Complying with HIPAA and Delivering PHI via Email

Not only “should” you deliver patients their PHI via email; you are actually required to, assuming it’s reasonable and appropriate to do so. Read on to see how you can deliver on patient requests for information via email, with recommendations and best practices from ScanSTAT.

HIPAA dictates that if a patient requests protected health information (PHI) via email, the records custodian must comply when reasonable. In a 2016 interview with Report on Patient Privacy, Deven McGraw, Deputy Director of the Health and Human Services (HHS) Office for Civil Rights (OCR), stated, “We are trying to make it as easy as possible [for people] to exercise their HIPAA rights in a way that works best for them. But it is not meant to be a sort of blanket, ‘Get Out of Jail Free’ card on security.”

If an individual requests that PHI be delivered via email, it’s up to the covered entity fulfilling the request to take reasonable steps to verify the identity of the individual making the request. It’s also the responsibility of the record custodian to confirm that he/she accurately enters all information provided by the requestor. For example, the record custodian must make sure they accurately type in the delivery email address provided by the individual. Always double-check data entry accuracy when fulfilling medical record requests to avoid a breach.

Email Best Practices Employed by ScanSTAT

If you need to deliver PHI via email, ScanSTAT recommends using an encrypted format for the email. If the individual requests that the records be sent via unencrypted email, the records can still be sent as long as the individual has been clearly warned of the risks of doing so and accepts those security risks. This acknowledgement relieves the record custodian of any liability if an incident were to occur after hitting the “send” button.

The OCR provides further guidance on this topic, in which it states, “If the individual requests electronic access to PHI that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested electronic form and format, if it is readily producible in that form and format.”

ScanSTAT utilizes the following protocols related to emailing medical records when the individual specifically requests this form of communication or when other options are not appealing to the requestor:

  1. ScanSTAT alerts the requestor verbally or via email of the risk with the following “duty to warn” statement: “HIPAA mandates that we warn you of the risk associated with emailing your PHI. There is risk of a third party viewing copies of your medical records that are sent via unencrypted email.”
  2. ScanSTAT receives verbal or email confirmation that the patient wants to proceed.
  3. If the email address is received verbally, ScanSTAT representatives use the NATO Phonetic Alphabet to confirm the email address:

     | Letter | Code word | Letter | Code word | Letter | Code word |
     |--------|-----------|--------|-----------|--------|-----------|
     | A      | Alfa      | J      | Juliett   | S      | Sierra    |
     | B      | Bravo     | K      | Kilo      | T      | Tango     |
     | C      | Charlie   | L      | Lima      | U      | Uniform   |
     | D      | Delta     | M      | Mike      | V      | Victor    |
     | E      | Echo      | N      | November  | W      | Whiskey   |
     | F      | Foxtrot   | O      | Oscar     | X      | X-Ray     |
     | G      | Golf      | P      | Papa      | Y      | Yankee    |
     | H      | Hotel     | Q      | Quebec    | Z      | Zulu      |
     | I      | India     | R      | Romeo     |        |           |

To learn more about ScanSTAT best practices for providing PHI and fulfilling medical record requests, reach out to our healthcare data experts. Contact us today!