Combine the words HIPAA, Protected Health Information (PHI) and email, and you’ve likely just found a topic that will leave many healthcare professionals shaking in their boots. Nevertheless, email is becoming a more frequently used method for sharing PHI with patients and other caregivers. Every healthcare organization should develop its own policies and procedures for complying with HIPAA while delivering PHI via email.

Think it’s as simple as citing a policy that forbids emailing PHI? Think again. One of the key mandates of the Office for Civil Rights (OCR) is to increase patients’ access to their health information, and that includes access by unencrypted email. So, while it may seem counter-intuitive and even unsafe to email patients’ medical records and health information, that’s exactly what OCR is requiring providers and healthcare organizations to do when a patient asks for it.

Why use email to send PHI?

As our world becomes increasingly reliant on technology to communicate and manage our everyday lives, the healthcare industry has seen its own technological revolution with Electronic Health Records (EHRs), e-prescribing, patient portals, wearable technology and many other advancements. With email a primary means of communication, it’s only natural that patients now want to communicate with their providers through a method they already know well.

Many healthcare organizations run their own email systems for day-to-day business. But when it comes to communicating with patients, practices are often confused over what they can and cannot do. Health and Human Services (HHS) provides guidance on email communication in a healthcare setting. It notes that the HIPAA Privacy and Security Rules do not prohibit the use of email, but they do require proper policies and procedures to protect the PHI appropriately. More recent guidance on a patient’s Right to Access their PHI underscored a patient’s ability to request that their PHI be delivered via email. In fact, HHS considers email to be readily producible by nearly all Covered Entities, the exception being a file too large to transmit via email.

While practices should default to secure, encrypted email when transmitting PHI, the guidance from the Office for Civil Rights (OCR) indicates that if a patient wants their PHI delivered via unencrypted email, Covered Entities and Business Associates must comply.

How can I send an unencrypted email with PHI? Isn’t that against HIPAA?

Sending PHI via unencrypted email does not violate HIPAA, but Covered Entities and Business Associates must take reasonable steps to ensure the patient understands and acknowledges the risk of unsecured email transmission. OCR provided this guidance because it wants patients to be able to receive their PHI easily, in accordance with their “right to access” their PHI.

In a 2016 interview with Report on Patient Privacy, Deven McGraw, Deputy Director of the Health and Human Services (HHS) Office for Civil Rights (OCR), stated, “We are trying to make it as easy as possible [for people] to exercise their HIPAA rights in a way that works best for them. But it is not meant to be a sort of blanket, ‘Get Out of Jail Free’ card on security.”

This means that if a patient requests their records be delivered via unencrypted email, the Covered Entity or Business Associate must comply with the request, but only after the patient has given assurance that they understand the risk of unsecured email. Refusing to send a patient’s Access request via unsecured email after they have accepted that risk could result in an OCR complaint.

Whoa! Isn’t email a breach waiting to happen?

Email can be difficult to protect both at rest and in transit. It’s important that healthcare organizations follow industry best practices for using email, which typically include two-factor authentication and encryption, to prevent a PHI breach.

Unsecured email is much more difficult to protect. If a patient acknowledges, either verbally or in writing, the risks of their PHI being sent via unsecured or unencrypted means, then from that point the Covered Entity or Business Associate is no longer liable for any disclosures that occur in transit or upon arrival at the intended email address.

Considerations for delivering PHI via email

With email becoming a much more frequent transmission method for PHI, healthcare practices need to consider the risks of, and best practices for, using email in their own organization.

Some initial suggestions for transmitting PHI via email appropriately include the following:

  • Servers that store email should be encrypted.
  • When PHI must be communicated externally, use encrypted email technology wherever the patient has not asked otherwise.
  • Develop a policy and procedure for working with a patient when the PHI file is too large to be delivered via email.
  • Develop a policy and procedure for alerting a patient to the risks of delivering PHI via unencrypted or unsecured email.
    • Create your “duty to warn” statement and obtain written or verbal confirmation that the patient understands it.
    • If the email address is received verbally, read it back and confirm it using the NATO Phonetic Alphabet.
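The last two steps above are the ones most likely to go wrong in practice: a mis-heard address sends PHI to a stranger, and a missing acknowledgement leaves the practice without evidence that the duty to warn was met. As an added example (not ScanSTAT’s code, and not from the original post), here is a small Python helper that builds a NATO-phonetic read-back script for a verbally received address and records a duty-to-warn acknowledgement only once the address has been confirmed and the patient’s acknowledgement method is known. The field names, the warning text and the sample address are assumptions made for illustration.

```python
"""Added example: read-back script and duty-to-warn record for emailing PHI.
Hypothetical helper, not ScanSTAT code; field names are assumptions."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import re

# ICAO/NATO spelling alphabet, keyed by lowercase letter.
NATO = {
    "a": "Alfa", "b": "Bravo", "c": "Charlie", "d": "Delta", "e": "Echo",
    "f": "Foxtrot", "g": "Golf", "h": "Hotel", "i": "India", "j": "Juliett",
    "k": "Kilo", "l": "Lima", "m": "Mike", "n": "November", "o": "Oscar",
    "p": "Papa", "q": "Quebec", "r": "Romeo", "s": "Sierra", "t": "Tango",
    "u": "Uniform", "v": "Victor", "w": "Whiskey", "x": "X-ray", "y": "Yankee",
    "z": "Zulu",
}
DIGITS = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine"]
# Punctuation that commonly appears in addresses, read back as words.
SYMBOLS = {"@": "at sign", ".": "dot", "-": "hyphen", "_": "underscore", "+": "plus"}

# Deliberately simple shape check: one '@', a dotted domain, no whitespace.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample warning text; a real practice would use its own wording.
DUTY_TO_WARN_TEXT = (
    "Unencrypted email can be read or altered by third parties in transit "
    "or at rest. By accepting delivery this way you acknowledge that risk."
)


def spell_address(address: str) -> list:
    """Return one read-back word per character; refuse characters we cannot say."""
    tokens = []
    for ch in address.strip():
        low = ch.lower()
        if low in NATO:
            tokens.append(NATO[low])          # letter case does not affect delivery
        elif ch.isdigit():
            tokens.append(DIGITS[int(ch)])
        elif ch in SYMBOLS:
            tokens.append(SYMBOLS[ch])
        else:
            raise ValueError(f"character {ch!r} has no read-back word; confirm it another way")
    return tokens


def readback_script(address: str) -> str:
    """Validate the address shape, then produce the phrase staff reads back to the patient."""
    if not ADDRESS_RE.match(address.strip()):
        raise ValueError("address does not look like user@domain.tld; re-ask the patient")
    return " ".join(spell_address(address))


@dataclass(frozen=True)
class DutyToWarnRecord:
    patient_id: str           # hypothetical internal identifier, not PHI content
    email: str
    warning_text: str
    ack_method: str           # "written" or "verbal"
    address_confirmed: bool
    recorded_at: str          # ISO 8601 UTC timestamp


def record_acknowledgement(patient_id: str, address: str, ack_method: str,
                           address_confirmed: bool, now: datetime = None) -> dict:
    """Build the acknowledgement record; refuse to proceed when a precondition is missing."""
    if ack_method not in ("written", "verbal"):
        raise ValueError("acknowledgement must be recorded as written or verbal")
    if not address_confirmed:
        raise ValueError("do not send until the address has been read back and confirmed")
    readback_script(address)  # re-validates the address shape before it is recorded
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    record = DutyToWarnRecord(patient_id, address.strip(), DUTY_TO_WARN_TEXT,
                              ack_method, True, stamp)
    return asdict(record)


if __name__ == "__main__":
    # Constructed sample address for the walkthrough.
    print(readback_script("j.doe@example.com"))
    print(record_acknowledgement("PT-0001", "j.doe@example.com", "verbal", True))
```

The read-back script is meant to be spoken to the patient and confirmed before anything is recorded; `record_acknowledgement` then fails closed, refusing to create a record (and therefore a send decision) unless both the confirmation and the acknowledgement method are present.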

Rely on a partner to navigate the changing regulatory landscape

With the rapid evolution of technology in the industry, it can be difficult to keep up with the regulatory landscape of what is and isn’t allowed, all while trying to avoid an unauthorized disclosure. Luckily, Covered Entities can work with Business Associate partners like ScanSTAT to handle their PHI disclosures, transferring the burden of the work and the duty to warn, as well as the HIPAA liability.

Does emailing PHI (encrypted or unencrypted) seem like more work than it’s worth? ScanSTAT can relieve you of that burden. Our team of healthcare data experts is extensively trained in PHI delivery best practices, including the use of both encrypted and unencrypted email, as well as responding to complicated “Right to Access” requests. We will take on these tricky situations for you (including the liability!). Find out how we relieve the burden of PHI email exchange by requesting a demo today.