Disclosure + Opt-In

es, you can send individuals their own PHI through unencrypted emails, SMS messages, and other electronic communications if:

  1. You advise the individual of the risk that the information in the communication could be read by a third party, and
  2. The individual still prefers the unencrypted communication.

The HIPAA Privacy Rule gives individuals the right to request access to their PHI. In 2013, HHS explained that when an individual requests access to an electronic record, covered entities are required to provide access in the electronic form and format requested by the individual, including unencrypted email:

We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
-HIPAA/HITECH Final Omnibus Rule, January 25, 2013, p. 5634

This guidance specifically discussed email, but the same rationale applies to SMS, and other forms of electronic communication. Similarly, the rationale applies to recurring communications, not just responses to specific requests by individuals.