Is it HIPAA-compliant to send condition and exercise reports to patients via email?

Yes, covered entities are permitted to transmit electronic protected health information (ePHI) via email as long as reasonable and appropriate safeguards are taken.

What does HIPAA say?

The HIPAA Privacy Rule allows covered entities to use email to communicate with their patients. However, the Privacy Rule requires covered entities to implement appropriate safeguards when emailing ePHI to patients. According to the Office for Civil Rights (OCR):

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.

The HIPAA Security Rule generally requires covered entities and business associates to "implement technical security measures to guard against unauthorized access to [e-PHI] that is being transmitted over an electronic communications network." (See 45 CFR 164.312(e)(1)). According to the OCR:

The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR 164.312(a)), integrity (45 CFR 164.312(c)(1)), and transmission security (45 CFR 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. 

To be in compliance with the Security Rule, the electronic transmission of ePHI must be secured.

What does ChiroUp do?

1. ChiroUp encrypts all outgoing emails via Transport Layer Security (TLS). TLS is a cryptographic protocol that encrypts data in transit and protects its integrity between two communicating applications over the internet, such as the sending and receiving mail servers.

2. ChiroUp stores a record of every communication sent to the patient in that patient's record.

3. ChiroUp requires each patient to accept the HealthCom.io terms of use before accessing their subsequent condition reports and exercise plans. However, this occurs after you send the initial email.

What are your responsibilities as a subscriber?

1. Ensure you have input the correct email for the patient before sending a report.

⚠️ HIPAA does not apply outside of the United States. Please research your country's laws if you are outside of the United States.
