When Should Transmission of ePHI by Text or Email Be Encrypted?

Modified on Mon, 11 Dec, 2023 at 1:51 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


This article covers the transmission of patient ePHI under several scenarios. A covered entity provider must determine which scenario (if any) applies to the transmission of ePHI at issue and apply the rules associated with that scenario.


Scenario 1: A patient requests their own PHI from their provider, for the patient's personal use.

Scenario 2: A patient requests that their provider send the patient's PHI to another doctor or another individual.

Scenario 3: The provider, on its own initiative, intends to send a patient's PHI to another provider for treatment purposes.

Scenario 4: The provider wants to send PHI, such as appointment reminders, to a patient by text or email.

Generally, in scenarios 1 and 2, the HIPAA right of access rule applies. Under the rule, the doctor may send ePHI to the patient (or to the doctor to whom the patient wants the information sent) in an unsecured (unencrypted) form, but only if certain conditions are met.

Scenario 1: Generally, under the HIPAA "right of access rule," an individual has a right to receive a copy of their PHI by unencrypted email or text if the individual requests access in this manner. In such cases, the covered entity, before transmitting the ePHI to the patient, should provide a written warning to the individual that the transmission is not secure and that there is some level of risk that the individual's ePHI could be read or otherwise accessed by a third party while in transit. The provider should have the patient sign the written warning, that is, provide written consent to the transmission. Then the provider may send the transmission to the patient.


Say, for argument’s sake, that the unencrypted email is intercepted in transit. Is the covered entity liable? Generally, no. While covered entities are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., entering the correct email address and not the address of a different patient), covered entities are not responsible for an interception of PHI in transit to the individual, if the disclosure was made in response to an individual’s access request to receive the ePHI in an unsecured manner (assuming the individual was warned of and accepted the risks associated with the unsecured transmission, as described above).


Scenario 2: The patient requests that their provider send his or her ePHI to another doctor. The general rule here: if the patient requests that the PHI be sent to another doctor by unencrypted email or in another unsecured manner, the covered entity generally must comply with the request. HHS views the request to have the ePHI sent to the other doctor as an extension of the patient's right to access his or her own PHI. Before sending the ePHI, the covered entity must, as detailed above, provide a brief, written warning to the individual that there is some level of risk that the individual's ePHI could be read or otherwise accessed by a third party while in transit, and confirm in writing that the individual wants his or her ePHI sent by unencrypted email or text. Once the patient provides the written consent, the provider may send the ePHI in an unsecured manner to the other doctor.

In scenario 2, as long as the patient is warned of and accepts (in writing) the security risks to the PHI associated with the unsecured transmission, the covered entity (the patient's doctor) is not responsible for an interception of PHI that is in transit to the other doctor.

Scenario 3: The provider seeks to send records to another doctor for treatment purposes on the provider's own initiative (that is, without the patient requesting the transmission). Here, because the patient did not initiate the request, the HIPAA right of access rule does not come into play. Therefore, the transmission, regardless of its purpose, must be secured. The patient cannot require their provider to send the message in an unsecured fashion.

Scenario 4: The provider seeks to send a patient's PHI to that patient by email or by text. Before a practice may text or email PHI to a patient, the patient should consent in writing to receive the unencrypted text or email. The consent should be on a form that contains a brief, written warning to the individual that there is some level of risk that the individual's PHI could be read or otherwise accessed by a third party while in transit. The patient should consent in writing that, having been advised of the risk, the patient chooses to receive the email or text.

Patients may revoke consent at any time (that is, they may opt out of receiving text messages or emails at any time), and this fact should be stated on the consent form.
