Are You Using a HIPAA Compliant Email Provider?
You may not have considered this, but the provider you use to send patient emails matters. Not all email service providers are HIPAA compliant. Even where a service is technically secure enough to qualify, the provider must also be willing to sign a business associate agreement (BAA) with you before the service can be considered HIPAA compliant. Most services will only sign a BAA with paid users.
Are Emails Encrypted?
When you email patients their medical records, those emails must be encrypted. It is important to note that, often, email encryption is a separate service from your regular business email package. Also, keep in mind that email subject lines are part of the message headers and cannot be encrypted, so you should never include patient information in this field.
Has the Patient Consented to Receiving Email Communications?
Because of the security implications of sharing medical records through email, patients must explicitly consent to receiving information this way. Even though you are using an encrypted connection to send patient emails, it is more than likely that the patient's own email account does not support encryption, so the message may not be protected once it reaches them.
Before you can email a patient, it is your responsibility to warn them of the potential security implications of email, and to have written consent to email them. Patients also have the right to withdraw their consent at any time.
Can You Send Password Protected Email Attachments?
Sending medical records as an email attachment, say a password-protected file downloaded from an EMR, can be safer than sending the records in the body of an email. However, if the email is intercepted, or the email account receiving the file is compromised, an unauthorized party can easily access the file if the password was sent along with it.
When sending email attachments, the email must still be encrypted. The password to open the file should also be sent through an alternative method, such as a text message, rather than to the same email address.
What About Appointment Reminders?
The rules for emailing patients appointment reminders are the same as for any other email containing protected health information (PHI). You need to use a HIPAA compliant email provider, encrypt the message, and have written consent from the patient.
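The checks above (encryption in place, written consent on record, no PHI in the subject line, attachment password sent out of band) can be enforced as a pre-send gate. The following is an added example, not code from the original article; the PHI patterns, the consent register and the `OutboundMail` fields are constructed assumptions to be replaced with your organisation's own identifiers and records.

```python
import re
from dataclasses import dataclass

# Constructed patterns for PHI that commonly leaks into subject lines.
# These are assumptions; tune them to the identifier formats your EMR emits.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
    "clinical": re.compile(
        r"\b(?:diagnosis|lab results?|test results?|prescription)\b", re.IGNORECASE),
}

# Constructed consent register: patient email -> consent currently valid.
# A patient who withdraws consent is kept with False so a later send is blocked.
CONSENT_REGISTER = {
    "pat.example@example.com": True,
    "withdrawn@example.com": False,
}


@dataclass
class OutboundMail:
    to: str
    subject: str
    encrypted: bool                       # encryption service applied?
    attachment_password_in_body: bool = False


def subject_phi_findings(subject: str) -> list[str]:
    """Names of PHI pattern categories found in the subject line."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(subject)]


def presend_check(mail: OutboundMail) -> list[str]:
    """Return a list of policy problems; an empty list means the send may proceed."""
    problems = []
    if not mail.encrypted:
        problems.append("message is not encrypted")
    if not CONSENT_REGISTER.get(mail.to.lower(), False):
        problems.append(f"no valid email consent on record for {mail.to}")
    for name in subject_phi_findings(mail.subject):
        problems.append(f"subject line contains {name}")
    if mail.attachment_password_in_body:
        problems.append("attachment password must be sent out of band, not in the email")
    return problems
```

A send pipeline would call `presend_check` and refuse to deliver (and log the reasons) when the returned list is non-empty.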
HIPAA Violation Email Example
So, what is considered an email HIPAA violation?
Here are some email HIPAA violation examples:
- Lacking a signed business associate agreement with your email service provider
- Failing to use an email encryption service
- Not having patient authorization for email communications, but sending them an email anyway
- Including PHI in the subject line of your email
- Sending an email with PHI to the wrong patient