HIPAA requires that covered entities (organizations that provide treatment to patients, bill insurance plans, or create protected health information (PHI)) protect their PHI. This protection extends to sending and receiving PHI. Moreover, there are specific rules for how to send PHI to outside entities like other practices, insurance companies, and patients themselves.

First, let's define Protected Health Information.

That's a pretty hefty list of uniquely identifying characteristics. Basically, if a piece of information can be used to single out a person's medical information, all of that information becomes Protected Health Information.

Sending PHI through email

The most common way to exchange information these days is via email. This will likely be the easiest way to get patient records over to other practices or to send a record to a patient who is requesting one. So it's important to distinguish between standard email and encrypted email. Many practices assume that because their email system uses SSL or TLS encryption, it's encrypted to HIPAA standards, and they never give it another thought. Almost all email systems (Gmail, Hotmail, Yahoo, GoDaddy, Microsoft Exchange, Outlook.com, AOL, etc.) are encrypted with either SSL or TLS. This protects the information in the email from being intercepted somewhere between the sender and the receiver, but only while it is in transit; once the message lands in a mailbox, it sits there in the clear. HIPAA says this is not enough.

HIPAA requires that when sending an email containing PHI, you accomplish 3 things:

To achieve all three of these goals, your practice will generally want to employ an email encryption service like Virtru or Hushmail. These services separate the file attachment (which you can use to send PHI) from the rest of the email so that PHI isn't stored in non-secure ways. They make users on the receiving end of the email confirm their identity before allowing the file attachment to be viewed. And they allow the file attachment to be revoked at any time, either by setting an expiration date or by manually revoking access. Also, your practice will need a Business Associate Agreement on file with any encryption service you decide to use. The encryption service has to commit, in writing, to protecting your PHI while it is being transferred or stored on their systems.

Using a standard email account without a secure encrypted file attachment to send PHI is a violation of the HIPAA security and privacy rules. There is nothing to stop an unintended recipient from opening a sensitive attachment and there is no way to revoke access to the PHI after the email is sent.

As with all communications involving PHI, you should be logging any time you send or receive PHI. A patient has the right to know who you sent their PHI to. Your practice software likely has a place for you to log these PHI disclosures.
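To make the three controls above concrete (PHI kept out of the email body, recipient identity confirmed before viewing, access revocable by expiry or by hand) and the disclosure log that goes with them, here is a small model of such a service. It is an added example, not code from this page and not the implementation used by Virtru, Hushmail, or any other product; the class and method names, the out-of-band one-time code used to stand in for identity confirmation, and the log fields are all assumptions chosen for illustration.

```python
import secrets
import hmac
import time
from dataclasses import dataclass


@dataclass
class Share:
    """One PHI attachment held by the service. The email only carries a link to it."""
    attachment: bytes
    recipient: str        # identity the recipient must confirm before viewing
    one_time_code: str    # delivered to the recipient separately, never in the email
    expires_at: float     # epoch seconds; access is refused at or after this time
    revoked: bool = False


class SecureAttachmentService:
    """Hypothetical model of an encrypted-attachment email service (assumption, not a real API)."""

    def __init__(self):
        self._shares = {}
        # Accounting-of-disclosures record: who was sent which patient's PHI, when, and how.
        self.disclosure_log = []

    def send(self, sender, recipient, patient_id, attachment, ttl_seconds, now=None):
        """Register an attachment for a recipient and log the disclosure.

        Returns (share_id, one_time_code). Only share_id belongs in the email body;
        the code goes to the recipient out of band so the recipient must prove identity.
        """
        now = time.time() if now is None else now
        share_id = secrets.token_urlsafe(12)
        code = secrets.token_urlsafe(12)
        self._shares[share_id] = Share(attachment, recipient, code, now + ttl_seconds)
        self.disclosure_log.append({
            "patient_id": patient_id,
            "sent_by": sender,
            "sent_to": recipient,
            "method": "encrypted email attachment",
            "sent_at": now,
            "share_id": share_id,
        })
        return share_id, code

    def revoke(self, share_id):
        """Manually revoke access, regardless of the expiration date."""
        self._shares[share_id].revoked = True

    def open(self, share_id, claimed_identity, code, now=None):
        """Return the attachment only if identity is confirmed and access is still valid."""
        now = time.time() if now is None else now
        share = self._shares.get(share_id)
        if share is None:
            return None
        # Identity confirmation: the claimed identity must match the intended recipient
        # and the caller must present the code that was delivered to that recipient.
        if claimed_identity != share.recipient:
            return None
        if not hmac.compare_digest(code, share.one_time_code):
            return None
        # Revocation: either an explicit revoke or a passed expiration date blocks access.
        if share.revoked or now >= share.expires_at:
            return None
        return share.attachment

    def accounting_of_disclosures(self, patient_id):
        """Everything a patient is entitled to see about where their PHI was sent."""
        return [e for e in self.disclosure_log if e["patient_id"] == patient_id]


if __name__ == "__main__":
    svc = SecureAttachmentService()
    # Constructed sample: a record for a fictitious patient sent to another practice.
    sid, code = svc.send("frontdesk@clinic.example", "records@otherpractice.example",
                         "patient-0001", b"visit summary (constructed sample)", ttl_seconds=3600, now=1000.0)
    print(svc.open(sid, "records@otherpractice.example", code, now=1500.0))   # the attachment
    print(svc.open(sid, "someone@else.example", code, now=1500.0))            # None: wrong identity
    svc.revoke(sid)
    print(svc.open(sid, "records@otherpractice.example", code, now=1500.0))   # None: revoked
    print(svc.accounting_of_disclosures("patient-0001"))
```

The `now` parameter exists so the expiry and revocation paths can be exercised deterministically; a real service would use the clock. Note that the disclosure is logged at send time, not at open time, because the obligation to account for a disclosure arises when the PHI leaves your control, whether or not the recipient ever opens it.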

Sending PHI through the mail

When sending PHI through the mail, you must use certified mail or a similar service that requires a signature from the recipient. This is to ensure that any PHI makes it to its destination. If you don't have a record of when the PHI was both sent and received, you can't be sure who has the PHI if you are audited. And if a patient wanted a complete list of all entities that have access to their PHI, you couldn't give them an accurate list without proper record keeping. With certified mail, you will have a signature from the person who received the letter and the date and time when they received it.

Using standard mail is not allowed because of the lack of tracking inherent to standard mail.

Face to face and phone conversations

Face to face conversations and phone calls are both common ways practices disclose PHI. All PHI disclosures should be tracked. Accordingly, you must keep a log whenever you give out PHI in a conversation or phone call. Again, the patient has a right to know who has access to their PHI. If you communicated PHI to another doctor, for instance, and that doctor is now aware of your patient's medical information, your patient has the right to know that.

Faxing PHI

Faxing is considered a gray area as far as HIPAA is concerned. HIPAA recognizes that fax machines are sometimes the only way for one practice to quickly send information to another entity. At the same time, HIPAA is aware that fax technology is inherently insecure. Faxes can be intercepted via phone tap, and fax machines generally just print out any fax that comes through and leave it sitting in the tray for all to see. These problems are hard to overcome for most practices; nonetheless, you can make some headway in securing your fax to eliminate many of the chances of a breach occurring.

The HIPAA security rule says that fax machines should be kept behind a locked door. This way non-employees cannot easily access any faxes that have printed out but not yet been picked up. And if your fax machine supports it, faxes should be stored in the fax machine's memory until an authorized user signs in to the fax machine and prints them out.

I expect that as secure encrypted email becomes more prevalent, the HIPAA security rule will be updated to remove faxing from the list of approved methods to send PHI.

You should get into the habit now of avoiding faxes that contain PHI and only use this method as a last resort.