When Does HIPAA Require Providers to E-mail Patients? Additional Guidance

On January 7, 2015, the Office of Civil Rights (OCR) for the Department of Health and Human Services (HHS) posted a new fact sheet and list of FAQs on the issue of individuals’ access rights under the HIPAA.

This document addresses numerous issues associated with the patient’s right to receive copies of their medical information that is kept in a “designated record set” and also provides additional guidance on the issue of emailing patients upon the patient’s request.

HIPAA gives patients the right to request copies of their protected health information in a “form or format” of their choosing, including the transmission of protected health information by unencrypted email.

OCR further noted in this guidance that “covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission).”

However, OCR made clear that an individual cannot be required to accept unsecure methods of transmission.

The key takeaways from this guidance for providers are:

  • Covered entities have an obligation to secure PHI in transit and must protect PHI when it is in the covered entity’s system
  • However, if a patient specifically requests to receive PHI to an unsecured email under the HIPAA “right of access”, then the covered entity must comply with the request but also must inform the patient of the risks associated with the unsecured transmission.
  • The warning to the patient should inform the patient that there is a risk that the information could be read or otherwise accessed by a third party while in transit and confirm that the patient still wants to receive the information in this manner despite the risk.
  • Covered entities are not responsible for the interception of information once it has left the covered entity’s system only in this limited circumstance (where the patient specifically requests access by unsecured means).


Speak Your Mind