The Security Rule doesn’t prohibit the use of email, but you must have policies and procedures in place to make sure that patient information is adequately protected. If encryption is reasonable and appropriate to protect patient information that you’re sending electronically, you must encrypt. If you decide not to encrypt, you must document your decision and the reasoning behind it. Thus, if you are sending identifying information along with the image, including any part of the patient’s name, address, date of birth, phone number, or any other data element that is considered a HIPAA “identifier,” sending an unencrypted image via email might put the patient information at risk of a breach.
Please consider using an encryption service, such as the ADABEI-endorsed PBHS Securemail or a Direct Accredited Health Information Service Provider (HISP), for sending Protected Health Information (PHI).
You may send unsecured email containing PHI if a patient has been informed of the risks and directs you to do so regardless. Document the request carefully and honor your patient’s wishes.