Question: I understand that a patient can request that we send to them unencrypted emails, but what about “business-to-business” (B2B) communications? Can a patient authorize our practice to email back and forth with another provider or entity without encrypting the communications?
Answer: No, the patient cannot say it’s fine for those B2B communications to happen via plain emails, states Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, VT. “That would amount to patients giving up their rights under HIPAA to have that information protected.”
Patients are allowed to ask for plain email communications when it’s with themselves, because that’s exerting their rights for how they would like you to communicate with them, Sheldon-Dean explains. But “as far as business communications are concerned, those should be encrypted communications. You shouldn’t be using plain email for transmitting PHI between business entities.”