Doxy.me HIPAA Compliance
Doxy.me Inc. was independently audited using the industry standard SOC 2® Type 2 method that included HIPAA components resulting in a CPA’s report stating that the management of Doxy.me maintained effective controls over the Security, Availability, and Confidentiality AICPA Trust Services Criteria and HIPAA Security Rule of its Doxy.me System. The engagement was performed by BARR Advisory, P.A. (See the official letter below.)
The Privacy Rule
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 CFR § 164.530(c). For example, you need to take certain precautions when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending or sending an e-mail alert to the patient for address confirmation before sending the message.
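The second safeguard mentioned above, sending the patient a PHI-free alert and holding the real message until the address is confirmed, can be enforced in code rather than left to the sender's memory. The following is an added example written for this page; it is not Doxy.me's software and the class, method names and sample addresses are constructed for illustration. It assumes a mail transport exists behind the `sent` and `alerts` lists, and that the confirmation token reaches the patient only through the alert e-mail.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Hypothetical gate, constructed for this page: a message containing e-PHI is
# held until the patient confirms the destination address via a separate alert
# that itself carries no PHI. Only the hash of the outstanding token is stored.

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class PendingMessage:
    to_address: str
    body: str


class ConfirmedAddressGate:
    def __init__(self):
        self._token_hashes = {}  # normalized address -> sha256 of outstanding token
        self._confirmed = set()  # addresses the patient has confirmed
        self.held = []           # PHI messages waiting for confirmation
        self.sent = []           # (address, body) released to the mail transport
        self.alerts = []         # (address, text) PHI-free confirmation requests

    @staticmethod
    def _normalize(address):
        """Trim and lower-case so 'Pat@X' and 'pat@x' are the same mailbox."""
        addr = address.strip().lower()
        if not EMAIL_RE.match(addr):
            raise ValueError("malformed e-mail address: %r" % address)
        return addr

    def _request_confirmation(self, addr):
        """Send a PHI-free alert and return the one-time token it carries."""
        token = secrets.token_urlsafe(24)
        self._token_hashes[addr] = hashlib.sha256(token.encode()).hexdigest()
        self.alerts.append(
            (addr, "Please confirm this address to receive messages from your provider.")
        )
        return token

    def send_phi(self, address, body):
        """Release immediately if the address is confirmed, otherwise hold it.

        Returns (status, token). The token is returned here only so the demo
        can complete the flow; in practice it is delivered in the alert link.
        """
        addr = self._normalize(address)
        if addr in self._confirmed:
            self.sent.append((addr, body))
            return "sent", None
        self.held.append(PendingMessage(addr, body))
        if addr in self._token_hashes:      # alert already outstanding, do not resend
            return "held", None
        return "held", self._request_confirmation(addr)

    def confirm(self, address, token):
        """Patient presents the token from the alert; release held messages on match."""
        addr = self._normalize(address)
        expected = self._token_hashes.get(addr)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(expected, presented):
            return False
        del self._token_hashes[addr]
        self._confirmed.add(addr)
        self._release(addr)
        return True

    def _release(self, addr):
        still_held = []
        for msg in self.held:
            if msg.to_address == addr:
                self.sent.append((addr, msg.body))
            else:
                still_held.append(msg)
        self.held = still_held
```

The alert text deliberately says nothing about the content that is waiting, so a mistyped address leaks at most the fact that a provider wants to reach someone. Comparing token hashes with `hmac.compare_digest` and discarding the token after one use keeps the confirmation step from being guessable or replayable.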
The Security Rule
The Security Rule does not expressly prohibit the use of e-mail for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.
The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. These specifications mean that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an open electronic network as long as it is adequately protected.
HHS Ends PHE
On May 11, 2023, the United States public health emergency (PHE) will come to an end. For telehealth providers, one major change will be the end of HIPAA enforcement discretion. That means providers must use HIPAA-compliant telehealth software and follow best practices when conducting telehealth communications.
An individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 CFR § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
If you have any other questions, please contact our support team.