Have you ever asked your healthcare provider to send you medical records by email? Most likely, you’ve received the reply: “We can’t do that. We can only fax them to you or provide you with a paper copy.” This answer is wrong.
HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides:
The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.
Further, HIPAA provides:
[I]f the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
Let’s say that you want your medical records emailed to you. Your healthcare providers says that it will only provide records to you in person or via fax. But who really has fax machines these days? This technology went out with the dinosaurs. You don’t want to trek down to the facility, so you insist on the records being emailed to you. You are told that there’s a policy against emailing medical records because it is too insecure — doing so would violate HIPAA.
But the truth is the other way around. HIPAA requires that the patient request be granted — even if insecure (though there are easy ways to send documents securely via email).
HHS’s guidance provides the following concrete examples — I’ve bolded the most important points:
[I]ndividuals generally have a right to receive copies of their PHI by mail or e-mail, if they request. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI once it has left the systems. Thus, a covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests the copy be mailed or e-mailed. In the limited case where a covered entity is unable to e-mail the PHI as requested, such as in the case where diagnostic images are requested and e-mail cannot accommodate the file size of the images, the covered entity should offer the individual alternative means of receiving the PHI, such as on portable media that can be mailed to the individual.
Further, while covered entities are required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI while in transit, individuals have a right to receive a copy of their PHI by unencrypted e-mail if the individual requests access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted e-mail. If the individual says yes, the covered entity must comply with the request. . . .
Note that while an individual can receive copies of her PHI by unsecure methods if that is her preference, as described in more detail above, a covered entity is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.
It seems to me that in today’s day and age, it should be easy for healthcare providers to send medical records to patients via encrypted email. Or, the documents could readily be encrypted, thus protecting them in the event the email is improperly intercepted or sent to the wrong recipient. This would be a lot more convenient for the patient as well as offer more security than a fax. If a fax is sent to the wrong person, the medical records will be exposed to unauthorized individuals. So, email is not only a much more modern way to send records, but also a more secure way if used properly.
Unfortunately, far too often, healthcare providers lack a rudimentary knowledge of HIPAA, especially their obligations to provide patients with access to their PHI.
Additional Blog Posts on this Topic
The Persistent Problems of Patient Access to Records Under HIPAA
HIPAA’s Failure to Provide Enough Patient Control Over Medical Records
HIPAA’s Friends and Family Network: Access to Health Information
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the International Privacy + Security Forum (Apr. 3-5, 2019 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.