HIPAA requires that covered entities (organizations who provide treatment to patients, bill insurance plans, or create protected health information (PHI)) must protect their PHI. This protection extends to sending and receiving PHI. Moreover, there are specific rules for how to send PHI to outside entities like other practices, insurance companies, and patients themselves.
First, let's define Protected Health Information.
Protected Health Information is medical information that contains any of the following uniquely identifying characteristics:
- Names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
That’s a pretty hefty list of uniquely identifying characteristics. Basically, if a piece of information can be used to single out a person’s medical information, all of that information becomes Protected Health Information.
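To make the thresholds in the list above concrete (three-digit zip codes, year-only dates, ages over 89), here is an added Python example that is not part of the original article; it applies those rules to a constructed record. The restricted zip-prefix set, the field names and the sample record are assumptions, not values from the page.

```python
import re
from datetime import date

# Constructed placeholder: three-digit zip prefixes whose combined area holds
# 20,000 or fewer people must become "000". Populate this set from the current
# Census data before use; the two values here are illustrative only.
RESTRICTED_ZIP3 = {"036", "059"}

# Direct identifiers from the list above that are dropped outright
# (constructed field names).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "ip"}

def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_date(iso_date: str) -> str:
    """Only the year of a date directly related to the individual may stay."""
    return str(date.fromisoformat(iso_date).year)

def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90 or older'."""
    return "90+" if age > 89 else str(age)

def safe_harbor_birth_year(dob: str, as_of: str) -> str:
    """A birth year that itself reveals an age over 89 is suppressed too."""
    born, today = date.fromisoformat(dob), date.fromisoformat(as_of)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return "90+" if age > 89 else str(born.year)

def deidentify(record: dict, as_of: str) -> dict:
    """Apply the rules to one record; non-identifying fields pass through."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = safe_harbor_zip(record["zip"])
    out["dob"] = safe_harbor_birth_year(record["dob"], as_of)
    out["admitted"] = safe_harbor_date(record["admitted"])
    out["age"] = safe_harbor_age(record["age"])
    return out

# Constructed sample record, not real patient data.
SAMPLE = {"name": "J. Doe", "ssn": "000-00-0000", "zip": "03601-1234",
          "dob": "1930-02-20", "admitted": "2023-05-14", "age": 93,
          "diagnosis": "example"}

if __name__ == "__main__":
    print(deidentify(SAMPLE, "2023-06-01"))
```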
Sending PHI through email
The most common way to exchange information these days is via email. This will likely be the easiest way to get patient records over to other practices or to send a record to a patient who is requesting something. So it’s important to distinguish between standard email and encrypted email. Many practices assume that because their email system uses SSL or TLS encryption, it’s encrypted to HIPAA standards, and they never give it another thought. Almost all email systems (Gmail, Hotmail, Yahoo, GoDaddy, Microsoft Exchange, Outlook.com, AOL, etc.) are encrypted with either SSL or TLS. This protects the contents of the email from being intercepted in transit between the sender and the receiver. HIPAA says this is not enough.
HIPAA requires that when sending an email containing PHI, you accomplish 3 things:
- Encrypt the PHI so that it can’t be intercepted by an unintended party.
- Verify the identity of the receiving party before they can open the encrypted email attachment.
- Have a way to revoke access to the encrypted attachment when it is no longer needed, or if it was sent in error.
To achieve all three of these goals, your practice will generally want to employ an email encryption service like Virtru or Hushmail. These services separate the file attachment (which you can use to send PHI) from the rest of the email so that PHI isn’t stored in non-secure ways. They make users on the receiving end of the email confirm their identity before allowing the file attachment to be viewed. And they allow the file attachment to be revoked at any time, either by setting an expiration date or by manually revoking access. Also, your practice will need a Business Associate Agreement on file with any encryption service you decide to use. The encryption service has to commit to protecting your PHI while it is being transferred or stored on their systems.
Using a standard email account without a secure encrypted file attachment to send PHI is a violation of the HIPAA security and privacy rules. There is nothing to stop an unintended recipient from opening a sensitive attachment and there is no way to revoke access to the PHI after the email is sent.
As with all communications involving PHI, you should be logging any time you send or receive PHI. A patient has the right to know who you sent their PHI to. Your practice software likely has a place for you to log these PHI disclosures.
Sending PHI through the mail
When sending PHI through the mail, you must use certified mail or a similar service that requires a signature from the recipient. This is to ensure that any PHI makes it to its destination. If you don’t have a record of when the PHI was both sent and received, you can’t be sure who has the PHI if you are audited. And if a patient wanted a complete list of all entities that have access to their PHI, you couldn’t give them an accurate list without proper record keeping. With certified mail, you will have the signature of the person who received the letter and the date and time when they received it.
Using standard mail is not allowed because of the lack of tracking inherent to standard mail.
Face to face and phone conversations
Face to face conversations and phone calls are both common ways practices disclose PHI. All PHI disclosures should be tracked. Accordingly, you must keep a log if you gave out PHI via conversation or phone call. Again, the patient has a right to know who has access to their PHI. If you communicated PHI to another doctor, for instance, and now that doctor is aware of your patient’s medical information, your patient has the right to know that.
Faxing PHI
Faxing is considered a gray area as far as HIPAA is concerned. HIPAA recognizes that fax machines are sometimes the only way for one practice to quickly send information to another entity. At the same time, HIPAA is aware that fax technology is inherently insecure. Faxes can be intercepted via phone tap, and fax machines generally just print out any fax that comes through and leave it sitting in the tray for all to see. These problems are hard to overcome for most practices, but you can make some headway in securing your fax to eliminate many chances of a breach occurring.
The HIPAA security rule says that fax machines should be kept behind a locked door. This way non-employees cannot easily access any faxes that may have printed out, but not been picked up yet. And if your fax machine supports it, faxes should be stored in the fax machine’s memory until an authorized user signs in to the fax machine and prints them out.
I expect that as secure encrypted email becomes more prevalent, the HIPAA security rule will be updated to remove faxing from the list of approved methods to send PHI.
You should get into the habit now of avoiding faxes that contain PHI and only use this method as a last resort.