Email and HIPAA: What Dentists Need To Know

Many dental offices use email or texting to confirm appointments, discuss potential treatment plans and send X-rays and other information for referrals. Although there has been very little enforcement, dentists need to know that most email does not comply with HIPAA and jeopardizes patient information. Even if email has a secure login (https), that is not enough to comply with HIPAA. Even Gmail’s encryption feature does not actually comply with HIPAA, for several reasons, not least of which is the lack of a contract to protect personal health information.

In addition, most email providers duplicate and automatically read most email. Any email provider with targeted ads, for instance, scans emails and stores that data somewhere. Automatically, that violates HIPAA.

Most patient portals are HIPAA compliant, provided that emails to patients do not disclose patient information. Instead, although it may seem clunky, patients need to log in to a secure server to access their personal health history. Dental patient portals should be able to provide documentation for HIPAA compliance.

Similarly, a few email services have emerged that do offer secure, HIPAA-compliant email. Usually, email can be sent to non-users of the system, although they will have to log in to a secure server to read those emails. Examples of secure, HIPAA-compliant email set up for dentists include Brightsquid, RecordLinc and

Lessons Learned:

  • Encryption is not enough for HIPAA compliance.
  • Most email and text communications with patients are not HIPAA-compliant.
  • A few services are offered for secure referrals, work with dental laboratories and patient communication.
  • Patient portals that email links to secure logins can be HIPAA compliant.
  • Ask email providers about HIPAA compliance. If they cannot show documented compliance, assume the provider is not HIPAA compliant.