The U.S. Department of Health and Human Services (HHS) released an informational guide to help individuals understand their rights to access their protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The guide answers one of the most common questions we get from dentists about HIPAA compliance:
Must email correspondence to patients be encrypted?
According to HHS, patients have a right to receive a copy of their PHI by unencrypted email if they request access in this manner. In such cases, the covered entity must provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive the PHI by unencrypted email.
If the individual says yes, the covered entity must comply with the request; however, it must apply reasonable safeguards when doing so. For example, certain precautions need to be taken when using email to avoid unintentional disclosures of PHI, such as checking the email address for accuracy before sending, sending an email alert to the patient for address confirmation prior to sending the message, and/or limiting the amount or type of information disclosed through the unencrypted email.
If an inadvertent disclosure of PHI occurs during the email transmission to the patient, then the covered entity is not liable for the disclosure (assuming the patient was warned of and accepted the risks associated with the insecure transmission). Further, covered entities are not responsible for safeguarding the information once it has been delivered to the individual.
To view the entire guide, click here.
Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered dental continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.