Question: If a patient wishes to have test results sent to him via e-mail and has signed a consent form for this communication with the understanding that our office does not encrypt the message, are we still permitted to send this information along to him? Do we have any other responsibilities under HIPAA in regard to this request?
Answer: In this type of situation, it would be advisable to have the patient sign an authorization to disclose protected health information via e-mail, says Laura Scallion, president and CEO of AllSource Technical Solutions, Inc. in Portland, OR. "The authorization should include language that clearly informs the patient that e-mail is not encrypted and the Internet is not secure. If the patient authorizes, it's permissible to send the results via e-mail," she notes.
As for when you should have the patient sign this authorization form, Scallion advises entities to provide it to the patient only upon request. "Some people still have no idea what to do or how to use e-mail, so if it's included at sign-in, they would be signing something they knew nothing about - it would cost more time involvement for the admitter in explanation of what they are signing," she says.
The Bottom Line: You are permitted to send non-encrypted documents containing PHI to patients via e-mail as long as you first obtain from the patient a signed authorization that explains that transmissions sent over the Internet have vulnerabilities or are not 100 percent secure.