The Security Rule doesn’t prohibit the use of email, but you must have policies and procedures in place to make sure the patient information is adequately protected, and if encryption is reasonable and appropriate to protect patient information that you’re sending electronically, you must encrypt. If you decide not to encrypt, you must document your decision and the reasoning behind it. Thus, if you are sending identifying information along with the image, including any part of the patient’s name, address, date of birth, phone number, or any other data element that is considered a HIPAA “identifier,” sending an unencrypted image via email might put the patient information at risk of a breach.