Health Information Compliance Alert

Reader Question:

Can You Send Medical Records Via Email (Securely)?

Question: One of our patients has requested a copy of his medical records, and he wants us to send this via email. Our office staff is debating whether sending medical records as email attachments is allowed under the Security Rule and, if so, whether this is safe to do.

Answer:
Yes, you can send medical records via email — in fact, in most cases, you must send the records that way if the patient requests that you send them in that specific format.

One of the crucial changes in the HIPAA Omnibus Final Rule involved a mandate that if you keep protected health information (PHI) electronically, you must make that information available to an individual electronically if requested, according to Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC.

The rule does not specify exactly what formats are permissible, but instead simply uses the term “electronically.” So this could mean that you provide the individual with his medical records on a flash drive, on a disc, or even via an email attachment.

So ultimately, your organization will need to decide how you will provide electronic access to PHI, Sheldon-Dean explains. Ideally, if you’re emailing PHI, you would encrypt the email content and any attachment.

But what if the patient doesn’t want to deal with encryption? What if he wants you to just send his medical records in a “plain” email message?

According to the Privacy Rule, “people have a right to ask for information by alternative means or alternative locations,” Sheldon-Dean says. “And you have to accommodate reasonable requests in the form or format requested by the individual.”

So your basic responsibility is to go ahead and send the medical record to the individual in an unencrypted email as requested, but you need to also warn the patient about the risk of exposure, Sheldon-Dean states. Tell the patient: “You need to understand that emailing your medical information without encrypting the attachment can cause your information to be exposed. Do you understand that those risks exist, and are these risks acceptable to you?”

Bottom line: If the patient says he understands the risks and wants the information sent via an unencrypted email anyway, you can send it. The important thing is that you help the individual make an informed risk decision based on the impact and likelihood of the potential exposure risk, just like you would for any other situation that could cause a possible breach of PHI, Sheldon-Dean explains.