570-The HIPAA Privacy Rule and email communication with patients


Patients want their healthcare providers to use email to communicate with them. It is the quickest and easiest way for patients to get information. However, HIPAA regulations make it difficult for healthcare providers to use email to discuss health issues and treatment with their patients unless they use a secure email provider. In this blog post, we will explore whether email communication with patients is possible under the HIPAA Privacy Rule.

Should I email my patients?

Patients want their healthcare providers to use email to communicate with them for a variety of reasons. First, email is the quickest and easiest way for patients to get information from their providers. Second, email allows patients to keep a written record of their healthcare discussions. That record can be helpful if they need to refer back to the information at a later date. Finally, email communication between healthcare providers and patients is often more convenient than other forms of communication.

Does the HIPAA Privacy Rule allow me to email my patients?

Although patients want providers to use email to communicate with them, HIPAA regulations make it difficult for healthcare professionals to do so. The HIPAA Privacy Rule prohibits healthcare providers from disclosing protected health information (PHI) to individuals outside of the organization without the patient’s consent. Moreover, email is considered an “unsecured” means of communication, which means that PHI sent via email could potentially be accessed by unauthorized individuals. As a result, special precautions must be taken to ensure that PHI is not disclosed via email unless the patient has consented to such disclosure.

Secure email providers make email HIPAA compliant

One way to comply with HIPAA when using email to communicate with patients is by using a secure email provider. Secure email providers encrypt emails so that only the intended recipient can access the PHI contained within the email. This means that even if an unauthorized individual were to gain access to the email, they would not be able to read the PHI contained within it. Secure email providers typically charge a monthly fee, but this fee is often worth it for healthcare providers who need to use email to communicate with their patients.


What does HHS have to say about the HIPAA Privacy Rule and email (HHS FAQ 570)?

HHS states:

The Privacy Rule allows covered healthcare providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between healthcare providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

Source: https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html

In conclusion, HIPAA permits healthcare providers to use email to discuss health issues and treatment with their patients. However, special precautions are needed to ensure that PHI is not disclosed without the patient’s consent. Healthcare providers can use secure email providers or encryption to protect PHI when sending emails to patients.

Send and receive PHI with HIPAA compliant emails

With the increasing cybersecurity risks in today’s environment, maintaining HIPAA compliant communications among healthcare providers, specialists, facilities, and patients is vital. Everyone uses email, but most HIPAA compliant email solutions are complicated and difficult for both providers and patients.

Now there’s an easy way to eliminate the hassle and still have HIPAA compliant email. Paubox offers the easiest way for healthcare organizations to send and receive secure messages and attachments that comply with the protected health information (PHI) requirements of HIPAA.

Paubox integrates into email services that physicians, administrators and patients already use every day. Some of those include cloud-based email providers such as Google Workspace and Microsoft Office 365.

With more than 4,000 customers and nearly 70,000,000 emails secured per month, you can entrust your healthcare email to HITRUST CSF certified Paubox products. And our team consistently ranks 5 stars for customer service. We are here to serve healthcare.


About the author

Anne-Marie Sullivan
