Physician Practice

Q&A: You’ve got questions! We’ve got answers!

Physician Practice Insider, April 5, 2016

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: Are emails that contain PHI specifically required to be encrypted under HIPAA?

A: HIPAA does not mandate encryption. Encryption of the transmission of PHI is an addressable implementation specification. That means covered entities (CE) and business associates (BA) are required to encrypt transmissions, implement a similar security control, or have a good, heavily documented reason for not encrypting emails.

That said, the preamble to the HIPAA Omnibus Rule hints at the requirement to encrypt, and the HIPAA/Clinical Laboratory Improvements Amendments rule that was published in February 2014 clearly states that encryption is a reasonable safeguard. In other words, the enforcement agency, in this case OCR, is saying that encryption is required for email transmissions. While the security rule lists encryption as addressable, that is not the way it is being enforced.

There is only one exception to the encryption mandate. If a patient requests his or her healthcare provider communicate via unsecure email, that's permissible as long as the risks associated with unencrypted email are explained to the patient before sending an unencrypted email to the patient. The request should be in writing and should be retained. It is not a sound security practice, but it is allowable.

Editor’s note: Chris Apgar, CISSP, answered this question for Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific questions.

Most Popular