Hacker News

Not secure in the sense that it's encrypted, though that's part of it. Secure in the sense that you know you're communicating with the patient and only the patient, not their spouse, or their grandson, or Google's servers.



> or Google's servers

But it's fine if it's (approved and) over a telecom provider as long as the medium is unencrypted facsimile.


If that's actually a requirement, then why are most providers happy to accept that it's me over the phone/at the pharmacy if I simply say I'm Silas and maybe give the right date of birth?


Because it's not actually about meeting the stated goal. It's about checking all the boxes on some asinine bureaucratic form that assumes if all the boxes are checked, then the goal is met. This is how stupid people do things when you give them authority.


Because the laws governing all of this were written in 1996.


Can't people just put in their email address, verify it by sending an email, and agree that they're fine with that?


Yes, that is possible, and some do that. In practice, HIPAA is pretty complicated and email is more of a dark gray area than a hard no. For that reason most providers avoid it and prefer to use dedicated secure messaging systems that have things like consent and auditing built in.



