The HIPAA Right of Access Rule, Encryption, and Texting or Emailing of PHI

Modified on Tue, 15 Jul at 2:36 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction

Under certain circumstances, the HIPAA right of access rule allows for providers to send ePHI to patients in an unencrypted fashion. This article covers when, generally, sending unencrypted texts or emails containing PHI is permitted under that rule. 

Under What Circumstances May a Provider Send an Unencrypted Email or Text?

Consider two scenarios:

Scenario 1: A patient requests their own PHI from their provider, for the patient’s personal use. 

Scenario 2: A patient requests that their provider send the patient's PHI to another doctor or another individual.


Scenario #1: Generally, under the HIPAA "right of access rule," an individual has a right to receive a copy of their PHI by unencrypted email or text if the individual requests access in this manner. In such cases, the covered entity, before transmitting the ePHI to the patient, should provide a warning to the individual that the transmission is not secure, and that there is some level of risk that the individual’s ePHI could be read or otherwise accessed by a third party while in transit. If the warning is provided in writing, the provider should consider having the patient sign the warning, that is, provide written consent to the transmission. Then the provider may send the transmission to the patient. If a written warning is not provided, and the warning is instead provided verbally, verbal consent should be documented.


Say, for argument’s sake, that the unencrypted email is intercepted in transit. Is the covered entity liable? Generally, no. While covered entities are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., entering the correct email address and not the address of a different patient), covered entities are not responsible for an interception of PHI in transit to the individual, if the disclosure was made in response to an individual’s access request to receive the ePHI in an unsecured manner (assuming the individual was warned of and accepted the risks associated with the unsecured transmission, as described above).


Scenario #2: In scenario #2, the patient makes a request to their provider that his or her ePHI be sent from that provider to another doctor. The general rule here: If the patient requests that the PHI be sent to another doctor by unencrypted email or in another unsecured manner, the covered entity generally must comply with the request. The request to have the ePHI sent to the other doctor is viewed by HHS as an extension of the patient’s right to access his or her own PHI. Before sending the ePHI, the covered entity must, as detailed above, provide a brief warning to the individual that there is some level of risk that the individual’s ePHI could be read or otherwise accessed by a third party while in transit, and confirm (either verbally or in writing, as discussed above) that the individual wants the ePHI sent by unencrypted email or text. Verbal consent should be documented. Once the patient provides the consent, the provider may send the ePHI in an unsecured manner to the other doctor.

In scenario #2, as long as the patient is warned of and accepts (in writing) the security risks to the PHI associated with the unsecured transmission, the covered entity (the patient's doctor) is not responsible for an interception of PHI that is in transit to the other doctor.


May A Patient Revoke Consent?

Patients may revoke consent at any time (that is, they may opt out of receiving text messages or emails at any time). The right to revoke should be stated on the consent form. If the provider attempts to obtain consent verbally, the provider should notify the patient that the patient has the right to revoke consent at any time. When the provider documents the consent, the provider should note that the provider advised the patient that the patient has the right to revoke consent at any time.
