1.  E-mailed Receipts

Posted 06-19-2017 03:04 PM

We are exploring an opportunity to email receipts to patients.  If the only identifying information is our name/logo, payment amount, patient name, partial medical record number, and account number, is it necessary to have the email encrypted?  Thoughts?

Stacey Barrett

2.  RE: E-mailed Receipts

Posted 06-19-2017 03:32 PM
The list you provided constitutes PHI to a Covered Entity so therefore under HIPAA, I would say encryption (or an equivalent alternative) is required, unless you have received written acknowledgement of the risks from the client not to send it in an encrypted format.

David Rothery, CHC
Compliance Officer
Marin County, CA

These are my personal opinions and not those of the County of Marin

3.  RE: E-mailed Receipts

Posted 06-19-2017 03:37 PM
I agree with David's response.

Julie Sours, MHA, CPCO, HCISPP
Senior Associate, Information Security and Privacy
Heartland Alliance for Human Needs and Human Rights
Chicago, IL

The views expressed herein are my own and do not represent those of my employer.

4.  RE: E-mailed Receipts

Posted 06-19-2017 03:54 PM
It looks like that is PHI.  One way around the encryption is to have the patient request or authorize you to e-mail it unsecurely.

David Garrison CHC,CHPC
Compliance/Privacy Officer

5.  RE: E-mailed Receipts

Posted 06-20-2017 08:44 AM
I don't know the answer to this but wanted to raise a related question since I think more providers are facing the issue of email and text of PHI for routine communications like appointment reminders and receipts.  If the Notice states that email/text may be used for communications and the patient provides their email or text at registration - is encryption really needed?  Is the act of providing their email or mobile number implied consent?  Is this similar to Right of Access where a patient may decide to have their records sent by email unencrypted?  Ideas?

Andy Reeder, CHPC, CISSP
Director, HIPAA Privacy and Security
Rush University Medical Center
Chicago, IL

6.  RE: E-mailed Receipts

Posted 06-20-2017 12:13 PM
I agree with others on the original question: be careful using e-mail unless specifically requested by the patient.

Andy, I would think that just because a patient provides their cell or e-mail information would not meet the requirement to ensure the patient is aware of the risks of utilizing such media for unsecured communications, unless the consent form includes that language.

Sherrie A. King
Compliance Auditor
Appalachian Regional Healthcare System
Compliance Hotline: 1-800-656-7743

7.  RE: E-mailed Receipts

Posted 06-21-2017 01:47 PM
I agree with Sherrie and David. I don't think you can rely on any theory of implied consent here. As I read HHS's comments on the security rule, patients have to be notified that there is "some level of risk" before sending them PHI by unencrypted e-mail.

Randall Holbrook
Sr. Compliance Attorney
LegalResearch.com - Legal Research Center, Inc.

8.  RE: E-mailed Receipts

Posted 06-20-2017 01:48 PM
Andy, I think there is probably implied consent to use their e-mail or cell phone number if they are told it will be for appointment reminders.  I'm not sure it's implied consent to use it unsecurely, unless they are informed.  We are dealing with this issue now.  We are trying to put a script together for our schedulers to inform patients that we will send them an unsecure e-mail or text for an appointment reminder if they provide us their information (we have to do this for each appointment they schedule).

Something I'm thinking about is whether to revise our "appointment reminder" statement in our NoPP to say something about unsecure e-mailing or texting for appointment reminders.

David Garrison CHC,CHPC
Compliance/Privacy Officer

9.  RE: E-mailed Receipts

Posted 06-21-2017 07:59 AM
If at all possible, please utilize a patient portal as much as you can and discourage the use of email communication with your patients.

I've seen too many cases where a patient turns a medical organization upside down (with reporting directly on HHS website) over sending an email (even encrypted) with diagnosis, test results, etc.