Yes they can use the email address, but I don't think that would not be a HIPAA compliant method. I believe it needs to be in the secure message.
NHIN is for organizations involved in healthcare (labs, hospitals, doctors, etc.) but not for patients AFAIK.
