HIPAA applies to “covered entities,” which include health care practitioners, health plans and health care clearinghouses. Since 2013, HIPAA also applies directly to the “business associates” of covered entities.
One of the most misunderstood concepts relates to practitioner use of paper versus electronic records. Practitioners who do not use electronic patient records often declare themselves free of HIPAA requirements. Even if that were true, other laws would impose the same standards that HIPAA imposes, so it is often a foolish exercise.
First, avoiding electronic health records is not the same as staying outside the regulatory definition; to do that, a practitioner would have to avoid “certain transactions in electronic form.” The term is broadly defined to include electronic billing, electronic verification of health plan coverage, benefit and eligibility questions, and other electronic communications about treatment and payment for care.
Here is an HHS chart to help you decide if you are a covered entity.
If the practitioner has engaged in any covered electronic transactions then the rules apply to both paper and electronic records.
Other state, federal, and local laws govern health information privacy and would apply even in the absence of a HIPAA standard.
Yes, when you distribute your Notice of Privacy Practices, the Notice should reflect your policies and procedures. If you have none, then you are telling patients about something you don’t have. The work might be difficult, but the fine will be worse.
No. A covered entity may not withhold or deny an individual access to her PHI on the grounds that the individual has not paid the bill for health care services the covered entity provided to the individual.
Yes. If requested by an individual, a covered entity must transmit an individual’s PHI directly to another person or entity designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). A covered entity may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.
The same requirements for providing the PHI to the individual, such as the timeliness requirements, fee limitations, prohibition on imposing unreasonable measures, and form and format requirements, apply when an individual directs that the PHI be sent to another person or entity.
For example, just as when the individual requests a copy for herself, a covered entity cannot require that an individual travel to the covered entity’s physical location to request the individual’s PHI be sent to a person or entity designated by the individual.
The individual can also designate the form and format of the PHI and how the PHI is to be sent to the third party, and the covered entity must provide access in the requested form and format and manner if the PHI is “readily producible” in such a way. Whether PHI is “readily producible” depends on the capabilities of the covered entity and whether transmission or transfer of the PHI in the requested manner would present an unacceptable level of security risk to the PHI on the covered entity’s systems (based on the covered entity’s Security Rule risk analysis).
The following are just a few examples of how these provisions apply:
- A patient requests in writing that the hospital where she recently underwent a surgical procedure use its Certified EHR Technology (CEHRT) to send her discharge summary to her primary care physician, or to her own personal health record, and she supplies the corresponding Direct address (an electronic address for securely exchanging health information using the Direct technical standard).
- A patient sends a written request to his long-time physician asking the physician to download a copy of the PHI from his electronic medical record, and e-mail it in encrypted form to XYZ Research Institution, at [email protected], so XYZ Research Institution can use his health information for research purposes.
- A patient requests in writing that her ob-gyn digitally transmit records of her latest pre-natal visit to a new pregnancy self-care app that she has on her mobile phone. The ob-gyn’s EHR has the ready capability to establish the connection in a manner that does not present an unacceptable level of security risk to the PHI in the EHR or other of the ob-gyn’s systems, based on the ob-gyn’s Security Rule risk analysis.
In each of these three examples, the covered entity has the capability to transfer the PHI in the requested manner and doing so would not present an unacceptable level of security risk to the PHI in the covered entity’s systems. Thus, after receiving the patient’s written request, the covered entity has 30 days (or 60 days if an extension is applicable) to send the PHI to the designated recipient as directed by the individual. However, in most cases, it is expected that the use of technology will enable the covered entity to fulfill the individual’s request in far fewer than 30 days.
Yes, the Privacy Rule allows covered practitioners to communicate electronically, such as through email, with their patients, provided they use reasonable safeguards. See 45 C.F.R. § 164.530(c).
You must take steps to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message. While the Privacy Rule does not prohibit the use of unencrypted email, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email. In addition, practitioners will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Remember too that an individual has the right to request and have a practitioner communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a practitioner should accommodate a patient’s request to receive appointment reminders via email, rather than on a postcard, if email is a reasonable, alternative means for that practitioner to communicate with the patient. However, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, the practitioner should offer more secure electronic methods, mail or telephone.
Patients may initiate communications with a practitioner using email. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the practitioner can alert the patient of those risks, and let the patient decide whether to continue email communications.
Remember, the patient has the right to privacy and the practitioner has an obligation to protect that privacy. Just because a patient uses poorly secured methods of communication does not absolve the practitioner of responsibilities under HIPAA and state laws. When in doubt, obtain the patient’s signed consent to use the patient’s preferred means of communication such as public, unencrypted email accounts. Practitioners should not initiate unsecure email without prior notice and consent to the patient.
You can have your information technology person or other email “guru” review this NIST technical document on Email security.
Covered entities may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient.
However, covered entities must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity’s system.
For example, while a covered entity is not required to confirm that the individual provided the correct email address of the third party, the covered entity is required to have reasonable procedures to ensure that it correctly enters the provided email address into the covered entity’s system.
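The two safeguards described here and in the email-communication answer above (checking the destination address for accuracy before sending, and sending an alert to the address for confirmation before the message itself goes out) can be made a mechanical part of a release workflow rather than left to memory. The following is an added illustration, not code from HHS or from any covered entity's system: it uses a double-entry check to catch transcription errors when the address is keyed in, and holds the PHI until a confirmation code sent to that address is returned. The `ReleaseWorkflow` class, the `outbox` stand-in for a mail transport, and all sample addresses are constructed for the example.

```python
"""Constructed example of a "confirm the address before releasing PHI" workflow.

Not part of the HHS FAQ; the class and its mail stand-in are hypothetical.
"""
import hmac
import re
import secrets
from dataclasses import dataclass

# Deliberately simple syntactic check (not full RFC 5322): one "@", a dot in the
# domain, no whitespace. Its job is to reject obvious keying errors early.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_address(addr: str) -> str:
    """Strip surrounding whitespace and lower-case the domain part.

    The local part is kept as entered, since it may be case-sensitive.
    """
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    return f"{local}@{domain.lower()}"


def validate_address(entered: str, reentered: str) -> str:
    """Double-entry check: both entries must be well-formed and identical.

    Raises ValueError so a typo is caught before anything is sent.
    """
    first, second = normalize_address(entered), normalize_address(reentered)
    if not _ADDR_RE.match(first):
        raise ValueError(f"address is not well-formed: {entered!r}")
    if first != second:
        raise ValueError("re-entered address does not match; possible transcription error")
    return first


@dataclass
class PendingRelease:
    request_id: str
    recipient: str
    token: str            # confirmation code emailed to the recipient
    confirmed: bool = False


class ReleaseWorkflow:
    """Holds PHI releases that are waiting on recipient address confirmation.

    `outbox` stands in for the mail transport and only records what would be sent.
    """

    def __init__(self) -> None:
        self.pending = {}   # request_id -> PendingRelease
        self.outbox = []    # list of messages "sent"

    def start(self, request_id: str, entered: str, reentered: str) -> PendingRelease:
        """Validate the keyed-in address and send a PHI-free confirmation alert."""
        recipient = validate_address(entered, reentered)
        release = PendingRelease(request_id, recipient, secrets.token_urlsafe(16))
        self.pending[request_id] = release
        # The alert carries only the code, never the PHI, so a wrong address
        # at this stage discloses nothing.
        self.outbox.append({
            "to": recipient,
            "kind": "address_confirmation",
            "body": f"Reply with code {release.token} to confirm this address.",
        })
        return release

    def confirm(self, request_id: str, presented_token: str) -> bool:
        """Mark the release confirmed if the presented code matches (constant-time compare)."""
        release = self.pending.get(request_id)
        if release is None or not hmac.compare_digest(release.token, presented_token):
            return False
        release.confirmed = True
        return True

    def release(self, request_id: str, phi_payload: str) -> bool:
        """Send the PHI only after the address has been confirmed."""
        release = self.pending.get(request_id)
        if release is None or not release.confirmed:
            return False  # PHI never leaves before the address is confirmed
        self.outbox.append({"to": release.recipient, "kind": "phi", "body": phi_payload})
        del self.pending[request_id]
        return True
```

The ordering is the point: the first message to a newly entered address contains no PHI, so a mis-keyed address at worst sends a meaningless code to a stranger, and the record itself goes out only after someone at that address has answered. The same gate is a natural place to record the patient's acknowledgement of the unencrypted-email risk discussed later on this page.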
In addition, covered entities must safeguard the information in transit and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted Email or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.
The covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Yes, they can demand electronic copies such as PDFs, as long as the PHI is “readily producible” in the manner requested and the covered entity has the capability to provide the information in that manner.
Individuals generally have a right to receive copies of their PHI by email, even though there may be security risks to the PHI once it has left the covered entity’s systems. A covered entity may not require that an individual travel to the covered entity’s physical location to pick up a copy of her PHI if the individual requests the copy be mailed or emailed. In the limited case where a covered entity is unable to email the PHI as requested, such as where diagnostic images are requested and email cannot accommodate the file size of the images, the covered entity should offer the individual alternative means of receiving the PHI, such as on portable media that can be mailed to the individual.
While covered entities are required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI while in transit, individuals have a right to receive a copy of their PHI by unencrypted email if the individual requests access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email. If the individual says yes, the covered entity must comply with the request.
Whether an individual has a right to receive a copy of her PHI through other unsecure modes of transmission or transfer (assuming the individual requests the mode and accepts the risk) depends on the extent to which the mode of transmission or transfer is within the capabilities of the covered entity and the mode would not present an unacceptable level of risk to the security of the PHI on the covered entity’s systems (as explained above), based on the covered entity’s Security Rule risk analysis. For example, a covered entity’s risk analysis may provide that connecting an outside (foreign) device, such as a USB drive, directly to the entity’s systems presents an unacceptable level of risk to the PHI on the systems. In this case, the covered entity is not required to agree to an individual’s request to transfer the PHI in this manner, but the entity must offer some other means of providing electronic access to the PHI.
While an individual can receive copies of her PHI by unsecure methods, a covered entity is not permitted to require an individual to accept unsecure methods of transmission.
If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR Part 164, Subpart D.
However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required.
A covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.
Where the PHI that was breached is “secured” as provided for in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (available at the HHS website here), the covered entity does not have reporting obligations under the Breach Notification Rule.