New HIPAA rules which go into effect on March 26, 2014, may impact email communications with patients, according to an article published at ADA.org.
The United States Office for Civil rights, which enforces the HIPAA privacy rules, offers responses to frequently asked questions about communication of protected health information.
In addressing the question:
Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
The US Department of Health and Human Services states that the Privacy rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Additionally, HHS addresses the following questions of: