Health care providers frequently ask us whether they have to encrypt emails, particularly those sent to patients who have asked for an emailed copy of their health records. Since patients have a right to receive electronic copies of their health records, emailing them a copy when they ask for it seems like the right thing to do.
Unfortunately, the decision actually is more complicated. HIPAA requires that all electronic transmissions of protected health information (PHI) be encrypted. That means ALL of them … fax, email, web-based and otherwise. The requirement applies regardless of the identity of the recipient or patient, and the recipient cannot “undo” or waive the requirement by consenting to the receipt of unencrypted emails.
Because encryption can be expensive and technically difficult to implement, HIPAA does include an exception of sorts. You may hear the encryption requirements and certain other HIPAA security requirements referred to as “addressable” — that designation means the requirements can be treated as optional if the following “exception” applies.
Before it can decide not to encrypt electronic transmissions of PHI, a HIPAA-covered entity must engage in a feasibility analysis. The analysis must consider each of the following factors:
- Size, complexity and capabilities of the covered entity
- Covered entity’s technical infrastructure, hardware and software security capabilities
- Costs of security measures
- Probability and criticality of potential risks to electronic PHI
If encryption proves to be too expensive and difficult in comparison to the covered entity’s size and capabilities and seems to add little value to the overall security of PHI, then HIPAA allows the covered entity to forego encryption. HIPAA requires, however, that the covered entity implement an equivalent, alternative security measure if it is “reasonable and appropriate” to do so (as determined using the same analysis described above), which invites covered entities to evaluate several options to determine which is the most appropriate. In all cases, the covered entity must document its analysis and decisions.
One more time in English? Health care providers are allowed to send PHI in unencrypted emails but only after they engage in the analysis described above and document their determination. It is a violation of the HIPAA Security Rule to send unencrypted emails containing PHI without first having performed and documented that analysis. A single violation can carry a penalty as high as $50,000, a useful figure to contemplate if you think encryption is too expensive to implement. Encryption also carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected were encrypted and the encryption key has not been compromised.
Other solutions besides encrypted email may be more prudent when patients request copies of their records. For example, physician practices that maintain patient portals are able to provide patients with access to records and (often) communications through a secure website. Another alternative is to ask patients to come by and pick up a copy of their electronic health record on a password-protected CD. It’s also appropriate to check some form of ID when patients arrive to pick up the records. Share the password with them only after verifying their identity.
For patients who simply insist on receiving email, if that email cannot be encrypted then a health care provider may be left with two unappealing choices. Choice one is to refuse, in which case patients may rightly insist that the provider has not respected their right (guaranteed by the HITECH Act) to receive a copy of their electronic health records. Choice two is to fulfill the request, send the unencrypted email, and risk violating the HIPAA Security Rule. We think the better choice is to send the email, but only after the health care provider engages in the required feasibility analysis and documents the outcome as described above to help ensure Security Rule compliance. It’s also a good idea to advise patients of the potential risks and insecure nature of email, and then ask again if they really want the record sent in that manner. To be clear, however, the patients’ informed consent to the insecure nature of email does not alleviate the provider’s requirement to engage in the feasibility analysis.
If unencrypted email is still the choice of both the provider and the patient, then as a precautionary move health care providers should consider sending records via email by appending a password-protected file. Once sent, the provider can call the patient to share the password by phone. That follow-up phone call facilitates two things: first, the provider can confirm that the patient actually received the email; and second, the password is not disclosed until the patient has received the records. If the email is accidentally sent to the wrong place, the recipient is less likely to be able to open the file and view health information without the password. Although taking these measures will not meet HIPAA’s encryption requirement (providers seeking an exception still have to do the feasibility analysis), they do minimize the likelihood of an inadvertent disclosure that could anger patients and lead to a HIPAA complaint.