Best Practices: Emailing Patient Records in Compliance with HIPAA
In January 2016, the HIPAA regulation got more teeth in the area of providing patients their medical records on request (files, notes, diagnostic images, lab results, C-CDAs). The US Department of Health and Human Services published detailed FAQs regarding patients' rights with respect to requesting their medical records from their care providers:
- Request full medical records from all HIPAA-covered entities, e.g.
  - labs, imaging and surgery centers
  - insurance plans, hospitals, pharmacies, and physicians
- HIPAA-covered entities have 30 days to respond
- Provide in the format requested by the consumer
  - Electronic format
  - Specific messaging format
The Department of Health and Human Services has produced some educational videos for consumers (patients), instructing them of their rights and showing some role play at the doctor’s office. There’s also an HHS infographic, which you can find below, that explains the rule as well.
As a secure messaging company, we felt some initial dismay at the videos and the written guidance HHS provides patients:
“…covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”
Wow – unsecure email is OK for sending PHI (Protected Health Information) as long as the healthcare provider warns the patient that there is a security risk, and the patient accepts that risk. How do you track that? Is it realistic to think both sides of that transaction will be truly cognizant of the requirement to inform, and the real security risk?
I turned to our CMO, Dr. Peter Tippett, for some guidance and perspective. What’s the best practice for a physician’s office to comply with HIPAA when emailing medical records to a patient?
His response – so practical, and sensible:
Covered entities should always use some form of secure messaging when emailing medical records to patients for several reasons.
- Email encryption, logging and other HIPAA requirements are expected and required UNLESS the patient EXPLICITLY is warned, and EXPLICITLY agrees to unencrypted mail. Keeping these warnings and permissions straight and getting the right message to the right patient via the right modality will fall in the “too hard” category for most covered entities.
- Covered entities will worry because they will be sued anyway if a patient, for example, agrees to receive blood test results one week and, a few months or years later, gets sent something truly private, which is exposed because it was regular email.
- Most patients will not answer the question at all as to whether or not it would be OK, after a warning, to send the message via regular email, which could lead to errors, a hard stop in the workflow, and the risk of not meeting the 30-day delivery window.
- The fact that at least some patients will want the message sent securely will require all covered entities to have a solution.
Given that email is such a convenient way to exchange files, and email encryption solutions such as DataMotion SecureMail are so affordable and easy for senders and recipients to use, this new HIPAA measure is another driver for adoption by covered entities. It also supports files up to 2 GB, perfect for diagnostic images. It’s a small price to pay for compliance (and happy patients)!