Is it a HIPAA Violation to Email Medical Records?

It is not a HIPAA violation to email medical records if the reason for emailing medical records is permitted by the Privacy Rule, if the PHI disclosed in the email is limited to the minimum necessary to achieve the purpose of the disclosure, and if the email system used to email the medical records complies with the applicable standards of the Security Rule.

There are exceptions to these criteria, and there are circumstances when emailing medical records is not a violation of HIPAA but could be a violation of a state or federal regulation. This depends on the location of the covered entity or business associate, and the nature of the medical records being emailed. The exceptions and other considerations are discussed below.

Is the Reason for Emailing Medical Records Permitted?

Uses and disclosures of medical records – in any format – are governed by the HIPAA Privacy Rule. The Privacy Rule requires covered entities to disclose Protected Health Information (PHI) when it is requested by HHS’ Office for Civil Rights for a compliance investigation or audit, or when the subject of the PHI exercises their HIPAA rights to view or obtain a copy of their medical records.

Covered entities are permitted to use or disclose PHI by email for treatment, payment, and healthcare operations purposes, and for any reason included in §164.512 of the Privacy Rule. Additional circumstances when it is not a HIPAA violation to email medical records include when an individual or their personal representative authorizes a disclosure of PHI by email.

Is the Disclosure of PHI Limited to the Minimum Necessary?

Most permitted disclosures are subject to the minimum necessary standard (§164.502(b)). This standard requires disclosures of medical records to be limited to the minimum necessary to achieve the purpose of the disclosure. Exceptions to this standard include internal disclosures for treatment purposes and disclosures authorized by a patient.

External disclosures for treatment purposes are still subject to the minimum necessary standard. For example, if a healthcare provider emails medical records to an independent consultant who is providing a treatment service on behalf of the healthcare provider, the healthcare provider must only email medical records relevant to the service being provided.

Does the Email System Comply with the HIPAA Security Rule?

Whether it is a HIPAA violation to email medical records can also depend on whether the email system used to send them complies with the applicable standards of the Security Rule. Applicable standards include those for access controls, audit controls, automatic logoff, and encryption – both when PHI is at rest and when it is in transit.

If a covered entity subscribes to a third-party email system (e.g., Outlook, Google Workspace, etc.) rather than hosting its email server on-premises, it is necessary to enter into a Business Associate Agreement with the email system provider. The same applies if a covered entity subscribes to an encrypted email service such as Paubox, Proton Mail, or HushMail.

Is It a HIPAA Violation to Email Medical Records? Exceptions

There are multiple exceptions to the criteria for emailing medical records in compliance with HIPAA. These include, but are not limited to:

  • When a patient initiates contact via an unsecured email system. Guidance published by the Department of Health and Human Services (HHS) permits healthcare providers to continue using the unsecured email system to discuss health issues and treatments and email medical records.
  • When a patient requests confidential communications via email (§164.520(b)), covered entities must comply with the request. If this means emailing medical records via an unsecured channel of communication, the patient should be warned of the risks and allowed to decide for themselves.
  • When a healthcare provider does not qualify as a covered entity or business associate, it is not a HIPAA violation to email medical records. This is because HIPAA does not apply to healthcare providers who do not conduct electronic transactions for which standards exist in Part 162 of HIPAA.
  • When HHS’ Office for Civil Rights issues a Notice of Enforcement Discretion. It may be possible to email medical records in violation of HIPAA – but without a penalty – depending on the reason for the Notice of Enforcement Discretion being issued and what area of HIPAA compliance the Notice covers.
  • When medical records are de-identified so it is not possible to identify the subject of the PHI, it is not a HIPAA violation to email medical records. This situation most often occurs when de-identified medical records are used for medical studies, policy assessments, and life sciences research.
  • When a patient’s medical records relate to reproductive health. It is a HIPAA violation to email medical records for the purpose of conducting an investigation into the acts of seeking, obtaining, providing, or facilitating reproductive health care, or imposing a civil, criminal, or administrative liability (§164.502(a)).

When is Emailing Medical Records a Violation of a State or Federal Regulation?

Since the passage of HIPAA and the publication of the Privacy, Security, and Breach Notification Rules, many states have enacted privacy, security, and/or breach notification regulations with more stringent standards than HIPAA. In some cases, states require patients to “affirmatively opt-in” before their email address can be used to send medical records by email.

With regard to federal regulations that can affect when medical records can be sent by email, both the Family Educational Rights and Privacy Act (FERPA) and the Confidentiality of Substance Use Disorder Patient Records Regulations (42 CFR Part 2) have more stringent authorization requirements than HIPAA for when it is possible to email a patient’s medical records.

When is it a HIPAA Violation to Email Medical Records?

To summarize what has been discussed above, it is a HIPAA violation to email medical records when there is not a required or permissible reason for doing so – if a healthcare provider qualifies as a covered entity. It can also be a HIPAA violation to email medical records if more than the minimum necessary PHI is disclosed, or if the email system used to email medical records does not comply with the HIPAA Security Rule – although exceptions exist.

Because of the conditions for emailing medical records in compliance with HIPAA and the number of exceptions, it is important that all members of the workforce receive HIPAA training on the applicable standards of the Privacy and Security Rules. Workforce members should also be told how to report an accidental HIPAA violation if an email containing medical records is sent to the wrong person or is sent to multiple persons without using the BCC function.

The Penalties for Emailing Medical Records in Violation of HIPAA

The penalties for emailing medical records in violation of HIPAA vary according to the nature of the violation, the number of individuals affected, the length of time a violation was allowed to continue, and the “scope” of the workforce member(s) responsible for the violation. An individual’s or organization’s previous compliance history and the length of time taken to notify a data breach can also be factors in determining the penalties for HIPAA violations.

For individuals and organizations that qualify as covered entities or business associates, the most common penalties for emailing medical records in violation of HIPAA are technical assistance and corrective action plans. However, HHS’ Office for Civil Rights can also impose financial penalties; and, in December 2023, the agency announced its first settlement for the failure to protect PHI against phishing emails (Lafourche Medical Group – $480,000).

For members of a covered entity’s or business associate’s workforce, the penalties for emailing medical records in violation of HIPAA are imposed per the workplace sanctions policy, unless the workforce member has emailed medical records “out of scope” of their workplace duties. In out-of-scope cases, the workforce member can be reported to a law enforcement agency and charged with violating §1177 of the Social Security Act – which carries a prison term of up to ten years.

Due to the potential for accidental violations – or violations attributable to a lack of knowledge – covered entities, business associates, and workforce members of both are advised to ensure they understand the requirements for HIPAA compliant email. Covered entities and business associates who require further information about when it is a HIPAA violation to email medical records should seek advice from a HIPAA compliance professional.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]