You can send medical records by email, but – if the organization you work for qualifies as a HIPAA regulated entity – conditions exist on who you can send emails to, how much information can be disclosed in emails, and what security measures are necessary to protect the confidentiality, integrity, and availability of Protected Health Information.
As a member of a HIPAA covered entity’s or business associate’s workforce, the most significant factor affecting whether you can send medical records by email should be your employer’s policies regarding uses and disclosures of Protected Health Information (PHI) and their procedures for obtaining consent (if required), authorizations, and/or attestations.
Some HIPAA covered entities may allow medical records to be sent by email when the disclosure is required by the HIPAA Privacy Rule or mandated by state law. In such circumstances, you will only be allowed to send medical records by email to HHS’ Office for Civil Rights, to a patient, or to a state agency to report (for example) child abuse.
Other covered entities may allow workforce members to send medical records by email for treatment, payment, health care operations, and for certain purposes permitted by §164.512 of the HIPAA Privacy Rule. In these circumstances, disclosures of PHI other than for treatment are subject to the minimum necessary standard and may require the patient’s prior consent.
In addition, some disclosures of PHI may be subject to the authorization requirements of §164.508 or the attestation requirements of §164.509. These requirements affect the type(s) of PHI that can be sent by email, who emails can be sent to, and the purpose of the disclosure. Consequently, there is no one-size-fits-all answer to the question of whether you can send medical records by email.
How to Send Medical Records by Email Securely
In the context of what security measures are necessary to protect the confidentiality, integrity, and availability of PHI sent in an email, most of these will be implemented by the HIPAA covered entity or business associate for whom you work. However, there are two golden rules with regards to sending medical records by email that apply to all members of the workforce.
The first is to check the name(s) of the recipient(s) before clicking send and to ensure that, if sending out a bulk email containing PHI, the names of the recipients are hidden by the BCC function. Approximately 8% of all unauthorized disclosures of PHI notified each year are attributable to “misdeliveries”. This equates to around 5,000 avoidable data breaches per year.
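The two misdelivery cases in the first golden rule (an address that is not who you think it is, and a bulk email that exposes the whole recipient list in To/Cc) can be caught by a pre-send check. The following is an added example written for this page, not code from the article or from any HIPAA entity; the sanctioned domain, the patient addresses on file, and the bulk threshold are constructed assumptions standing in for whatever your employer's email policy actually specifies.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed example data (assumptions, not from any real organization):
# the domain of the employer's sanctioned email service, plus addresses
# that are on file for specific patients or partner providers.
APPROVED_DOMAINS = {"clinic.example"}
KNOWN_CONTACTS = {"patient@example.net", "records@partner-hospital.example"}

# Any message with this many visible recipients is treated as a bulk email.
BULK_THRESHOLD = 2


def _addresses(msg, *headers):
    """Return lower-cased email addresses found in the named headers."""
    values = []
    for header in headers:
        values.extend(str(v) for v in msg.get_all(header, []))
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def recipient_check(msg, bulk_threshold=BULK_THRESHOLD):
    """Pre-send check for a message that carries PHI.

    Returns a list of human-readable problems; an empty list means the
    message passes. The two problems detected are the ones the text
    describes: a recipient that is neither on file nor on a sanctioned
    domain (likely misdelivery), and a bulk email whose recipient list
    would be disclosed in To/Cc instead of hidden in Bcc.
    """
    problems = []
    visible = _addresses(msg, "To", "Cc")
    hidden = _addresses(msg, "Bcc")
    everyone = visible + hidden

    if not everyone:
        problems.append("message has no recipients")

    for addr in everyone:
        domain = addr.rpartition("@")[2]
        if addr not in KNOWN_CONTACTS and domain not in APPROVED_DOMAINS:
            problems.append(f"unrecognized recipient {addr}: not on file and "
                            f"not on a sanctioned domain (possible misdelivery)")

    if len(visible) >= bulk_threshold:
        problems.append(f"{len(visible)} recipients are visible in To/Cc; "
                        f"a bulk email must carry them in Bcc")
    return problems


def build_message(sender, to, subject, body):
    """Compose an ordinary message with the recipients visible in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, recipients, subject, body):
    """Compose a bulk message with every recipient hidden in Bcc.

    The sender's own address is placed in To so the visible recipient
    list discloses nobody else. smtplib.SMTP.send_message strips the Bcc
    header before transmission, so recipients never see each other.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed demo: a typo in a patient's address is flagged before send.
    typo = build_message("nurse@clinic.example", ["patietn@example.net"],
                         "Your records", "Attached as requested.")
    for problem in recipient_check(typo):
        print("BLOCKED:", problem)
```

In practice the check runs in whatever sends on the workforce member's behalf (a mail gateway, a plugin, or a script), and a non-empty result should stop the send rather than merely warn; the point is that the decision is made by a rule that reads the actual headers, not by a person re-reading an address list.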
The second golden rule is to only use your employer’s email service in the way you have been trained. Although most email services now support encryption in transit, using an email service that has not been sanctioned and configured by your employer violates the HIPAA Security Rule standards for Business Associate Agreements, access controls, and data authentication.
It is also important to be aware that HIPAA Security Rule standards are always secondary to HIPAA Privacy Rule standards. Therefore, if the HIPAA Privacy Rule does not permit sending medical records by email, it does not matter what security measures have been implemented or what security awareness training has been provided. The HIPAA Privacy Rule always takes precedence.
Exceptions Can Apply to the HIPAA Email Rules
Because the HIPAA Privacy Rule always takes precedence, there are circumstances in which exceptions can apply to the HIPAA email rules (notwithstanding how the rules are interpreted and applied by HIPAA covered entities and business associates). Two common exceptions are when a patient exercises their right to request privacy protections or confidential communications.
Under the right to request privacy protections (§164.522(a)), a patient can request that disclosures of PHI are restricted for treatment, payment, and health care operations, and for involvement in the individual’s care or for notification purposes (§164.510(b)). This affects when you can send medical records by email internally, or to other HIPAA covered entities, payment processors, and friends/family members.
The second exception – the right to request confidential communications (§164.522(b)) – gives patients the right to request medical records by email even if the HIPAA covered entity does not subscribe to an email service that supports HIPAA compliance. In these circumstances, the HIPAA covered entity should warn the patient of the risks associated with insecure email and document the warning.
Similarly – although less common – a patient has the right to request PHI is emailed to another healthcare provider. If one or both of the healthcare providers does not subscribe to an email service that supports HIPAA compliance, the right to request that Provider A send medical records by email to Provider B supersedes the requirement for emails containing PHI between providers to be HIPAA compliant.
HIPAA covered entities and business associates who are unclear about when exceptions apply to the HIPAA email rules are advised to seek professional compliance advice. Workforce members who encounter situations for which no HIPAA policies or procedures exist should speak with their HIPAA Privacy Officer before sending medical records by email.