HIPAA, for those who don't know, is a US law that requires patients' health information to be kept private through appropriate safeguards. Ordinary email (Yahoo, Gmail, AOL, etc.) is not considered a secure form of communication.
However, HIPAA does allow such unsecured email communication under certain circumstances. I quote from the horse's mouth:
"Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications."
As such, it may be worthwhile to have a patient acknowledge the following statements before an email can be sent from a practice website using unsecured email:
"I understand email is not considered secure and as such, is not considered a confidential method of communication."
"By sending an email to us, you are giving permission for us to reply by email."
Even if protected health information ends up in the reply, that is permitted, but HHS attaches a caveat. Again, I quote from the horse's mouth:
"Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail."
In practice that means keeping the content of any unencrypted reply to the minimum the patient's question requires. Read more about unsecured email communication as it relates to HIPAA from the Department of Health & Human Services here.