Physician Practice

Q&A: You’ve got questions! We’ve got answers!

Physician Practice Insider, November 29, 2016

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: Is it acceptable to send an unencrypted email containing protected health information (PHI) provided it's sent to only the intended recipient and is not accidentally sent to the wrong person? Some staff don't feel it's necessary to encrypt emails that are sent to only one individual because they feel it's easier to check the single email address and less likely that they might accidentally include the wrong person on the email.

A: It is not acceptable to send unencrypted email containing PHI even if it's only to an individual. HHS noted in the preamble to the HIPAA/CLIA bill that the encryption of email containing PHI is a reasonable safeguard. Therefore, the only exception that HHS considers acceptable when it comes to the encryption of email is when the individual requests that the email not be encrypted and the covered entity has explained to the individual the risks associated with transmitting PHI unencrypted. The email address may be right, but that doesn't stop hackers from intercepting the email using, among other methods, a man-in-the-middle attack, which would represent a breach of unsecured PHI.

Editor’s note: Chris Apgar, CISSP, answered this question for Briefings on HIPAA. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your questions to Associate Editor Nicole Votta at
