Health Information Management

HIPAA Q&A: You’ve got questions. We’ve got answers!

HIM-HIPAA Insider, February 23, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at and we will work with our experts to provide you with the information you need.

Q: What type of information can we email to patients? For example, is it permissible to email appointment reminders? I'm wondering what sort of PHI the email can include and what we should omit. Also, I am unsure whether to include the information in the body of the email or in an attachment.
A: CEs can send appointment reminders to patients via unencrypted email as long as the CE sending the reminder is not a specialty practice, such as a mental health practitioner, because that will reveal the condition of the patient if someone intercepts the email. Any PHI may be sent to the patient as long as the email is encrypted—in the body of the email and as an attachment.
The Omnibus Rule specifically permitted healthcare providers to communicate with patients using unsecure email as long as the patient is made aware of the risks before an email containing PHI is sent. Meaningful Use Stage 2 takes security a step further and requires hospitals, critical access hospitals, and eligible healthcare professionals to implement secure email so the provider and the patient can communicate securely.
In the end, if PHI is included in an unencrypted email and the email is intercepted, it is a breach of unsecure PHI and may be reportable to the individual and OCR.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
