Common Privacy Questions
Does HIPAA apply to me?
HIPAA applies to “covered entities” which include health care practitioners, health plans and health care clearing houses. Since 2013, HIPAA also directly applies to the “Business Associates” of “covered entities.”
One of the most misunderstood concepts relate to practitioner use of paper versus electronic records. Practitioners who do not use electronic patient records often declare themselves free of HIPAA requirements. Even if true, other laws would impose the same standards that HIPAA imposes so it is often a foolish excercise.
First, avoiding electronic health records is not the same as avoiding the regulatory definition that would require a practitioner to avoid “certain transactions in electonic form. The term is broadly defined to include electronic billing, electronic verification of health plan coverage, benefit and eligibility questions, and other electronic communications about treatment and payment for care.
Here is an HHS chart to help you decide if you are a covered entity.
If the practitioner has engaged in any covered electronic transactions then the rules apply to both paper and electronic records.
Other state, federal, and local laws govern health information privacy and would apply even in the absence of a HIPAA standard.
Do I need my own HIPAA Policies and Procedures?
Yes, when you distribute your Notice of Privacy Practices, the Notice should reflect your policies and procedures. If you have none then you are telling patients about something you don’t have.
Questions About a Patient's Right to Access Information
May a health care practitioner deny an individual’s request for access because the individual has not paid for health care services provided to the individual?
No. A covered entity may not withhold or deny an individual access to her PHI on the grounds that the individual has not paid the bill for health care services the covered entity provided to the individual.
Can I limit a patient's access to paper records or to electronic records?
No. An individual has a broad right under the HIPAA Privacy Rule to access the PHI about the individual in all “designated record sets” maintained by or for a covered entity, whether in electronic or paper form, not just the designated record set that comprises the “medical record.” See 45 CFR 164.524(a). (However, if the same PHI is maintained in more than one designated record set, a covered entity need only produce the information once in response to a request for access.)
A designated record set also includes billing and payment records, claims and insurance information, as well as other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
Should I make everyone sign a HIPAA authorization when they want to exercise their right to access health information and send information to a third party?
No. The PHI that an individual wants to have disclosed to a third party under the HIPAA right of access also could be disclosed if the third party obtained a valid HIPAA authorization. However, there are differences between the two methods. The primary difference is that the individual’s request to access his own records is a required disclosure and the other one is a permitted disclosure. The “right of access” is usually a more favorable choice for individual asking for her own records. Below are the differences between the two types of disclosure requests:
|HIPAA Authorization||Right of Access|
|Permits, but does not require, a covered entity to disclose PHI||Requires a covered entity to disclose PHI, except where an exception applies|
|Requires a number of elements and statements, which include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.||Must be in writing, signed by the individual, and clearly identify the designated person and where to the send the PHI|
|No timeliness requirement for disclosing the PHI Reasonable safeguards apply (e.g., PHI must be sent securely)||Covered entity must act on request no later than 30 days after the request is received|
|Reasonable safeguards apply (e.g., PHI must be sent securely)||Reasonable safeguards apply, including a requirement to send securely; however, individual can request transmission by unsecure medium|
|No limitations on fees that may be charged to the person requesting the PHI; however, if the disclosure constitutes a sale of PHI, the authorization must disclose the fact of remuneration||Fees limited as provided in 45 CFR 164.524(c)(4)|
The Privacy Rule permits covered entities to disclose PHI for treatment, payment and health care operations without the need to first obtain an individual’s authorization or receive an access request by the individual to have the individual’s PHI directed to a third party for such purposes. See 45 CFR 164.506.
As a result, if an individual is seeking to have her PHI shared among her treating providers, the covered entities can and should do so; the individual should not have to facilitate this transmission by submitting an access request (and potentially having to wait up to 30 days for the information to be sent and be charged a fee) or by executing a HIPAA authorization.
See the Fact Sheets on Understanding Some of HIPAA’s Permitted Uses and Disclosures at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/permitted-uses/index.html.
Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party?
Yes. If requested by an individual, a covered entity must transmit an individual’s PHI directly to another person or entity designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). A covered entity may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.
The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity.
For example, just as when the individual requests a copy for herself, a covered entity cannot require that an individual travel to the covered entity’s physical location to request the individual’s PHI be sent to a person or entity designated by the individual.
The individual can also designate the form and format of the PHI and how the PHI is to be sent to the third party, and the covered entity must provide access in the requested form and format and manner if the PHI is “readily producible” in such a way. Whether PHI is “readily producible” depends on the capabilities of the covered entity and whether transmission or transfer of the PHI in the requested manner would present an unacceptable level of security risk to the PHI on the covered entity’s systems (based on the covered entity’s Security Rule risk analysis).
The following are just a few examples of how these provisions apply:
- A patient requests in writing that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician, or to her own personal health record, and she supplies the corresponding Direct address (an electronic address for securely exchanging health information using the Direct technical standard).
- A patient sends a written request to his long-time physician asking the physician to download a copy of the PHI from his electronic medical record, and e-mail it in encrypted form to XYZ Research Institution, at XYZResearch@anywhere.com, so XYZ Research Institution can use his health information for research purposes.
- A patient requests in writing that her ob-gyn digitally transmit records of her latest pre-natal visit to a new pregnancy self-care app that she has on her mobile phone. The ob-gyn’s EHR has the ready capability to establish the connection in a manner that does not present an unacceptable level of security risk to the PHI in the EHR or other of the ob-gyn’s systems, based on the ob-gyn’s Security Rule risk analysis.
In each of these three examples, the covered entity has the capability to transfer the PHI in the requested manner and doing so would not present an unacceptable level of security risk to the PHI in the covered entity’s systems. Thus, after receiving the patient’s written request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual. However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual’s request in far fewer than 30 days.
Questions about the Format of Disclosure
If an individual requests an electronic copy of the individual’s PHI that the covered entity maintains only on paper, is the covered entity required to scan the paper records to create an electronic copy of the PHI for the individual?
While a covered entity is not required to purchase a scanner to create electronic copies, if a covered entity can readily produce an electronic copy of the PHI for the individual by scanning the records, it must do so. In particular, if an individual requests an electronic copy of PHI in a specific format, and a covered entity maintains that PHI only on paper, the covered entity must provide the individual with the electronic copy, in the format requested, if the copy is readily producible electronically and readily producible in the electronic format requested. If the copy is readily producible electronically but not in the specific format requested, the covered entity may offer the individual the copy in an alternative readable electronic format. If the copy is not readily producible in electronic form, or the individual declines to accept the electronic format(s) that are readily producible by the covered entity, then the covered entity may provide the individual with a readable hard copy of the PHI to satisfy the access request. See § 164.524(c)(2)(i). For example, a covered entity that maintains the requested PHI only on paper may be able to readily produce a scanned PDF version of the PHI but not the requested Word version. In this case, the covered entity may provide the individual with the PDF version if the individual agrees to accept the PDF version. If the individual declines to accept the PDF version, or if the covered entity is not able to readily produce a PDF or other electronic version of the PHI, the covered entity may provide the individual with a hard copy, such as a photocopy, of the PHI.
Questions About Fees Charged for Medical Records
May a covered entity charge individuals a fee for providing the individuals with a copy of their PHI?
Yes, but only within specific limits. The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form. Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. Labor for copying does not include costs associated with reviewing the request for access; or searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record, and segregating or otherwise preparing the PHI that is responsive to the request for copying.
- While it has always been prohibited to pass on to an individual labor costs related to search and retrieval, our experience in administering and enforcing the HIPAA Privacy Rule has shown there is confusion about what constitutes a prohibited search and retrieval cost and this guidance further clarifies this issue. This clarification is important to ensure that the fees charged reflect only what the Department considers “copying” for purposes of applying 45 CFR 164.524(c)(4)(i) and do not impede individuals’ ability to receive a copy of their records.
- Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media. However, a covered entity may not require an individual to purchase portable media; individuals have the right to have their PHI e-mailed or mailed to them upon request.
- Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.
- Postage, when the individual requests that the copy, or the summary or explanation, be mailed.
Thus, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling the access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by State law, are not permitted for purposes of calculating the fees that can be charged to individuals. See 45 CFR 164.524(c)(4).
Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.
What labor costs may a covered entity include in the fee that may be charged to individuals to provide them with a copy of their PHI?
A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.
Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied. For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:
- Photocopying paper PHI.
- Scanning paper PHI into an electronic format.
- Converting electronic information in one format to the format requested by or agreed to by the individual.
- Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from a covered entity’s system to a web-based portal (where the PHI is not already maintained in or accessible through the portal), portable media, e-mail, app, personal health record, or other manner of delivery of the PHI.
- Creating and executing a mailing or e-mail with the responsive PHI.
While HHS allows labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, HHS expects labor costs to disappear or at least diminish in many cases.
In contrast, labor for copying does not include labor costs associated with:
- Reviewing the request for access.
- Searching for, retrieving, and otherwise preparing the responsive information for copying. This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.
May a covered health care provider charge a fee under HIPAA for individuals to access the PHI that is available through the provider’s EHR technology that has been certified as being capable of making the PHI accessible?
No. The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Where an individual requests or agrees to access her PHI available through the View, Download, and Transmit functionality of the CEHRT, HHS believes there are no labor costs and no costs for supplies to enable such access. Thus, a covered health care provider cannot charge an individual a fee when it fulfills an individual’s HIPAA access request using the View, Download, and Transmit functionality of the provider’s CEHRT.
May a covered entity that uses a business associate to act on individual requests for access pass on the costs of outsourcing this function to individuals when they request copies of their PHI?
No. A covered entity may charge individuals a reasonable, cost-based fee that includes only labor for copying the PHI, costs for supplies, labor for creating a summary or explanation of the PHI if the individual requests a summary or explanation, and postage, if the PHI is to be mailed. See 45 CFR 164.524(c)(4). Administrative and other costs associated with outsourcing the function of responding to individual requests for access cannot be the basis for any fees charged to individuals for providing that access.
Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?
Yes. When an individual requests access to her PHI and the covered entity intends to charge the individual the limited fee permitted by the HIPAA Privacy Rule for providing the individual with a copy of her PHI, the covered entity must inform the individual in advance of the approximate fee that may be charged for the copy.
An individual has a right to receive a copy of her PHI in the form and format and manner requested, if readily producible in that way, or as otherwise agreed to by the individual. Since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of her PHI.
The failure to provide advance notice is an unreasonable measure that may serve as a barrier to the right of access. Thus, this requirement is necessary for the right of access to operate consistent with the HIPAA Privacy Rule.
Further, covered entities should post on their web sites or otherwise make available to individuals an approximate fee schedule for regular types of access requests. In addition, if an individual requests, covered entities should provide the individual with a breakdown of the charges for labor, supplies, and postage, if applicable, that make up the total fee charged. HHS notes that this information would likely be requested in any action taken by OCR in enforcing the individual right of access, so entities will benefit from having this information readily available.
How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?
The HIPAA Privacy Rule permits a covered entity to charge a reasonable, cost-based fee for individuals (or their personal representatives) to receive (or direct to a third party) a copy of the individuals’ PHI. In addition to being reasonable, the fee may include only certain labor, supply, and postage costs that may apply in providing the individual with the copy in the form and format and manner requested or agreed to by the individual. A covered entity may calculate this fee in three ways.
- Actual costs. A covered entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. The covered entity may add to the actual labor costs any applicable supply (e.g., paper, or CD or USB drive) or postage costs. Covered entities that charge individuals actual costs based on each individual access request still must be prepared to inform individuals in advance of the approximate fee that may be charged for providing the individual with a copy of her PHI. An example of an actual labor cost calculation would be to time how long it takes for the workforce member of the covered entity (or business associate) to make and send the copy in the form and format and manner requested or agreed to by the individual and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the individual (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format).
- Average costs. In lieu of calculating labor costs individually for each request, a covered entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (e.g., labor costs for copying but not for search and retrieval) and are reasonable. Covered entities may add to that amount any applicable supply (e.g., paper, or CD or USB drive) or postage costs.
- This standard rate can be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the individual requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. Per page fees are not permitted for paper or electronic copies of PHI maintained electronically. HHS is aware that per page fees in many cases have become a proxy for fees charged for all types of access requests – whether electronic or paper – and that many states with authorized fee structures have not updated their laws to account for efficiencies that exist when generating copies of information maintained electronically. This practice has resulted in fees being charged to individuals for copies of their PHI that do not appropriately reflect the permitted labor costs associated with generating copies from information maintained in electronic form. Therefore, the Office of Civil Rights (OCR) does not consider per page fees for copies of PHI maintained electronically to be reasonable for purposes of 45 CFR 164.524(c)(4).
- Flat fee for electronic copies of PHI maintained electronically. A covered entity may charge individuals a flat fee for all standard requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.
Are costs authorized by State fee schedules permitted to be charged to individuals when providing them with a copy of their PHI under the HIPAA Privacy Rule?
No, except in cases where the State authorized costs are the same types of costs permitted under 45 CFR 164.524(c)(4) of the HIPAA Privacy Rule, and are reasonable. The bottom line is that the costs authorized by the State must be those that are permitted by the HIPAA Privacy Rule and must be reasonable.
The HIPAA Privacy Rule at 45 CFR 164.524(c)(4) permits a covered entity to charge a reasonable, cost-based fee that covers only certain limited labor, supply, and postage costs that may apply in providing an individual with a copy of PHI in the form and format requested or agreed to by the individual. Thus, labor (e.g., for search and retrieval) or other costs not permitted by the Privacy Rule may not be charged to individuals even if authorized by State law.
Further, a covered entity’s fee for providing an individual with a copy of her PHI must be reasonable in addition to cost-based, and there may be circumstances where a State authorized fee is not reasonable, even if the State authorized fee covers only permitted labor, supply, and postage costs.
For example, a State-authorized fee may be higher than the covered entity’s cost to provide the copy of PHI. In addition, many States with authorized fee structures have not updated their laws to account for efficiencies that exist when generating copies of information maintained electronically. Therefore, these State authorized fees for copies of PHI maintained electronically may not be reasonable for purposes of 45 CFR 164.524(c)(4).
A State law requires that a health care provider give individuals one free copy of their medical records but HIPAA permits the provider to charge a fee. Does HIPAA override the State law?
No. The health care provider must comply with the State law and provide one free copy. In contrast to State laws that authorize higher or different fees than are permitted under HIPAA, HIPAA does not override those State laws that provide individuals with greater rights of access to their health information than the HIPAA Privacy Rule does. See 45 CFR 160.202 and 160.203.
This includes State laws that: (1) prohibit fees to be charged to provide individuals with copies of their PHI; or (2) allow only lesser fees than what the Privacy Rule would allow to be charged for copies.
When do the HIPAA Privacy Rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual’s PHI to a third party?
The fee limits apply when an individual directs a covered entity to send the PHI to the third party.
Under the HIPAA Privacy Rule, a covered entity is prohibited from charging an individual who has requested a copy of her PHI more than a reasonable, cost-based fee for the copy that covers only certain labor, supply, and postage costs that may apply in fulfilling the request. See 45 CFR 164.524(c)(4). This limitation applies regardless of whether the individual has requested that the copy of PHI be sent to herself, or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).
To direct a copy to a third party, the individual’s access request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). Thus, written access requests by individuals to have a copy of their PHI sent to a third party that include these minimal elements are subject to the same fee limitations in the Privacy Rule that apply to requests by individuals to have a copy of their PHI sent to themselves. This is true regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual). Further, these same limitations apply when the individual’s personal representative, rather than the individual herself, has made the request to send a copy of the individual’s PHI to a third party.
In contrast, third parties often will directly request PHI from a covered entity and submit a written HIPAA authorization from the individual (or rely on another permission in the Privacy Rule) for that disclosure. Where the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule), the access fee limitations do not apply. However, as described above, where the third party is forwarding – on behalf and at the direction of the individual – the individual’s access request for a covered entity to direct a copy of the individual’s PHI to the third party, the fee limitations apply.
We note that a covered entity (or a business associate) may not circumvent the access fee limitations by treating individual requests for access like other HIPAA disclosures – such as by having an individual fill out a HIPAA authorization when the individual requests access to her PHI (including to direct a copy of the PHI to a third party). A HIPAA authorization is not required for individuals to request access to their PHI, including to direct a copy to a third party – and because a HIPAA authorization requests more information than is necessary or that may not be relevant for individuals to exercise their access rights, requiring execution of a HIPAA authorization may create impermissible obstacles to the exercise of this right.
Where it is unclear to a covered entity, based on the form of a request sent by a third party, whether the request is an access request initiated by the individual or merely a HIPAA authorization by the individual to disclose PHI to the third party, the entity may clarify with the individual whether the request was a direction from the individual or a request from the third party.
Finally, disclosures to a third party made outside of the right of access under other provisions of the Privacy Rule still may be subject to the prohibition against sales of PHI (i.e., the prohibition against receiving remuneration for a disclosure of PHI at 45 CFR 164.502(a)(5)(ii)). Where the prohibition applies, a covered entity may charge only a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI or a fee otherwise expressly permitted by other law or must have received a HIPAA authorization from the individual that states that the disclosure will involve remuneration to the covered entity.
Common Security Questions
Can I use email to communicate with patients?
Yes, the Privacy Rule allows covered practitioners to communicate electronically, such as through email, with their patients, provided they use reasonable safeguards. See 45 C.F.R. § 164.530(c).
You must take steps to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message. While the Privacy Rule does not prohibit the use of unencrypted email, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email. In addition, practitioners will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Remember too that an individual has the right to request and have a practitioner communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a practitioner should accommodate a patient’s request to receive appointment reminders via email, rather than on a postcard, if email is a reasonable, alternative means for that practitioner to communicate with the patient. However, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, the practitioner should offer more secure electronic methods, mail or telephone.
Patients may initiate communications with a practitioner using email. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the practitioner can alert the patient of those risks, and let the patient decide whether to continue email communications.
Remember, the patient has the right to privacy and the practitioner has an obligation to protect that privacy. Just because a patient uses poorly secured methods of communication does not absolve the practitioner of responsibilities under HIPAA and state laws. When in doubt, obtain the patient’s signed consent to use the patient’s preferred means of communication such as public, unencrypted email accounts. Practitioners should not initiate unsecure email without prior notice and consent to the patient.
You can have your information technology person or other email “guru” review this NIST technical document on Email security.
What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party?
Covered entities may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient.
However, covered entities must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity’s system.
For example, while a covered entity is not required to confirm that the individual provided the correct Email address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided Email address into the covered entity’s system.
In addition, covered entities must safeguard the information in transit and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted Email or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.
The covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Do individuals have the right to have their PHI transmitted in the manner they request, even if the transmission would be unsecure?
Yes. As long as the PHI is “readily producible” in the manner requested and the covered entity has the capability to providing the information in the manner requested.
Individuals generally have a right to receive copies of their PHI email even though there may be security risks to the PHI once it has left the covered entity’s systems. A covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests the copy be mailed or emailed. In the limited case where a covered entity is unable to email the PHI as requested, such as in the case where diagnostic images are requested and email cannot accommodate the file size of the images, the covered entity should offer the individual alternative means of receiving the PHI, such as on portable media that can be mailed to the individual.
While covered entities are required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI while in transit, individuals have a right to receive a copy of their PHI by unencrypted email if the individual requests access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email. If the individual says yes, the covered entity must comply with the request.
Whether an individual has a right to receive a copy of her PHI through other unsecure modes of transmission or transfer (assuming the individual requests the mode and accepts the risk) depends on the extent to which the mode of transmission or transfer is within the capabilities of the covered entity and the mode would not present an unacceptable level of risk to the security of the PHI on the covered entity’s systems (as explained above), based on the covered entity’s Security Rule risk analysis. For example, a covered entity’s risk analysis may provide that connecting an outside (foreign) device, such as a USB drive, directly to the entity’s systems presents an unacceptable level of risk to the PHI on the systems. In this case, the covered entity is not required to agree to an individual’s request to transfer the PHI in this manner, but the entity must offer some other means of providing electronic access to the PHI.
While an individual can receive copies of her PHI by unsecure methods, a covered entity is not permitted to require an individual to accept unsecure methods of transmission.
Is a practitioner liable if she complies with an individual’s access request to receive PHI in an unencrypted email and the information is intercepted while in transit?
No. While covered entities are responsible for adopting reasonable safeguards in implementing the individual’s request (e.g., correctly entering the email address), covered entities are not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission). This includes breach notification obligations and liability for disclosures that occur in transit. Further, covered entities are not responsible for safeguarding the information once delivered to the individual.
Covered entities are responsible for breach notification for unsecured transmissions and may be liable for impermissible disclosures of PHI that occur in all contexts except when fulfilling an individual’s right of access under 45 CFR 164.524 to receive his or her PHI or direct the PHI to a third party in an unsecure manner.
What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D.
However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required.
A covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Where the PHI that was breached is “secured” as provided for in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (available at the HHS website here), the covered entity does not have reporting obligations under the Breach Notification Rule.