25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

How the HIPAA Omnibus Final Rule Applies to E-mail Communication with Patients

The Omnibus Final Rule was introduced at the start of the year and covered organizations – which now include business associates and their subcontractors – now need to update procedures and policies to comply with the new regulations if they have not already done so. The deadline for compliance with the new rule is September 23, 2013 and any covered entity found not to have implemented the required changes after this date could incur a financial penalty up to $1.5 million.

The new changes have been criticized by some members of the healthcare community; however the changes are necessary in order to improve the rights of patients to access their medical data. The Omnibus Rule now allows them to have much greater autonomy and make decisions about how their medical information is communicated to them.

If a patient is comfortable receiving information via E-mail this has previously presented a problem for healthcare companies. E-mails can be intercepted, the emails are often stored unsecured servers – where they can remain indefinitely – and there is no guarantee that the intended recipient will be the only person to read the E-mail. Sending unencrypted E-mails containing PHI would violate HIPAA regulations.

However under the new rule, patients are able to be sent unencrypted E-mails containing their PHI if they so wish, provided that they have been informed of the risks. If a healthcare provider explains to the patient that E-mail is not totally secure and there is a chance that their data could be viewed by other people the patient can be sent E-mails. Patients are permitted to take risks with their own data. Healthcare organizations are not.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Should any patient elect to receive unencrypted E-mails it is strongly advisable to have the authorization in writing. While this is not stated explicitly in the legislation as being mandatory, it would be unwise to send any PHI without having documentation to prove that the patient has been informed of the risks. Permission must be obtained prior to sending the E-mail. It is still not permitted to send E-mails under an opt-out policy. Patients must opt-in to receive electronic communications.

To what extent do the risks need to be explained? According to a statement issued by the DHSS in 2013, “We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.”

It is important for healthcare organizations to be familiar with State laws on E-mail containing PHI. HIPAA makes some provision for E-mail communication, although some States impose tougher restrictions to control the release of patient data. State laws will apply when they increase the protection offered under HIPAA, with the Omnibus Final Rule considered to be a minimum national standard only.

It should be borne in mind that regardless of what a patient requests, electronic communications must not be sent unless a business agreement is in place with the provider of the service. Under the Omnibus Rule, all business associates must agree to comply with HIPAA Privacy and Security Rules and a business agreement must be signed. If no current business agreement is held, a message containing PHI that is sent to a patient via Skype, for example, would be a HIPAA violation even if the patient knew the risks and signed a document to that effect prior to the message being sent.

The new rule may not be the easiest to implement and it could have considerable cost implications for some healthcare organizations; however the legislation is necessary to ensure patient data is properly protected and patients should be allowed to make decisions about their data and be given greater access if required.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist