Health Information Compliance Alert
Can You Send Medical Records Via Email (Securely)?
PDF
Question: One of our patients has requested a copy of his medical records, and he wants us to send this via email. Our office staff is debating whether sending medical records as email attachments is allowed under the Security Rule and, if so, whether this is safe to do?
The rule does not specify exactly what formats are permissible, but instead simply uses the term “electronically.” So this could mean that you provide the individual with his medical records on a flash drive, on a disc, or even via an email attachment.
So ultimately, your organization will need to decide how you will provide electronic access to PHI, Sheldon-Dean explains. Ideally, if you’re emailing PHI, you would need to encrypt the email content.
But what if the patient doesn’t want to deal with encryption? What if he wants you to just send his medical records in a “plain” email message?
According to the Privacy Rule, “people have a right to ask for information by alternative means or alternative locations,” Sheldon-Dean says. “And you have to accommodate reasonable requests in the form or format requested by the individual.”
So your basic responsibility is to go ahead and send the medical record to the individual in an unencrypted email as requested, but you need to also warn the patient about the risk of exposure, Sheldon-Dean states. Tell the patient: “You need to understand that emailing your medical information without encrypting the attachment can cause your information to be exposed. Do you understand that those risks exist, and are these risks acceptable to you?”
Bottom line: If the patient says he understands the risks and wants the information sent via an unencrypted email anyway, you can send it. The important thing is that you help the individual make an informed risk decision based on the impact and likelihood of the potential exposure risk, just like you would for any other situation that could cause a possible breach of PHI, Sheldon-Dean explains.
Answer: Yes, you can send medical records via email — in fact, in most cases, you must send the records that way if the patient requests that you send them in that specific format.
One of the crucial changes in the HIPAA Omnibus Final Rule involved a mandate that if you keep protected health information (PHI) electronically, you must make that information available to an individual electronically if requested, according to Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC.
Health Information Compliance Alert
- HIPAA Compliance:
Heed Expert Tips To Craft Effective HIPAA Policies & Procedures
Make sure you cover these 7 big changes under the new rules. If you’re like [...] - Know 4 Principles Your Policies Must Never Be Without
Do your policies set forth clear responsibilities and accountability? What makes a “good” policy? According [...] - Reader Question:
Taking Secrets To The Grave: When You Can Share Decedents' PHI
Question: Our practice treated a patient who passed away two years ago, and now we [...] - Reader Question:
Are BAAs Always Necessary?
Question: With the HIPAA Omnibus Final Rule now in effect, it seems as though we [...] - Reader Question:
Can You Send Medical Records Via Email (Securely)?
Question: One of our patients has requested a copy of his medical records, and he [...] - Tool:
Use This Chart To Dispel Security Risk Analysis Myths
HHS OCR gives you a little help on getting your risk analysis down pat. As [...] - Enforcement News:
Brace Yourself For Increased HIPAA Audits
Plus: OCR now handing out fines for not having breach policies. The HHS Office of [...]