Letter to Providers on Using Email

I need to use email to work with my providers.  I’ve explained before why I’ve given up on patient portals.  Basically, I have multiple providers to manage (16) and going into multiple portals to send multiple messages is untenable for me as a patient and really does a disservice to me and to my providers.  However, doctors are reticent to use email.  The EHR vendors have done a great job with their marketing to scare physicians to think that they can only use the portal to communicate.  But that’s not true! And in fact, patients have a right to use email, one that doctors must accommodate.

Because doctors don’t want to believe me despite my law degree, I have written this letter and present it when they try to resist the use of email. Some still try to push back and refuse, but the law is in my favor and I’ll push for what I need to do for my care. We shouldn’t have to fight over this, but until doctors really learn how HIPAA works, I’ll have to educate them on my own.

For all patients that want to use email, feel free to use this.  It is NOT legal advice, it is simply what I use as a patient and cites the relevant laws, rules, regulations, and guidelines.


Dear Provider,

While patient portals via electronic health records (EHRs) have held promise for connecting patients and their providers, I have found that they do not work best for me.  I prefer to only use portals to receive lab records and check that my health history is complete and  up to date.

I know this bothers many providers, but it is not only the law, it is better for my care.

Under the Health Information Portability and Accountability Act (HIPAA), the regulations state that:

Unreasonable Measures[1]

…a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access. For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.
  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access.

While a covered entity may not require individuals to request access in these manners, a covered entity may permit an individual to do so, and covered entities are encouraged to offer individuals multiple options for requesting access.

Also, HIPAA permits health care providers to use e-mail to discuss health issues with their patients.[2]  Specifically:

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated….

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

Additionally, I offer this excerpt from a decision rendered by the Office for Civil Rights on September 26, 2016, in response to a HIPAA complaint:

But while the law gives me the right to use email, there are many other considerations that go into my preferring email, a few of which are:

  • Care coordination: Most portals only allow providers to connect with other providers already in their system OR to the patient. Seeing as I have several providers who I may need to contact all at once who are in various systems, it is much better for care coordination to do a group email with all my providers.
  • Privacy: Most portals allow my messages to be redirected through an assistant or nurse in the clinic before getting to the provider. While this is allowed under HIPAA, for various reasons I prefer that my information go directly to the provider and that fewer individuals have access to that information within the practice.
  • Attachments: As an engaged patient, I have almost all of my medical records collected since 2001. Often I’ve found doctors wanting access to some of that information for validation or comparison purposes.  Unfortunately, I cannot always attach this information via the portal which will have specific file format limitations.
  • Character limit: Most portals have a word count limit that I usually exceed. While I know you prefer shorter messages, again with complex issues, I may have more questions or more in-depth questions than most and often find the character limit to not only be a burden but to result in multiple disjointed and inefficient messages in the portal.
  • Safety and Security: In an age where phishing attacks that include viruses, malware, and ransomware are rampant, it is prudent for patients to be wary of emails they receive with attachments or that ask them to “click here.” Portals send email messages to an account asking them to “click here” to receive them. These emails can be easily replicated by hackers and result in disastrous consequences.  Thus, the use of the portal puts my safety and security at risk.  Providers know from their HIPAA training not to open attachments or click on links for these reasons and they should not request patients do so either. Furthermore, if a ransomware virus were to attack a system, the likelihood that they would target the EHR where there is a high volume of sensitive information would be more likely. No system is completely safe or secure regardless of level of encryption.  With those risks in mind, institutions must do their best as is required by HIPAA.  But hackers also work hard to infiltrate systems and they are much more likely to go after targets that yield more information per attack than to attempt to access areas where less information is kept.

    Finally, the information you keep in an EHR is likely kept in “the cloud.”  The cloud of course refers to actual servers operated by a third party, or a business associate.  Issues with clouds abound including the location of the servers in question, whether the information is backed up, and security access to the servers.  More of the issues with clouds can be found in my IBM article linked to below. Needless to say, “the cloud” is not completely secure and may be compromised in many respects as well.  Thus I would offer, the use of portals comes with as many risks if not more than using email.

As background to the above I add that, as a lawyer in health policy, I have done extensive work in this area.  I’ve written for IBM on the issues around HIPAA (http://www.ibm.com/developerworks/cloud/library/cl-hipaa/index.html) and cloud computing  and FDA regulations of mobile apps as medical devices (https://www.ibm.com/developerworks/mobile/library/mo-fda-med-devices/index.html).  I’ve worked with the Agency for Healthcare Research and Quality (AHRQ) on best practices models for patient centered medical homes (https://www.ahrq.gov/professionals/systems/primary-care/workforce-financing/index.html) and with the Patient Centered Outcomes Research Institute (PCORI) on research specifically around this area.  I’ve worked specifically with various industry partners in the development of their portals from Athena to Cerner and lectured at the University of Texas’s Health Informatics program.

While I’m sure you feel this places a bigger burden on you and may include new ways of thinking of healthcare that are unfamiliar, I do appreciate that you will recognize the benefits to my care from using email instead of going through a patient portal.  I think we can all agree that each patient has unique needs which may require the use of different approaches to care in order to achieve the best care outcomes. For me that approach is using email, which is not only my preference but my right.

I appreciate your time and understanding.


Erin M. Gilmer

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/

[2] https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/

See also: My post on HIPAA and Trust explaining HIPAA’s history and how it is more about trust and the doctor-patient relationship than administrative burden.


2 Responses to Letter to Providers on Using Email

  1. giftbearer says:

    I just noticed this post and wanted to let you know about a post I recently wrote in my blog after I became one of many people whose personal medical information was breached; why I am not a big fan of electronic medical records and outlining a number of reasons why patients should have the right to restrict blanket access to all those in a particular healthcare system. You can read it here —> https://patientsrightsadvocate.com/2017/12/19/2017-emory-electronic-records-security-breach-why-patients-should-have-the-right-to-restrict-access-to-their-medical-information/

  2. […] Anyone who knows me knows that I prefer email with my providers. I do not use patient portals for messages. Getting providers to use email though is like pulling teeth. They’ve all been sold the line by medical records companies that portals are the only “secure” way to send messages. And while some portals may have encryption to help with privacy and security, some personal email accounts also have a feature to encrypt (the provider’s email should already be encrypted or they are running dangerously close to more HIPAA problems). You can read the letter I give my doctors on using email here. […]
