Information Privacy and Security

Emailing Patient Information

Can patient information be sent through email?

HIPAA does not prohibit sending patient information through e-mail; however, HIPAA does require that you take reasonable precautions to protect the confidentiality of patient information and encrypt the information where appropriate. Due to the privacy and security risks that exist with using e-mail for communication, 
we recommend that you avoid sending patient information in an e-mail if there is another reasonable alternative that can be used. If it is necessary to send patient information by e-mail, it should be limited to only that information which is necessary. 

We recommend not including patient names when possible and using medical record numbers instead, just in case the e-mail is accidentally sent to the wrong person. Also note:  Any e-mail messages going outside of the organization are not encrypted and have the same effect as sending information through the mail on a postcard. 
Please see Policy:  Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information - OP 10-40.37 

This page was last updated December 6, 2011 and is maintained by