Blog | G5 Cyber Security

Sending Patient Data by Email: Is it Secure?

TL;DR

No, sending a patient’s name, birth date, and study date in plain text email to a referring doctor is not secure and likely violates data protection regulations like GDPR and HIPAA. Use encrypted email or a secure portal for sharing this information.

Why Plain Text Email Isn’t Safe

Plain text email travels across the internet without end-to-end encryption, so anyone who intercepts it in transit, and any mail server that relays or stores it, can read the contents. That includes sensitive patient details such as the name, birth date, and study date mentioned above.

Steps to Securely Share Patient Information

  1. Use Encrypted Email: This scrambles the email content so only the intended recipient can read it with a decryption key.
    • Many email providers offer built-in encryption (e.g., ProtonMail).
    • Consider third-party encryption services that integrate with your existing email system.
    • Ensure both you and the referring doctor use compatible encryption methods.
  2. Secure Patient Portals: These are web-based platforms designed for secure communication.
    • Patients can log in to access their records and share information with providers.
    • Portals typically use strong encryption and authentication measures.
    • Examples include MyChart, Epic, and other EHR-integrated portals.
  3. Fax (with a Secure Fax Service): While not ideal, faxing through a secure service can be more compliant than plain text email.
    • Ensure the fax service uses encryption and provides audit trails.
  4. SFTP (Secure File Transfer Protocol): Suited to larger files or complex data sets.
    • Requires technical expertise to set up and use securely.
    • Both sender and receiver need SFTP accounts.
  5. Consider a Direct Messaging Service: These services are specifically designed for secure healthcare communication.
    • They often comply with HIPAA regulations.
    • Examples include Carequality and CommonWell Health Alliance.
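As an added example that is not part of the original post, here is a small outbound check of the kind a mail gateway or send-hook could run before a referral leaves the practice: it refuses a message whose patient name, birth date, and study date sit in cleartext, and lets end-to-end encrypted S/MIME or PGP/MIME messages through because their bodies are opaque. The field patterns and both sample referrals are constructed for the demonstration.

```python
import re
from email.message import EmailMessage

# Top-level content types that mean the body is end-to-end encrypted:
# PGP/MIME (RFC 3156) and S/MIME enveloped data (RFC 8551).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

# Constructed heuristics for the three fields in the post: a patient/date label
# and date-like tokens (DD/MM/YYYY, DD.MM.YY, or ISO YYYY-MM-DD).
DATE_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")
LABEL_RE = re.compile(r"\b(patient|dob|date of birth|birth date|study date)\b", re.I)

def is_encrypted(msg):
    """True when the whole message body is wrapped by S/MIME or PGP/MIME."""
    return msg.get_content_type() in ENCRYPTED_TYPES

def cleartext_body(msg):
    """Concatenate every text/plain part; encrypted messages contribute nothing."""
    if is_encrypted(msg):
        return ""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def phi_exposure(msg):
    """Return the reasons this message would expose PHI in cleartext (empty = OK to send)."""
    if is_encrypted(msg):
        return []
    text = msg.get("Subject", "") + "\n" + cleartext_body(msg)
    reasons = []
    if LABEL_RE.search(text):
        reasons.append("patient/date-of-birth label in cleartext")
    dates = DATE_RE.findall(text)
    if len(dates) >= 2:
        reasons.append(f"{len(dates)} dates (likely DOB and study date) in cleartext")
    return reasons

def build_plain_referral():
    """Constructed sample: the referral the post warns about, sent as plain text."""
    msg = EmailMessage()
    msg["Subject"] = "Referral: MRI results"
    msg.set_content("Patient: Jane Example\nDOB: 1980-04-12\nStudy date: 2024-03-05\nPlease review.")
    return msg

def build_smime_referral():
    """Constructed sample: same referral as S/MIME enveloped data (payload is a placeholder)."""
    msg = EmailMessage()
    msg["Subject"] = "Referral"
    msg.set_content(b"<ciphertext placeholder>", maintype="application", subtype="pkcs7-mime",
                    params={"smime-type": "enveloped-data", "name": "smime.p7m"})
    return msg
```

A real gateway would extend the heuristics with the practice's own identifier formats and would log each refusal for audit.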

Example of Encrypted Email Setup (ProtonMail)

If using ProtonMail, encryption is automatic for emails sent to other ProtonMail users.

No specific code or configuration is needed: encryption happens automatically within the ProtonMail interface.

For sending encrypted email to non-ProtonMail users, you will typically set a password that the recipient must enter on a web page to decrypt and read the message; share that password over a separate channel (for example, by phone), never in another email.

Important Reminders
