Several months ago, I dealt with several aspects of patient confidentiality. To supplement that, here is an interesting website that covers a number of myths about the requirements of HIPAA.
Many people think that the HIPAA regulations prohibit or discourage emails between doctors and patients. They do not. As stated on this website, though, the regulations require providers to use reasonable and appropriate safeguards to “ensure the confidentiality, integrity, and availability” of any health information transmitted electronically, and to “protect against any reasonably anticipated threats” to the security of such information. Therefore, a covered entity is free to continue using email to communicate with patients, but should be sure that adequate safeguards, such as encryption, are used.
I think most of us don't think about the insecurity of email when we send a note to our doctor. Sure, it is unlikely that some stranger out there will be scanning our emails, although I bet some MIT kids could figure out how to do it in a nanosecond. We forget, though, that employers have the right to snoop through our email on our corporate accounts. Also, it is quite common to insert the wrong "To" address when you are sending a note to someone.
That's why we offer and encourage the use of secure portals like PatientSite. All PatientSite messages are encrypted. Our resident geeks tell me that we use 128-bit DES encryption through SSL. I haven't had a chance to check it out with Maxwell Smart, but it sounds all right to me.