Sending Protected Health Information (PHI) by email exposes the PHI to two risks: The email could be sent to the wrong person, usually because of a typing mistake or selecting the wrong name in an auto-fill list. The email could be captured electronically en route. HIPAA requires that we take reasonable steps to protect against these risks but acknowledges that a balance must be struck between the need to secure PHI and the need to ensure that clinicians can efficiently exchange important patient care information.
Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients? Answer: Yes.