How Do I Comply with HIPAA when Emailing PHI?
By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
July 12, 2024
Combine the words HIPAA, protected health information (PHI) and email, and you’ve just found a topic that’ll leave many healthcare professionals uneasy. Nevertheless, email is frequently used for sharing PHI with patients and their caregivers. All healthcare organizations should develop policies and procedures to comply with HIPAA while delivering PHI via email.
It’s not as simple as citing a policy forbids emailing PHI. One of the key initiatives of the Office of Civil Rights (OCR) is to increase access for patients to their health information, including unencrypted email. So, while it may seem counterintuitive to email patients medical records and health information, providers and healthcare organizations may need to do exactly that to meet a patient’s requested format.
Why use email to send PHI?
As our world becomes more reliant on technology to communicate and manage our daily lives, the healthcare industry has seen their own technological revolution with electronic health records (EHR), e-prescribing, patient portals, wearable tech, and many other advancements. With email a main means of communication, it’s only natural patients would like to communicate in a way they’re familiar with.
Many healthcare organizations have their own email systems needed to function for business. But when it comes to communicating with patients, practices are often confused over what they can, and cannot, do. The U.S. Department of Health and Human Services (HHS) provides guidance on emails used in healthcare. They note the HIPAA Privacy and Security Rules don’t prohibit the use of email but do require proper policies and procedures to protect PHI. Guidance on a patient’s right to access their PHI underscored the ability for patients to request this information via email. And they consider email to be readily producible by nearly all covered entities, with exceptions if a file is too large to transmit via email.
While practices should defer to utilizing secure, encrypted email while transmitting PHI, the guidance from the OCR indicates if a patient wants their PHI to be delivered via unencrypted email, covered entities and business associates must comply.
How can I send an unencrypted email with PHI? Isn’t that against HIPAA?
Sending PHI via unencrypted email doesn’t violate HIPAA, but covered entities and business associates must take reasonable steps to ensure patients understand and acknowledge the risk of unsecured email transmission. The OCR provided this guidance because they want patients to easily receive their PHI in accordance with their right to access PHI.
In an interview with Report on Patient Privacy, Deven McGraw, Deputy Director of the HHS OCR, said, “We are trying to make it as easy as possible [for people] to exercise their HIPAA rights in a way that works best for them. But it is not meant to be a sort of blanket, ‘Get Out of Jail Free’ card on security.”
Meaning, if a patient requests their records be delivered via unencrypted email, the covered entity or business associate must comply with the request after assurance from the patient they understand the risk of unsecured email. Denying a patient their access request be sent via unsecured email could mean an OCR complaint.
But isn’t email a breach waiting to happen?
Email can be difficult to protect at rest and in transit. It’s important healthcare organizations follow industry best practices for utilizing email, which typically include dual authentication and encryption, to prevent a PHI breach.
Unsecure email is much more difficult to protect. If a patient acknowledges, verbally or in writing, the risks of their PHI being sent via unsecure or unencrypted means, the patient accepts the risk of potential disclosures occurring in transit, or upon arrival, to the intended email address.
Considerations for delivering PHI via email
With email a frequent transmission method for PHI, healthcare practices need to consider the risks and best practices for utilizing email in their own organization.
Some initial suggestions for appropriately transmitting email include:
- Servers containing email should be encrypted.
- When communicating PHI externally, utilize encrypted email technology.
- Ensure all staff are trained on email best practices.
- Develop a policy and procedure for working with patients when the PHI file size is too large to be delivered via email.
- Develop a policy and procedure to alert patients to the risks of delivering PHI via unencrypted or unsecure email.
- Create your duty to warn statement and receive written or verbal confirmation.
- If the email address is received verbally, confirm the address using the NATO Phonetic Alphabet.
Rely on a partner to navigate the changing regulatory landscape
With the rapid evolution of technology, it can be difficult to keep up with the regulatory landscape of what is, and isn’t, allowed – all while trying to avoid an unauthorized disclosure (UAD). Luckily, covered entities can work with business associate partners like Verisma to handle PHI disclosures – transferring the work burden and duty to warn.
And, while many patients can access data via portals, Verisma Request App® (VRA) opens up secure electronic delivery to third-party requestors, such as commercial health plans and attorneys – offering the same record-ordering convenience enjoyed by patients – and avoids the risks associated with email all together.
Does emailing PHI (encrypted or unencrypted) seem like more work than it’s worth? Our healthcare data experts are extensively trained in PHI delivery best practices including utilizing encrypted and unencrypted email, as well as responding to complicated right to access requests. We’ll take on these tricky situations for you. Find out how we relieve the burden of PHI email exchange by requesting a demo today.