Dental practices may have questions about how to use email and whether they should encrypt emails that contain any patient information. HIPAA doesn’t prohibit emailing patient information in an unencrypted form, although in order to do so covered dental practices must:
- Include email in the written security risk analysis
- Have reasonable safeguards to protect patient information in emails
- Send breach notification if emailed patient information is compromised
- Honor certain patient requests for unencrypted email
Security Risk Analysis. In general, the written security risk analysis must take into account all of the dental practice’s electronic patient information, such as electronic dental records, digital radiographs, and email. The dental practice must assess where the information is vulnerable, the threats to the information, and the likelihood and severity of the risk of compromise. The dental practice must implement risk management to bring the identified risks to a reasonable and appropriate level.
Reasonable Safeguards. Examples of reasonable safeguards may include checking the e-mail address for accuracy before sending, or limiting the amount or type of information that may be sent in an unencrypted e-mail.
Breach Notification. If unencrypted patient information is compromised, a dental practice must send breach notification. For example, if a dental practice sent an email containing unencrypted information about a patient to the wrong email address, the dental practice would likely have to notify the patient of the breach, and include information about the incident in the breach log that it submits annually to the federal Office for Civil Rights. Breach notification would also be required if the patient information was encrypted but the password or decryption key was compromised. Information about HIPAA breach notification is available on the ADA website and the Office for Civil Rights website.
HIPAA may require a dental practice to honor a patient request to send his or her patient information via email if, for example, a patient asks the dental practice to communicate with him or her via email and the practice determines that the request is reasonable, or if a patient asks the dental practice to send his or her electronic dental or payment records in an unencrypted email, and still insists after the dental practice has warned of the risk. Similarly, HIPAA may require a dental practice NOT to send information via email if a patient so requests.
Every dental practice is different, and each practice must make decisions about email based on its own risk assessment. For example, some practices might decide to use a secure email service some or all of the time. Other practices might decide not to use email at all, unless HIPAA requires them to do so.