HIPAA Mailing Medical Records to Patient: How Can I Send PHI?
The HIPAA Privacy Rule requires that healthcare providers apply reasonable safeguards when mailing patient medical records containing protected health information.
The HIPAA mailing medical records to patient rules do not require that any one mailing service be used, nor do the HIPAA mailing medical records to patient rules prohibit the use of any one service. Transmitting paper or other tangible PHI by US Mail or delivery services such as UPS, FedEx, and DHL are permissible.
Under the HIPAA mailing medical records to patient rules, reasonable safeguards are safeguards that are appropriate and feasible under the circumstances. This means, for example, taking care to not overstuff envelopes, and ensuring that the name and address of a patient, and no other information, is on the envelope.
Providers who expose protected health information in mailings are subject to OCR fines. The disclosure of PHI on an envelope, even if made unintentionally, can result in fines.
Recently, two incidents were reported to OCR that illustrate the point. In one of the incidents, a third-party error resulted in details of HIV medications used by Aetna health plan members, being improperly disclosed. Although the letters were mailed in sealed envelopes, which is a reasonable safeguard, the envelopes contained plastic windows. The names of the medications were clearly visible through these windows. OCR found, in this instance, that reasonable safeguards were not taken to avoid PHI disclosure. Disclosure could have been avoided by not using a plastic window, or by using an envelope thick enough such that PHI could not be viewed unless the envelope was opened.
The emotional costs to affected patients were severe. The third-party error that resulted in the HIV medications of Aetna plan members being exposed has caused serious harm for several patients. Some plan members had their HIV positive status disclosed to family members and roommates. Some have been forced to move home out of embarrassment and fear.
In another incident, Emblem Health sent a mailing in which the Social Security numbers of patients were accidentally printed on the outside of the mailing envelopes. This disclosure could have been avoided simply by inspecting the envelope to ensure PHI was not visible.
Government is not immune to these mistakes either. Recently, the Ohio Department of Mental Health and Addiction Services mailed a survey to patients on a postcard – instead of mailing letters in sealed envelopes. Because the contents of the postcard were visible, the fact that a patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard.
Reasonable safeguards must be employed by an organization regardless of what kind of information is being mailed. Medical records, prescription records, appointment reminders, and patient surveys, all must be mailed using reasonable safeguards that ensure PHI is not visible.