Beware HIPAA pitfalls in emailing patients
WAIKOLOA, HAWAII – Emailing patients must be done with care in order to avoid potentially treacherous medicolegal problems under the Health Insurance Portability and Accountability Act, Dr. Whitney A. High said at the Hawaii Dermatology Seminar provided by the Global Academy for Medical Education/Skin Disease Education Foundation.

And as for exchanging conventional texts with patients, colleagues, or staff, forget about it. Texting is a flat-out terrible idea if the message includes anything defined under HIPAA as protected health information – and HIPAA’s definition is surprisingly inclusive, according to Dr. High, director of dermatopathology at the University of Colorado and a nonpracticing attorney who follows medicolegal issues closely. HIPAA is no longer the toothless paper tiger it was in the early years after the legislation’s passage. The HITECH Act of 2009 and the HIPAA Final Omnibus Rule of 2013 beefed up the financial penalties for HIPAA violations and allowed state attorneys general, not just federal officials, to enforce the law. The revisions also reversed the burden of proof for breaches of HIPAA: when protected health information gets mishandled, it’s automatically assumed that harm resulted, and it’s up to the physician or health plan to prove otherwise.

Dr. Whitney A. High Bruce Jancin/Frontline Medical News

For example, when an employee at a New England dermatology practice lost a flash drive containing before-and-after images from several thousand Mohs micrographic surgery procedures, the practice was fined $250,000 under HIPAA, even though there was no indication that the missing information had ever been published or misused in any way, Dr. High noted.

Under HIPAA, health information is protected if it’s identifiable. And the patient’s name needn’t be mentioned for that to be the case. A birth date, Social Security number, email address, medical record number, account number, website address, vehicle identifier, full-face photo, image of an unusual tattoo or birthmark – that’s all potentially identifiable and therefore protected information.

Dr. High recalled that while in law school, he had a professor who used to say that if you want your pants to stay up, the surest way is to use both a belt and suspenders.

“I’m a belt and suspenders guy. I practice dermatology that way,” he said by way of explaining his own cautious, multisafeguard approach to medicolegal self-protection in the Internet age.

“Unencrypted email is a morass,” he cautioned. It’s vulnerable to compromise at multiple points: during a message’s transmission, on receipt, and while stored on a server. For that reason, a physician who emails patients should use email that’s encrypted “at rest,” meaning the server is encrypted and a Business Associate Agreement exists with the email provider. Even so, if the patient’s own email is not encrypted there is still the possibility of unauthorized access by a third party, so it’s advisable to obtain a written acceptance of this risk from the patient before responding to any medical questions the patient might pose electronically.

Dr. High and other providers in the University of Colorado system utilize a “patient portal” built into the group’s website. They can send encrypted emails to patients there. An alert about the message is sent to the patient’s unencrypted email, so the patient can go to the portal and read the secure email after creating an account and logging on.

Other secure options for email include RelayHealth, Pretty Good Privacy, Neocertified, and Zixmail, although Dr. High noted he has no personal experience with any of those companies.

Sending out appointment reminder emails to patients without their permission in an effort to cut down on no-shows is a HIPAA violation. The correct, HIPAA-approved way to do this is to proactively get the patients’ written permission to receive such reminders, along with the email address where they’d like them to be sent and their acknowledgment that the reminder message could be intercepted if their email isn’t encrypted. That’s the belt-and-suspenders approach, Dr. High noted.

Most text messaging systems do not provide encryption. Thus, it’s not possible to safely send protected health information by text message. The only way to do so is to purchase the use of a pseudo–text messaging service such as Tiger Text, QliqSOFT, or Spok, the dermatologist continued.

It’s important to understand that patients aren’t covered by HIPAA. They can email their physician with photos of a skin lesion, information about a change in their symptoms, or anything else without consequences under HIPAA. But if the photos or other data provided electronically by the patient are used in medical decision making, then that email must get incorporated into the electronic health record. Like the rest of the EHR, that email needs to be kept for 10 years and must be available on demand. In the event of a malpractice allegation, a physician will be on shaky ground if he says he based his medical decision on information provided in a patient’s email which no longer exists, Dr. High said.