Part of your HIPAA security plan should govern the use of email and specify what information can and cannot be transmitted via email, fax, and the Internet. This can be addressed with an Internet Usage Policy, which should be part of your physician office's HIPAA Security Compliance Plan.
The bottom line is that confidential information "can" be included in an email if it is encrypted or password protected. For example, you could email patients their lab results, but those results should be in a password-protected attachment, or be provided as a link to a website that the patient needs a password to access. The password could be as simple as the first five digits of the patient's social security number or their mother's maiden name.
Be sure to speak to your computer network consultant or IT staff person about solutions you can put in place to prevent health information or financial information from appearing in plain text within an email.