The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released new guidance that gives specific requirements for individuals' access to their health information under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy Rule generally requires physicians and other health care providers to supply patients, upon their request and in a format requested by the patient, with access to any health records about them that the covered entity maintains.
The guidance clarifies the parameters of the patient access rule and includes frequently asked questions that specifically address the following:
- The scope of information covered by HIPAA's access right and the very limited exceptions to this right
- The form and format in which information is provided to individuals
- The requirement to provide access to patients in a timely manner
- The intersection of HIPAA's right of access with the requirements for patient access under the Health Information Technology for Economic and Clinical Health (HITECH) Act's electronic health record (EHR) incentive program
Many of the FAQs addressed in the new guidance concern the use of electronic methods of transmitting information to the patient. Secure messaging through a portal, Direct messaging, and unencrypted email are all highlighted. Many physicians are unaware that they may have a Direct Secure Messaging account available through their EHR. As patients begin to use these accounts as well, a physician may be asked to provide the patient's information via this secure messaging service. Direct is a secure, email-like communications channel that enables providers to communicate with each other, as well as with patients and other caregivers, in a secure, HIPAA-compliant way. All messages are encrypted, and authentication is required to send and receive them. Physicians can access Direct from within most popular EHRs. Direct can facilitate the exchange of patient medical records in a standardized manner; this includes formatted and unformatted data, as well as large files such as radiologic studies and diagnostic images.
With the clarification the new guidance provides, it is important to take a close look at how prepared you are to meet some of the requests from patients for their information. Talk with your EHR vendor to see how you will be able to meet these requests in a timely manner, while ensuring all information is kept protected and secure.
Below are some FAQs answered by MSMS Legal Counsel, and coming soon, a more in-depth guide on communicating with patients electronically.
Are physicians and other health care providers required to have the capability to transmit PHI by email as well as by mail?
The government expects all HIPAA covered entities, including physicians, to have the capability to transmit PHI not only by mail, but also by e-mail except in the limited case where e-mail cannot accommodate the file size of requested images.
Does an individual have the right under HIPAA to require a physician or other health care provider to transmit PHI in a designated record set to the individual or a designated third-party by unsecured/unencrypted email?
Yes, but only if the individual has requested that the PHI be sent by unsecured/unencrypted e-mail and has been warned of and accepts the risks that the PHI in the email could be read by a third party. Under these circumstances, the individual has the right under HIPAA to have PHI transmitted in an unsecure manner, and the physician or other provider is not responsible under HIPAA for breach notification or liable for disclosures that occur in transmission. Further, the physician or other provider is not liable under HIPAA for what happens to the PHI once the individual or designated third party receives the PHI. As in all instances in which an individual requests access to or copies of PHI, the individual's request must be in writing, signed and dated. It should state that the individual has requested that the PHI be sent by unsecured/unencrypted e-mail, include the recipient's e-mail address, warn that the PHI in the email is unsecured and could be read by third parties, and acknowledge the individual's acceptance of the risks of the unsecured transmission.
Can physicians require patients to accept transmission by unencrypted email?
No. Under HIPAA, physicians and other health care providers are not permitted to require an individual to accept unsecure methods of transmission of PHI.
Does HIPAA permit physicians and other health care providers to exchange PHI between themselves via unsecured/unencrypted e-mail?
HIPAA does not per se mandate the use of secured/encrypted e-mail or prohibit the use of unsecured/unencrypted e-mail. As a practical matter, however, physicians and other health care providers will be exposed to violating HIPAA by using unsecured/unencrypted e-mail, except when requested by an authorized individual in the circumstances addressed above or possibly in limited exigent circumstances, such as medical emergencies. Usage of unsecured/unencrypted email should be addressed in both the transmitting and receiving providers' respective HIPAA-required security risk assessments.