Email is a convenient, quick and effective communication tool. Just about everyone has an email address (or several email addresses) and we are all familiar with how it allows people to rapidly share written communication.
The vast majority of email sent over the internet is not encrypted. In general this is not a major issue for most communication, but it does present a risk for protected health information (PHI).
The best analogy for the relative privacy of an email is that of a postcard sent via snail mail (US Post). The message on a postcard (and on an email) is designed to reach and be read only by the recipient but since the message is not in a secured envelope, anyone who handles the postcard can view the contents. Most who handle the postcard do not really care about the content and will simply do their respective role in getting the postcard delivered, but the message is readable by anyone who handles the postcard.
The same is true of unencrypted email. The email message may pass through one or more mail exchangers on the way to its destination. During this transit, it is viewable to the mail exchanger and the administrators of those email exchangers. On a practical basis, those mail administrators really have little or no interest in the content of those emails. Their role is to get the email to it’s intended destination and there are likely tens of thousands if not millions of emails passing through their networks on a daily basis. That said, those who handle the email could read the contents of the unencrypted email if they desired.
Unencrypted email may also be viewable once it arrives at the destination. For example, email on an employers server is likely readable by the administrators and managers of the company.
There is also the risk that malicious parties may be targeting protected health information and trying to intercept emails. The relative risk is likely small, however it is a very individual decision to determine if you are comfortable with that risk. It is generally best to assume that anything sent or received via email is readable by a 3rd party.
We take patient privacy very seriously at Specialty Natural Medicine. We employ encryption for all internal data communication. We use strong passwords for all services that host protected health information and encrypt the data locally and on all network services, including 256-bit encryption on backup data.
Our policy is to limit email communication to patients to areas like scheduling and other logistical planning unless we receive a request from patients for medical information or advice via email. We limit these communications to directly answering patient questions with the understanding that if patients initiate the communication then they understand the risks associated with email communication of health information. This communication is limited to basic questions around your treatment plan, scheduling billing, etc. We will not release lab results or other highly sensitive health information via email without a patient signed release.
It is our policy and your right to request that health information not be communicated via email. We have the ability to communicate via a secure patient portal or by phone if that is a patient’s preference. This does improve the security of communication, but at the expense of convenience as encrypted electronic communication requires patients to sign into a separate web portal to retrieve messages from our clinic. Patients also have the right to opt out of any and all email sent by our Electronic Health Records (EHR) system, including appointment reminders.
Either way, we wish to give patients an informed choice of how to work with and communicate with us to help them achieve their wellness goals.
We will respond to patient emails requesting information, generally without requiring a release. Your request for information via email signifies that you wish us to respond via email and understand the risks associated with email over the internet. We do ask for signed releases when patients request lab results, chart notes or other highly detailed medical records over email.
More information on the risks and rights associated with email communication are available at the US Department of Health and Human Services Website:
http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html
