The PsychMeter Blog

When you shouldn't email questionnaires

Email is widely accessible and convenient, but when it comes to healthcare, privacy compliance is essential for both you and your patients or clients. Here’s a breakdown of how email works, and why it might not be the best choice for sharing sensitive health information.

How Email Works Across the Internet

When you hit "send" on an email, what exactly happens?
In simple terms, your email application communicates with your email server—where all your sent and received emails are stored. This server (for example, Google’s server for @gmail addresses) then looks up the recipient’s server, connects, and delivers your message. Receiving an email follows the same path in reverse.

Why This Matters for Healthcare

While email is effective, it comes with specific risks in healthcare settings, particularly concerning encryption. Encryption is not mandatory for email at every stage of its journey, meaning:
  • The connection between your device and your email server might not be encrypted.
  • The delivery between your email server and the recipient’s server might lack encryption.
  • Your recipient could download the email without encryption.
At any point, unencrypted data can be intercepted and read by unintended third parties.
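One way to see whether each hop actually used TLS is to read the Received headers that every relay prepends to a delivered message: RFC 3848 keywords such as "with ESMTPS" or "with ESMTPSA" record a TLS-protected hop, while plain "with ESMTP" or "with SMTP" records an unencrypted one. The script below is an added example, not PsychMeter's code; the three-hop message it audits is constructed, and the host names and ids in it are placeholders.

```python
import re
from email import message_from_string

# Constructed sample, not a real capture: three hops, of which the middle one
# (relay -> outbound server) was received with plain "ESMTP", i.e. without TLS.
SAMPLE_MESSAGE = """\
Received: from mail-out.clinic.example (mail-out.clinic.example [192.0.2.10])
 by mx.recipient.example with ESMTPS id abc123
 for <patient@recipient.example>; Mon, 3 Jun 2024 10:00:02 +0000
Received: from relay.clinic.example (relay.clinic.example [192.0.2.5])
 by mail-out.clinic.example with ESMTP id def456;
 Mon, 3 Jun 2024 10:00:01 +0000
Received: from laptop.clinic.example ([198.51.100.7])
 by relay.clinic.example with ESMTPSA id ghi789;
 Mon, 3 Jun 2024 10:00:00 +0000
Subject: Questionnaire

Please find the questionnaire attached.
"""

# RFC 3848 "with" keywords whose trailing S means the hop used TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
FROM_BY = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

def audit_hops(raw_message):
    """One dict per relay hop, oldest first: the endpoints, the protocol
    keyword the receiving server recorded, and whether it implies TLS."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received header, so headers read newest
    # first; reverse them to follow the path in the order the mail travelled.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())       # unfold continuation lines
        route = FROM_BY.search(flat)
        with_clause = WITH.search(flat)
        keyword = with_clause.group(1).upper() if with_clause else None
        hops.append({
            "from": route.group(1) if route else None,
            "by": route.group(2) if route else None,
            "protocol": keyword,
            "tls": keyword in TLS_KEYWORDS,
        })
    return hops

def unencrypted_hops(raw_message):
    """(from, by) pairs for every hop that did not record a TLS keyword."""
    return [(h["from"], h["by"]) for h in audit_hops(raw_message) if not h["tls"]]
```

Received headers are written by each receiving server, so they are only as trustworthy as that server; the check shows what was recorded, and it can only be run on mail that has already been delivered, which is why the sending side still needs a provider that enforces encryption.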
In some jurisdictions, you’re also required to encrypt data stored on a server "at rest." You cannot assume your recipient’s email provider stores data securely without additional encryption. For healthcare providers, this concern extends to questionnaires, which often contain protected health information (PHI) like:
  • Patient contact information
  • Treatment details
  • Diagnoses or health issues
  • Progress in treatment
Even sending an unfilled questionnaire can reveal sensitive information. For instance, sending an Alcohol Use Disorder questionnaire to a patient indicates a specific concern or diagnosis.

What You Can Do

  1. Obtain Consent: Always get your patient’s or client’s permission to exchange information over email.
  2. Use a Compliant Email Service: Avoid using free email services like Gmail, Yahoo, or Outlook. Instead, use a paid, HIPAA/PHIPA-compliant email service. Paid versions of Gmail and Outlook, for example, can be configured for compliance.
  3. Consider Secure Questionnaire Platforms: To protect PHI, consider using specialized services like PsychMeter to handle questionnaires. This reduces the risk of sensitive information being exposed to third parties.

In Summary

Emailing questionnaires can be risky when it comes to protecting your clients’ or patients’ privacy. I hope these recommendations help you make informed decisions about communication practices in healthcare.
Finally, since you can't control how secure your recipient's mailbox is, you should use a service like PsychMeter for your questionnaires to minimize the chance of PHI being revealed to a third party.
Feel free to reach out with any feedback or thoughts!