Use of encryption

October 8, 2004

Q: Must the e-mail that I use to send medical information to a patient over the Internet be encrypted?

A: That depends. Under the security rule, encryption is "addressable" but not necessarily required. That means, before doing anything, you must first determine whether implementation is "reasonable and appropriate" for your practice. If it is (because you send out a high volume of very sensitive information, for instance), you must address that fact by, in this case, adopting the appropriate encryption software or system. If you determine it isn't reasonable and appropriate for your practice to encrypt e-mail but the security standard can't be met otherwise, you must document your reasoning and implement an alternate means to meet the same goal. Some security consultants suggest encrypting all e-mail since, they argue, it's often easier to explain to the government why you've done something rather than why you haven't. But for small practices, this could be cumbersome and expensive, so use common sense when in doubt.