the patient’s consent. Healthcare providers can use secure email providers or encryption to protect PHI when sending emails to patients.


Send and receive PHI with HIPAA compliant emails

With the increasing cybersecurity risks in today’s environment, maintaining HIPAA compliant communications among healthcare providers, specialists, facilities, and patients is vital. Everyone uses email, but most HIPAA compliant email solutions are complicated and difficult for both providers and patients.

Now there’s an easy way to eliminate the hassle and still have HIPAA compliant email. Paubox offers the easiest way for healthcare organizations to send and receive secure messages and attachments that comply with the protected health information (PHI) requirements of HIPAA.

Paubox integrates into email services that physicians, administrators and patients already use every day. Some of those include cloud-based email providers such as Google Workspace and Microsoft Office 365.

With more than 4,000 customers and nearly 70,000,000 emails secured per month, you can entrust your healthcare email to HITRUST CSF certified Paubox products. And our team consistently ranks 5 stars for customer service. We are here to serve healthcare.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.