by Dan Gospe

In a recent clarification, HHS confirmed that patients can receive unencrypted email containing their Protected Health Information (PHI), as long as a few conditions are met for compliance.

Under these HHS guidelines, a patient has the right to obtain a copy of their records in their entirety. If the patient formally requests that the records be sent in an unsecure manner, and signs a clear written warning that unencrypted email lacks security protections, then the Covered Entity is not on the hook for breach notification, or for a disclosure that happens while that email is in transit.

From the HHS guideline:

In addition, except in the limited circumstance described below, covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.

Keep in mind that this policy does not allow you to send unencrypted email willy-nilly. The exception hinges on the patient having requested the unsecure method and having been warned of and accepted the risk, so each time you send an unencrypted email to a patient, take the following steps to document exactly that and remain in compliance:

  1. The patient must request these records, in writing, with a signature.
  2. The recipient’s email address must be verified immediately before sending out the records; a mistyped address is a misdirected disclosure on your part, not a transit risk the patient agreed to.
  3. The patient must have been warned, in writing, of the risks of unsecure transmission, and must have accepted responsibility for having their records sent that way.
  4. The patient must provide a signature after receiving the records to close the loop, giving you evidence that the records actually reached them.
  5. Unencrypted email cannot be your standard practice; it must be signed off on by each patient for each disclosure of PHI.

This exception covers only records a patient has requested for themselves (or directed to a third party). It does not apply to PHI you send to another provider, a lab, an insurance company, or anyone else; those transmissions must still be safeguarded in transit.

This clarification from HHS is important. The idea behind it is that patients may not have the technical ability to log into an encrypted portal, and their right to their records is treated as paramount; it is your patients’ data, after all.

For more information on processing patient requests for release of records, the American Health Information Management Association (AHIMA) has guidance posted for review.

For more information about HIPAA, IT management, or PC security, browse our blog.

HHS: Patients CAN receive unencrypted email with PHI under some circumstances