Am I at HIPAA-risk if a patient replies to my secure email message?

January 31st, 2017

Here is a question from “Ask Erik”:

Dear Dr. Kangas, When I write an email to a patient from my LuxSci account, it is encrypted and therefore HIPAA compliant. When they write me back from their regular email address (it’s often hard to get them to sign up at LuxSci), they are putting [PHI / Medical Information] out without security, but that is not my HIPAA violation as I understand it because patients are not required to keep their PHI secure. Yet often a patient replying to my email simply hits ‘reply’ and my email is attached to their reply, putting my original email in an insecure form on the Internet. Does that become therefore a HIPAA violation of mine, especially if I continue to allow this without telling the patient to stop doing this?


It sounds like you are sending messages to patients over “SMTP TLS”, i.e. the message is encrypted only while it travels between mail servers; it looks like, and is, a normal email once it lands on the recipient’s mail server and in their mailbox. In this case it is indeed true that when the patient replies, you have no control over the security of that reply. It may travel over TLS, or it may not, depending on whether the patient’s mail provider and the servers on the way (including yours) negotiate TLS for each hop. You are correct that the security of the reply is, strictly speaking, the patient’s responsibility, and it is not your breach if it arrives insecurely. In fact, patients can even legitimately ask you to send them messages insecurely, through a process called mutual consent.
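The point above, that a reply over plain SMTP TLS is encrypted only hop by hop and only if each pair of servers negotiated it, can be checked after the fact by reading the Received: headers of the reply, because common mail servers record in that header whether the hop that delivered the message was encrypted. The Python script below is an added example written for this article; it is not LuxSci’s code. The TLS markers it looks for (the ESMTPS protocol token, Postfix’s “using TLSv1.x”, and the “version=TLS…” note written by Exchange and Gmail) and the two sample replies are assumptions constructed for illustration. Only the Received: line written by your own mail server is trustworthy; earlier lines come from servers you do not control and can be missing or forged, so treat the result as a signal about the final hop rather than proof about the whole path.

```python
import email
import re
from typing import Dict, List

# Markers that common MTAs write into a Received: header when the hop that
# produced it was encrypted. This list is this example's own heuristic
# assumption (Postfix/Sendmail/Exim: ESMTPS token or "using TLSv1.x";
# Exchange Online and Gmail: "version=TLS1_2"); it is not an exhaustive standard.
TLS_MARKERS = [
    re.compile(r"\bwith\s+ESMTPSA?\b", re.I),      # ESMTPS / ESMTPSA protocol token
    re.compile(r"\busing\s+TLSv?[0-9.]+", re.I),   # Postfix "(using TLSv1.3 with cipher ...)"
    re.compile(r"\bversion=TLS", re.I),            # Exchange / Gmail "(version=TLS1_2 ...)"
]


def received_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return one record per Received: header, ordered oldest hop first.

    Each MTA prepends its own Received: header, so a delivered message lists
    the newest hop first; reversing the list gives the path the message took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())             # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": from_m.group(1) if from_m else "?",
            "by": by_m.group(1) if by_m else "?",
            "tls": any(p.search(text) for p in TLS_MARKERS),
        })
    return hops


def unencrypted_hops(raw_message: str) -> List[str]:
    """List the hops ("from -> by") whose Received: header shows no TLS marker."""
    return [f'{h["from"]} -> {h["by"]}'
            for h in received_hops(raw_message) if not h["tls"]]


def all_hops_encrypted(raw_message: str) -> bool:
    """True only when every recorded hop reports TLS. A message with no
    Received: headers cannot be verified at all, so it counts as not encrypted."""
    hops = received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


# Constructed sample replies (not real traffic). Header order is newest-first,
# exactly as it appears in a delivered message.
REPLY_OVER_TLS = """\
Received: from mx.patient-isp.example (mx.patient-isp.example [203.0.113.7])
    by mail.clinic.example (Postfix) with ESMTPS id 4F1C2A3
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    for <doctor@clinic.example>; Tue, 31 Jan 2017 09:12:44 -0500 (EST)
Received: from [192.0.2.10] (unknown [198.51.100.23])
    by mx.patient-isp.example (Postfix) with ESMTPSA id 1A2B3C
    for <doctor@clinic.example>; Tue, 31 Jan 2017 09:12:40 -0500 (EST)
From: patient@patient-isp.example
To: doctor@clinic.example
Subject: Re: Your lab results

Thanks, doctor. Your original message is quoted below.
"""

# Same reply, but the patient's ISP delivered it to the clinic without TLS.
REPLY_IN_CLEAR = """\
Received: from mx.patient-isp.example (mx.patient-isp.example [203.0.113.7])
    by mail.clinic.example (Postfix) with ESMTP id 4F1C2A4
    for <doctor@clinic.example>; Tue, 31 Jan 2017 09:15:02 -0500 (EST)
Received: from [192.0.2.10] (unknown [198.51.100.23])
    by mx.patient-isp.example (Postfix) with ESMTPSA id 1A2B3D
    for <doctor@clinic.example>; Tue, 31 Jan 2017 09:14:58 -0500 (EST)
From: patient@patient-isp.example
To: doctor@clinic.example
Subject: Re: Your lab results

Thanks, doctor. Your original message is quoted below.
"""

if __name__ == "__main__":
    for label, raw in (("TLS reply", REPLY_OVER_TLS), ("clear reply", REPLY_IN_CLEAR)):
        print(label, "fully encrypted:", all_hops_encrypted(raw),
              "unencrypted hops:", unencrypted_hops(raw))
```

In practice, run this over the replies in the mailbox that receives patient email and treat any hop into your own server without a TLS marker as a reply that arrived in the clear. Internal delivery hops (for example LMTP delivery to the mailbox store) will also show as unencrypted and should be filtered out by host name before alerting. The check only speaks to transport; it says nothing about how the quoted copy of your original message is stored at the patient’s provider, which is the part no header can tell you.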

You do have a good point, however.  If your messages encourage them to reply and/or if you know that they are going to be replying insecurely, then you may have some responsibility.  Generally, this would be addressed by:

  • Clearly state in your message that replies may travel insecurely and that direct replies are not wanted, and give the patient some guidance on the risk (a reply normally quotes your original message, so your own text travels unprotected along with theirs). Ideally, cover this with the patient and obtain their written sign-off before you begin communicating with them by email in this way, in the spirit of mutual consent.
  • Include a link in your message that the patient can use to send you a secure reply. Offering a secure channel legitimizes your email communications with them; if they still choose to reply insecurely, at least that was their explicit choice. LuxSci customers can point patients to a page where they can register and send such messages for free.
  • Forgo “just” SMTP TLS and always use a more secure delivery method. For example, SecureLine Escrow keeps the sensitive message on the server and sends the patient only an email notice that a message is waiting. The patient clicks the link, logs in and reads the message there, and any reply written from that page is secure automatically.

As with many things in HIPAA, which implementation is best for your business and your patients is your decision. However, you must document and justify any risk you accept in your yearly HIPAA risk assessment. If you would like LuxSci’s help configuring your account to meet your particular business needs, please let us know. We are here to help!