The ADA published an article on Feb. 26, 2016, summarizing new guidance from the Office of Civil Rights. If a patient demands that Protected Health Information be provided via unsecure email, the health care provider must abide by the patient request after warning the patient of potential security risks of the unsecure email.
See http://www.ada.org/en/publications/ada-news/2016-archive/february/hipaa-clarification-allows-patients-to-receive-health-information-through-unsecure-email for the complete article, and links to the HHS resources.
This ruling does NOT apply for provider-to-provider communications, which must be done using a secure method, such as encrypting messages.