Before using unencrypted email to communicate with an Individual, a Covered Entity has a "Duty to Warn" the requestor that the email could be read by a third party. If the Individual indicates they still want the use of unsecured email, the Individual has the right to receive PHI in that way. Documentation of the requestor's agreement to receive unencrypted email should be maintained by the Covered Entity. I would either use a form (which we already have in our HIPAA Manager product) or develop a process using an email template with "Duty to Warn" language and then retain the approval that the recipient provides in a reply email.