3. Emailing Patients
Q: What type of information can we email to patients? For example, is it permissible to email appointment reminders? Also, I am unsure whether to include the information in the body of the email or in an attachment.
A: CEs can send appointment reminders to patients via unencrypted email as long as the CE sending the reminder is not a specialty practice, such as a mental health practitioner, because a reminder from such a practice will reveal the condition of the patient if someone intercepts the email. Any PHI may be sent to the patient as long as the email is encrypted—in the body of the email and as an attachment.
The Omnibus Rule specifically permits healthcare providers to communicate with patients using unsecure email as long as the patient is made aware of and accepts the risks before an email containing PHI is sent. Meaningful Use Stage 2 takes security a step further and requires hospitals, critical access hospitals, and eligible healthcare professionals to implement secure email so the provider and the patient can communicate securely.
In the end, if PHI is included in an unencrypted email and the email is intercepted, the PHI may be compromised and the incident may be reportable to the individual and OCR.
Revised: 5.25.17