A Look at Email and HIPAA

Disclaimer: I am not a lawyer and do not offer legal advice. The others quoted in this post are offering general information or interpretation and not specific legal advice or any statement of fact.

For more background on this topic, check out my previous post “Practice Fusion Violates Some Physicians’ Trust in Sending Millions of Emails to Their Patients.”

When I first started looking into the millions of emails that Practice Fusion was sending to patients, doctors were suggesting that these emails constituted a HIPAA violation. Practice Fusion has responded in my previous post that “The patient email reminder and feedback program is absolutely HIPAA compliant, under both the current and new Omnibus rules. We conduct thorough compliance research with every single new feature we launch.” I wanted to explore the HIPAA concerns regarding emails like these, so I talked to a number of HIPAA lawyers and experts. I believe the following look at HIPAA and emails will be informative for everyone in healthcare that’s considering sending emails.

Before I go into a detailed look at sending emails to patients, it is worth noting that under HIPAA, doctors can send emails to patients if the doctor has applied “reasonable safeguards” and the patients have agreed to email communication with their doctor. The HHS FAQ on the use of email and HIPAA is a great resource where this is outlined.

This leaves three HIPAA related questions:
1. Is Practice Fusion legally allowed to use the information in their EHR to send these emails?
2. Does the email contain Protected Health Information (PHI) that is being sent in an unsecured, unencrypted email?
3. Can Practice Fusion publish the provider reviews on their website?

Is Practice Fusion legally allowed to use the information in their EHR to send these emails?
The core of this question is whether the Practice Fusion user agreement (the version publicly available on the Practice Fusion website) allows the use of patient data contained in the Practice Fusion EHR for sending out these emails. Following are comments from William O’Toole, founder of the O’Toole Law Group regarding the user agreement:

I am not providing specific legal advice or opinion here, and I have no strong feelings about Practice Fusion one way or the other. That said, I find this issue extremely interesting and hope I can provide some direction and some interpretation of the law. Capitalized terms are defined under HIPAA and by now are familiar to all, so I will not define or elaborate.

The Practice Fusion Healthcare Provider User Agreement includes a section that, as between Practice Fusion and its customers, grants Practice Fusion the right to use a provider’s PHI (though I argue it is not the provider’s, it is the provider’s patients’ PHI, but I digress) to contact patients on the provider’s behalf, for various purposes, including “case management and care coordination” which is legally permitted. The conclusion can be easily drawn that Practice Fusion (or any other vendor doing the same) relies on this connection in claiming that its patient email is permitted under this section of the law, even if it contains PHI. Note – the topic of secure email is left out of this discussion.

Based on the user agreement, it seems like Practice Fusion is allowed to send out these rating and review emails to patients. William O’Toole does offer a reminder for providers:

For those of you that are familiar with my writings, you know what comes next. The Practice Fusion agreement clearly puts provider customers on notice that Practice Fusion has the right and option to contact patients directly on the provider’s behalf. The providers agreed when they accepted the terms of use. The most important piece of advice that I can offer to all providers is to read and understand the agreements to which you will be bound, or more appropriately, give the agreements to a healthcare technology attorney for review and opinion.

This is an important message for all providers to read and understand the user agreements they sign.

Does the email contain PHI that is being sent in an unsecured, unencrypted email?
You can see the contents of the ratings emails here (Note: the masked area is the name of the physician). Here’s the analysis of the emails from Mac McMillan, CEO of CynergisTek and Chair of the HIMSS Privacy and Security Task Force:

The issue here is whether or not, by the information included, you can discern any protected information about the individual(s) involved. On the surface the email appears benign and does not include any specific Protected Health Information (PHI), and if coming from a general practitioner it would be near impossible to guess, let alone determine for sure, the purpose of my visit or my medical condition. Meaning I could have gone there for something as simple as a checkup, to refill a prescription, or I could have gone there for treatment of some ailment, but you don’t know and can’t tell by this simple email. Some would argue that this is no different than when physicians communicate with their patients now via regular mail or email. The problem though is that not everyone may agree with this, and the consumer who may not be thinking rationally may take issue under certain circumstances. For instance, what if the email came from Planned Parenthood to a seventeen-year-old, or an AIDS clinic, or a specialty center handling a certain form of cancer, or a psychiatrist’s office? In these cases just the name and the identity of the covered entity potentially provides insight into the individual’s medical condition and therefore their personal health information. A patient might, whether legitimate or not, attempt to make the case that their privacy has been violated if others were to see this email who were not intended to, like other family members, neighbors, employers, etc. I think this is really stretching it, but who knows how a privacy attorney might see it?

Can Practice Fusion publish the provider reviews on the Patient Fusion website?
Assuming that Practice Fusion is authorized to contact its users’ patients, the next question is whether it is authorized to publish their responses online. When patients post a review, they have to agree to the terms of the “Patient Authorization.” Within that authorization it seems that Practice Fusion has done a good job of making sure that they are getting authorization from the patient to publish the reviews they’ve submitted. David Harlow, a health care attorney and consultant at The Harlow Group LLC who blogs at HealthBlawg, notes that in addition to the Patient Authorization, “The Terms of Use on the PatientFusion.com review website make clear that posts on the site may be made public, and should not contain information that a patient would not want to be made public, or that a patient does not have the right to post.”

Hopefully this discussion around emails in healthcare will help more companies understand the intricate HIPAA requirements for email communication with patients. I see email communication increasing over the next couple of years as more doctors realize the benefit of it. Plus, a whole new generation of patients wants that type of communication with their provider. We just have to make sure that we continue to respect patients’ privacy in the process. Making sure your emails are HIPAA compliant is not a simple task.

Practice Fusion sent me the following comment:

Practice Fusion’s goal is to create transparency in healthcare without compromise. It is critical that patients seeing any doctor on our platform understand the quality of their doctor. And, therefore, doctors using our free online scheduling application are required to make their reviews available to the public. Practice Fusion offers the only service on the market that validates a patient review was based on an actual visit. No PHI is ever shared in these communications.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • In addition, Practice Fusion is in violation of the new HIPAA Omnibus because the pharma ads directly adjacent to the patient’s encounter note are intended to influence the physician’s decisions. The patients however did not explicitly consent to this.

    When something online is offered to you for free, you are not the customer, you are the product.

  • I say again, the ad supported business model for an EHR makes no sense.

    As far as PF contacting patients, I’ve not looked at the user agreement, as I’m sure not a single user of the system has…

    With that, I would be surprised if PF didn’t cover their butts to ensure this was legal.

  • Just saw this. Was wondering when this was coming out. I think the emails are more of a problem for them than this implies, but hopefully they will do a better job now of informing people and be on notice.

  • I think email in general is a slippery slope for patient communications, so it’s important for practices to cover their butts and make sure they aren’t dinged for HIPAA violations, but also anti-spam laws (especially when ads are involved).

  • What if we hired an office to do our credentialing for one of our new doctors and they sent via email all the provider ID numbers, which included NPI and SSN, along with passwords to get into the website per insurance. Is that considered a HIPAA violation? Or are the patients the only ones protected?