Are you using a free email service in your practice? This includes Yahoo, gmail, hotmail,, etc., just to name a few. If you are…stop! These are not secure ways to send email and should not be used in your practice. They are unencrypted and dangerous.

Rules for Sending Emails

This issue has been debated time and time again. Here is short summary that I hope can help you when deciding when to send emails from your work account.

Encrypted e-mails containing ePHI can be sent outside of your network to other HIPAA Covered Entities for the purposes of Treatment, Payment, or Healthcare operations. If sending to a Business Associate (BA), the BA must have a signed Business Associate Agreement with you and also must have implemented a full HIPAA compliance program.

The only exception to sending unencrypted ePHI is if a patient requests that you send their medical records to their personal email account. You must document the request and explain to the patient that their email service is not secure. If they still want the records sent to their unsecure email you should document that you warned them and that they still want the records emailed to them. Once properly documented, when you sent the patient their records you are not responsible for the security of the email.

Free Email Service

Free email service is very confusing to patients, vendors and other providers. It is best to send email directly from your domain name. It looks more professional and you can control it better. You can encrypt free email service, but then again, it’s still free. You don’t need to use it!