Is it safe to send medical records by email? It’s an important question. Over the last decade, data breaches in the healthcare industry have increased at a steady rate, with over 268 million records exposed as a result of cyberattacks since 2009.
(Image source: hipaajournal.com)
Healthcare security has become one of the most pressing issues in the healthcare sector. IT teams in the sector must deal with medical data security concerns on a regular basis, both because of the HIPAA Rules and because of the harm a healthcare data breach can cause.
Healthcare professionals must apply the HIPAA Security and HIPAA Privacy Rules and cybersecurity solutions to their email communication channels to minimize security exposures and prevent cyberattacks.
It's important to note that the Health Insurance Portability and Accountability Act (HIPAA) allows medical practitioners to send records by email. However, the medical company must apply reasonable safeguards to protect the patient's privacy.
Good security practices begin with understanding the HIPAA data security rules that apply to electronic Protected Health Information (ePHI).
Below, we examine HIPAA mailing guidelines for sending PHI, provide a few HIPAA violation email examples and answer some frequently asked questions regarding emailing patient records.
HIPAA Security Rules for Sending Medical Records
According to HIPAA, medical practitioners and covered entities should fulfill patients' requests to access their medical records via email. Specifically, the HIPAA rule 45 CFR § 164.524 states that:
"The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual."
When a patient requests their medical data via email, the medical practice must promptly provide this information. Refusal to do so attracts legal penalties.
HIPAA medical records release laws include:
- The Department of Health and Human Services (HHS) provides that individuals have a right to receive their Protected Health Information (PHI) via email upon request.
- Additionally, medical practitioners and covered entities should transfer PHI via email in a manner that does not expose their systems to security risks. If the medical company cannot send PHI via email, it should offer the patient an alternative way to receive the data.
- Medical practices are required to apply reasonable safeguards to protect a patient's PHI while sending the data by email.
- Individuals have the right to receive their health records through unencrypted email if they request it. In that case, the medical company must warn the patient that their data is at risk in transit and confirm that they still want to receive it over an unencrypted channel.
Transfer of Medical Records Between Doctors
Another aspect of sending medical records by email is the transfer of medical records between doctors. This usually happens when patients switch doctors and require their data sent to their new practitioner via email.
In such circumstances, the medical provider has a right to disclose the patient's health information to the new practitioner. However, once again, the files must be shared safely and securely, in full compliance with the HIPAA Security Rule.
HIPAA Violation Email Example
A HIPAA compliant email meets the standards for sending patient data via electronic channels. Practitioners must ensure that emails containing patient records meet regulatory standards to avoid violations and penalties. The following HIPAA violation email examples will help you steer away from some common pitfalls.
The Patient Has Not Given Written Consent
A HIPAA compliant email must explicitly make the patient aware of the security risks inherent in sending emails containing medical information. Additionally, practitioners should discuss more secure communication alternatives with their patients.
Moreover, HIPAA requires that the patient give consent or state their preference to using email as the preferred option to receive their medical records. Finally, the medical practitioner should document the patient's consent.
Emailing Someone Other Than the Patient
You may have a patient's permission to email about their PHI, but that permission does not extend to your communications with other healthcare providers. Any contact with anybody other than the patient or their designated third parties should be in full accordance with all elements of HIPAA.
Lack of Technical Safeguards
The HIPAA regulations devote substantial attention to certain technical safeguards that should be in place for systems that interact with electronic PHI. While not all of these security measures are legally required, standard email fails to meet even a modest interpretation of the criteria.
How to Send Medical Records Electronically
Physicians can send medical records via email or fax. HIPAA requires medical practitioners to provide access to electronic personal health information at no cost. Additionally, practitioners should provide a timeline for when the patient can receive their medical information.
It is safe to send medical records by email provided you comply with HIPAA rules of sending medical records electronically to avoid data breaches and HIPAA violations.
How Can Central Data Storage Help You?
At Central Data Storage (CDS), downloading and completing our free HIPAA Compliance Checklist can give you total peace of mind in ensuring you are entirely HIPAA compliant while sending medical records via email. By following our simple step-by-step guide, you will be able to analyse your file transfers to make sure you are meeting all necessary requirements.
In addition, our Encrypted Sharing solution provides secure messaging (PHI communications) and file sharing for your business: simple, real-time, HIPAA compliant messaging and document sharing.