Use of e-mail raises many HIPAA concerns for EDs
All e-communications must be encrypted
While the transmission of electronic information has become an integral part of our daily business and personal lives, for health care providers, including ED managers, it carries with it a special set of obligations and responsibilities.
"Under HIPAA [Health Insurance Portability and Accountability Act of 1996], health care providers are authorized to transmit electronically under certain circumstances, like billing, but it has to be encrypted, and it should only be accessible to people authorized to use it, so there have to be passwords to protect the information from hackers," explains Catherine Marco, MD, FACEP, clinical professor of surgery at the Medical College of Ohio in Toledo, attending physician at St. Vincent Mercy Medical Center, also in Toledo, and immediate past chair of the American College of Emergency Physicians’ Ethics Committee.
Marco and other experts say that HIPAA applies to e-mail, even though the act does not specifically address it. "HIPAA is a very general guideline, and it does not specifically say you can or cannot use e-mail, but it does address the use of electronically protected health information," she notes. This is an important concept, Marco says.
"Electronically protected health information refers to any specific information by which you might be able to identify a specific patient, called ‘identifiers,’" she says.
The term refers to information through which anyone might be able to find out who a patient is: the name, address, Social Security number, images that include the patient’s face, zip code, etc. "If you are over 90, your age is also protected because someone might be able to figure out who the patient is," Marco adds.
Because of a potential lack of privacy, ED managers would be ill-advised to communicate directly with patients via e-mail, say observers.
"I like to think of e-mails as postcards; you don’t know where they will be forwarded," says Kathleen Clem, MD, FACEP, associate professor and chief of the division of emergency medicine in the department of surgery at Duke University Medical Center in Durham, NC. "We do not communicate directly with patients by e-mail, except if they are an employee in our system. If I receive an e-mail, I’m on the phone to that patient, and I then respond in [‘snail mail’] writing."
At the ED at Doctors West Hospital in Columbus, OH, the staff have discussed using e-mail for ED follow-up, "but because of HIPAA, we’re not doing it," says Peter Bell, DO, FACOEP, FACEP, attending physician in the ED and assistant dean for academic affairs at Ohio University in Athens.
"Because an e-mail is discoverable, we felt there might be liabilities," he says.
Routine e-mails are not encrypted and would not be considered protected, Marco notes. "It’s not appropriate for me, or any provider, to use a commercial e-mail provider [i.e., AOL, Yahoo!] for protected health information," she says.
Under carefully defined circumstances, however, ED managers and staff can communicate with each other, and even with other health care providers. "EDs e-mail each other all the time, but not using protected health information," Marco explains. For example, they do not identify a specific patient, she says. "However, if all the security safeguards HIPAA dictates can be met, you can use a hospital server," Marco adds.
In other words, she explains, if she ascertained that her hospital’s e-mail was secure and that a patient’s primary care provider (PCP) also had a secure line, "I might actually be able to e-mail someone’s PCP and say, ‘I saw Mrs. Jones today, and she had X condition. Could you follow up?’" Marco says.
At Doctors West Hospital, medical records are password protected and each doctor and nurse can access them through the internal computer system, Bell says. "Also, we send out notices, such as, ‘Patient Y has been in the ED for the fifth time using a false ID, or they have OD’d for the third time; please be aware the family doctor wants to be notified when they come in.’"
However, his ED does not, at present, e-mail the PCPs. "Now, we dictate charts, and hard copies are sent out by snail mail," he says. "We have talked about faxing, because it is considered protected. The next move would be to do encrypted or encoded e-mail."
Every additional precaution you take helps ensure the privacy of e-mail. For example, Marco suggests, "never put a patient’s name in the subject line, because those are easier to [steal]."
Even within the secure e-mails themselves, her staff members try not to use the patient’s name, she says. "But we use the medical record number because we have to," she adds. However, she notes, HIPAA mandates that such communications must be only between people directly involved in the patient’s care.
In summary, Marco says she would not consider e-mail an appropriate way of contacting patients about their health care. "Other providers are OK, as long as you know the transmission is secure: password protected and encrypted," she says.
For more information about compliance with electronic privacy regulations, contact:
- Peter Alan Bell, DO, FACOEP, FACEP, Assistant Dean, Academic Affairs, Ohio University, Athens, OH; Attending Physician, ED, Doctors West Hospital, Columbus, OH. Phone: (614) 544-5834. E-mail: email@example.com.
- Kathleen J. Clem, MD, FACEP, Associate Professor, Chief, Division of Emergency Medicine, Department of Surgery, Duke University Medical Center, P.O. Box 3096, Durham, NC 27710. Phone: (919) 684-5537. Fax: (919) 681-8521. E-mail: firstname.lastname@example.org.
- Catherine Marco, MD, FACEP, Clinical Professor of Surgery, Medical College of Ohio, Toledo; Attending Physician, Department of Emergency Medicine, St. Vincent Mercy Medical Center, 2213 Cherry St., Toledo, OH 43608-2691. Phone: (419) 251-4478. Fax: (419) 252-4211.
- For more information on HIPAA and electronic communications, go to www.cms.gov. On the left-hand side of the page, click "HIPAA," then "HIPAA Administrative Simplification."