Healthcare entities require a means to easily share protected health information (PHI). When sending PHI, it is imperative to keep HIPAA requirements in mind. The Health Insurance Portability and Accountability Act (HIPAA) set forth industry standards for creating, storing, and maintaining PHI, including requirements for sending PHI.
- Email
The most convenient means of sending PHI is via email; however, when sending PHI through email, organizations must have proper protections in place. The best way to protect email communications is through encryption. Encryption masks data by translating it into text that is unreadable without a decryption key.
Most professional versions of email services offer encryption as part of their package. However, encrypting PHI is not enough. Before sending PHI using email, it is essential to verify the identity of the person receiving the email to ensure that they are permitted to receive the PHI. In addition, there must be a means to revoke access to the PHI if the email was sent to the wrong person, or if access to the PHI is no longer necessary.
- Fax
Faxing PHI is permitted under certain circumstances. Sending PHI via fax is a similarly easy way to share patient data quickly. HIPAA law requires that access to PHI be given only to authorized individuals who need it to perform a job function. As such, fax machines must be kept in a locked area, limiting the risk of access by unauthorized individuals.
Additionally, faxes should not be automatically printed. Faxes that print automatically pose the risk of being viewed by individuals who are not permitted to view PHI. Faxes containing PHI should be held in the fax machine's memory until they can be printed by an authorized user.
- U.S. Mail
When sending PHI via U.S. mail, it is not permitted to use the regular mailing service. At a minimum, PHI must be sent through first class postal mail according to HIPAA. However, under some circumstances PHI must be sent using certified mail. Certified mail requires recipients to sign for it, so it can only be delivered to the intended recipient. Certified mail can also be tracked, ensuring that PHI is not accessed by unauthorized individuals.
Sending PHI: Business Associate Agreement
Before it is permitted to fax or email PHI, healthcare organizations must have a signed business associate agreement (BAA) with their email and fax providers. When email or fax is used to send PHI, the data is stored on the provider's servers, which gives the provider the means to access it. A BAA limits the liability for both parties, as it states that each organization agrees to be HIPAA compliant and each is responsible for its own compliance.
Sending PHI: HIPAA Conduit Exception Rule
When sending PHI through U.S. mail, a BAA is not required. Mail couriers are considered conduits under HIPAA law, as they have no means to access the PHI sent through their service.
HIPAA Requirements for Sending PHI
When choosing a method to send PHI, healthcare entities must look to HIPAA requirements to ensure that they are sending PHI in a HIPAA compliant manner. Email must be encrypted, faxes must be held in the machine's memory until an authorized user prints them, and U.S. mail must be sent through first class mail. Lastly, there must be signed BAAs with email and fax machine vendors.