It is not a violation of HIPAA to email medical records provided that the reason for emailing PHI is a required, permitted, or excepted reason under the Privacy Rule, that the disclosure of PHI complies with the minimum necessary standard (where applicable), and that the service used to email the medical records is HIPAA compliant.
The challenge of emailing medical records in compliance with HIPAA is that several criteria have to be met and there are multiple exceptions to those criteria. If a covered entity, a business associate, or a member of either’s workforce is unaware of the criteria, or fails to account for the exceptions, it could be a violation of HIPAA to email medical records.
When is Emailing Patient Records Permitted by HIPAA?
Emailing patient records is permitted by HIPAA when the transmission of Protected Health Information (PHI) is required or permitted by the Privacy Rule. Required disclosures include those to HHS’ Office for Civil Rights and to the subject of the PHI. Permitted disclosures include those for treatment, payment, and healthcare operations, or disclosures required by law.
Exceptions to these criteria include when a healthcare provider does not qualify as a HIPAA covered entity or business associate, when medical records are deidentified for research, medical studies, or policy assessments, and when HHS’ Office for Civil Rights issues a Notice of Enforcement Discretion during a public health or extreme weather event.
When Does the Minimum Necessary Standard Apply?
Most permitted disclosures must comply with the minimum necessary standard. This standard requires that, when medical records are emailed, only the minimum PHI necessary to achieve the objective of the disclosure is included. In those circumstances, disclosing more than the minimum necessary PHI makes it a violation of HIPAA to email medical records.
Exceptions include, but are not limited to, when medical records are disclosed to a healthcare provider for the treatment of a patient, when responding to a request from a patient for a copy of their medical records, and when a patient has signed an authorization covering more than the minimum necessary PHI. Failing to comply with a patient access request or a valid authorization is itself a violation of HIPAA.
When are Email Services HIPAA Compliant?
Email services are HIPAA compliant when measures have been implemented and configured to comply with the Administrative, Physical, and Technical Safeguards of the Security Rule. In addition, if a covered entity subscribes to a third party’s email service (e.g., Outlook) or a third party’s encryption service (e.g., Paubox), a Business Associate Agreement must be in place with each third party that will have access to PHI.
Again there are exceptions. These include when a patient has initiated contact with a healthcare provider via a noncompliant email service and when a patient requests confidential communications via a channel that is not compliant. In both cases, the patient should be warned of the risks, but it is the patient’s decision whether to continue communicating via email, and the provider may honor that decision.
When is it a Violation of HIPAA to Email Medical Records?
Because of the exceptions, there is no straightforward answer to when it is a violation of HIPAA to email medical records. Covered entities and business associates must develop policies and procedures and train members of the workforce on when emailing medical records is allowed and when it is a violation of HIPAA.
Workforce members should be told about the sanctions for violating workplace HIPAA email policies, and also that if they violate HIPAA while performing an “out of scope” activity (i.e., an activity outside the scope of their role), the violation could be escalated to law enforcement agencies and they could be prosecuted under §1177 of the Social Security Act.
Additional Considerations when Emailing Patient Records
While it may not be a HIPAA violation to email medical records, there are circumstances in which emailing medical records can be a violation of state law or another federal regulation. Many states now have privacy laws that are more stringent than HIPAA and are therefore not preempted by it; and, although some state laws exempt covered entities and/or business associates and/or PHI, it is not always clear who or what is exempted, or when provisions of state laws apply across state boundaries.
With regard to federal regulations, the Privacy Act, the Family Educational Rights and Privacy Act (FERPA), and the Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2) all contain privacy protections that are more stringent than HIPAA. Covered entities and business associates who are unsure which regulations apply to their activities, or when it is a violation of HIPAA to email medical records, should seek HIPAA compliance advice.