You can, but it requires changing the server configuration.
You can also pass them on the command line:
ssh foo@host "FOO=foo BAR=bar doz"
Regarding security, note than anybody with access to the remote machine will be able to see the environment variables passed to any running process.
If you want to keep that information secret it is better to pass it through
cat secret_info | ssh foo@host remote_program