Is Emailing Medical Records HIPAA Compliant?

Written By: Josh Schwadron, Chief Executive Officer

Published On: January 1, 2021

Quick Answer

The short answer is: not really. Here is the long answer on what HIPAA says about email.

For a healthcare provider, one of the biggest headaches in HIPAA compliance is sending private medical documents to external parties who are entitled to receive them. Personal injury law firms routinely request bills and records for a patient in order to pursue a legal case, leaving providers to find a HIPAA-compliant way to transmit those documents. A common question is whether emailing documents through a standard email service like Gmail or AOL meets the encryption standards in HIPAA's Security Rule. Read on as we answer the question: is it a HIPAA violation to email medical records?

HIPAA Email Compliance & Electronic Communication Regarding Patient Data

So, what does HIPAA actually require? The relevant language is in the Security Rule, not the Privacy Rule: a healthcare provider must "implement a mechanism to encrypt electronic protected health information," both where it is stored and whenever it is transmitted over a network, or put an equivalent safeguard in place. Encryption is an "addressable" implementation specification, but addressable does not mean optional: a provider that chooses not to encrypt has to document why that is reasonable and implement an equivalent alternative. This requirement is sometimes misread as nothing more than password-protecting the email account. A password protects the login; it does nothing for the message once it is in transit or sitting on a mail server. So can a HIPAA-compliant email be sent from an account that does not encrypt the message itself?

Prominent HIPAA healthcare attorney Vinay Bhupathy of Sheppard Mullin puts it this way:

“I advise my medical provider clients not to use the standard Gmail, AOL, or other non-encrypted email services to send patients' health records. This is due to two main reasons: (i) increased risks of data breaches due to hacking, phishing, and related digital attacks; and (ii) the 2019 enforcement discretion ruling from the U.S. Department of Health and Human Services, which has increasing caps on penalties for providers for violation of HIPAA based on the level of culpability. Due to the substantial development and maintenance costs which can be associated with custom encryption solutions, I frequently recommend clients look for plug and play solutions with reputable providers that can provide security at a reasonable cost.”

What is End-to-End Encryption?

Encryption transforms a message into ciphertext that can only be read by someone holding the right key. Anyone who intercepts the message while it travels from your email provider across the internet to the recipient's provider sees nothing useful, and the same holds for anyone who reads it off a disk where it is stored.

When you send a document by email, it passes through at least four places where it can be read or intercepted: your computer, your email provider's server, the recipient's email provider's server, and the recipient's computer, plus the network links between them. End-to-end encryption means the message is encrypted on your computer and can only be decrypted on the recipient's: the servers in between store and forward ciphertext they cannot read. That is a stronger property than transport encryption (TLS), which protects each network hop separately but leaves the message readable by every server along the way.

Gmail encrypts messages in transit with TLS and encrypts them at rest on Google's servers, but neither is end-to-end: Google's servers can read the message, and once it leaves Google for another provider, the protection on that hop depends on the receiving server supporting TLS. A message to another Gmail account never leaves Google's infrastructure; a message to a law firm's own mail server, or to an ISP account, may be handed off over an unencrypted connection and may then sit unencrypted on the receiving side. A consumer Gmail account also comes with no business associate agreement. Sending records through a standard Gmail account therefore exposes them to every system and party along that path.
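One way to see the hop-by-hop nature of transport encryption is to read the Received: headers that each mail server prepends to a delivered message. The following script is an added example, not code from the original article or from Mighty.com: it parses the chain and flags hops whose "with" keyword (ESMTPS, ESMTPSA and similar, per RFC 3848) indicates TLS. The sample message is constructed for illustration, with hostnames and addresses from reserved example ranges. Even when every hop shows TLS, every server in the chain still handled the plaintext; that is the gap end-to-end encryption closes.

```python
"""Audit an SMTP Received: chain for hops that did not use TLS.

Added example; not code from the original article. The sample message
below is constructed, with documentation-range IPs and example hostnames.
"""
import email
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a clinic desktop submits a message to its mail provider
# without TLS ("with ESMTP"); the provider then relays it to the law firm's
# MX over TLS ("with ESMTPS"). Servers prepend Received: headers, so the
# newest hop appears first.
SAMPLE_EML = (
    "Received: from mail-provider.example.net (mail-provider.example.net [203.0.113.10])\n"
    "\tby mx.lawfirm.example.org with ESMTPS id abc123\n"
    "\tfor <records@lawfirm.example.org>; Mon, 4 Jan 2021 10:02:11 -0500\n"
    "Received: from clinic-desktop.example.com (unknown [198.51.100.7])\n"
    "\tby mail-provider.example.net with ESMTP id xyz789;\n"
    "\tMon, 4 Jan 2021 10:01:59 -0500\n"
    "From: records@clinic.example.com\n"
    "To: records@lawfirm.example.org\n"
    "Subject: Records request\n"
    "\n"
    "Records attached.\n"
)

# "from <src> ... by <dst> ... with <protocol>" is the RFC 5321 trace shape.
_HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    src: str
    dst: str
    proto: str
    tls: bool


def _proto_used_tls(proto: str) -> bool:
    """RFC 3848 'with' keywords: a trailing S (before an optional A for an
    authenticated session) means the hop used TLS, e.g. ESMTPS, ESMTPSA,
    UTF8SMTPS. Anything else (SMTP, ESMTP, ESMTPA, vendor-specific strings)
    is treated as not proven encrypted."""
    p = proto.upper()
    if p.endswith("A"):
        p = p[:-1]
    return p.endswith("S")


def audit_received(raw_message: str) -> List[Hop]:
    """Return the hops in delivery order (oldest first), each with a TLS verdict."""
    msg = email.message_from_string(raw_message)
    hops: List[Hop] = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        m = _HOP_RE.search(text)
        if not m:
            # Unparseable trace line: report it rather than silently trusting it.
            hops.append(Hop("?", "?", "unknown", False))
            continue
        proto = m.group("proto")
        hops.append(Hop(m.group("src"), m.group("dst"), proto, _proto_used_tls(proto)))
    return hops


def cleartext_hops(hops: List[Hop]) -> List[Hop]:
    """Hops where the trace does not show TLS; these are where a network
    eavesdropper could have read the message and its attachments."""
    return [h for h in hops if not h.tls]


if __name__ == "__main__":
    for h in audit_received(SAMPLE_EML):
        print(f"{h.src} -> {h.dst}: {h.proto:<8} TLS={h.tls}")
```

Run it against a real .eml saved from a mailbox and look for the first hop: the desktop-to-provider leg is the one most often found without TLS when a mail client is configured on port 25 without STARTTLS. Exchange and some cloud providers write vendor-specific "with" strings, which this check deliberately reports as unproven rather than encrypted.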

How to Avoid a HIPAA Violation

So, can medical records be emailed while still adhering to HIPAA rules? Only if the message and its attachments are protected in a way that satisfies the Security Rule, and a standard email account does not do that on its own.

Remember:

  • Attaching your patient's medical documents to an unencrypted email and sending it to a law firm very well may be a HIPAA violation.

There are several ways to adhere to the Security Rule and avoid this:

Secure Message Portals

You may have heard of patient portals, which allow for secure messaging and transmission of documents between the healthcare provider and patients through a secure cloud-based browser application.

Law firm portals (LFPs) perform a similar function, allowing providers to store documents in a secure location that is also accessible to the personal injury law firm representing their patient, as long as that firm is authorized by the patient to receive them.

An LFP supports HIPAA compliance by encrypting documents in transit and at rest and by restricting access to users the patient has authorized, so the document never travels through a mail server at all. Law firms often prefer portals to the options below since portals can be organized and tailored to meet the firm's needs.

Shameless plug: Mighty.com offers the only law firm portal software for a healthcare provider that wants its own portal but does not have the time or resources to build one itself.

End-to-End Email Encryption Services

If you want to share documents by email exclusively, you need an encrypted email service that provides end-to-end encryption for every message you send, such as ZixMail. If the recipient does not use the same service, they are notified and must log in to a secure web portal to retrieve the message. These services require little setup, but they are cumbersome in day-to-day use because every message has to be retrieved through that extra step.

Cloud-Based Email Servers

Another option is a cloud-based HIPAA-compliant email service such as Office 365. Your connection to the service is encrypted and the provider encrypts stored mail, so documents sent to a law firm on the same service are protected in transit and at rest. You will also need a signed business associate agreement (BAA) with the provider, since its servers store ePHI on your behalf.

While this can satisfy HIPAA, it is not recommended here because the protection holds only when the recipient also has an account on the same service. If you work with multiple law firms, expecting all of them to use your provider is unrealistic.

About the author

Joshua is a lawyer and tech entrepreneur who speaks and writes frequently on the civil justice system. Previously, Joshua founded Betterfly, a VC-backed marketplace that reimagined how consumers find local services by connecting them to individuals rather than companies. Betterfly was acquired by Takelessons in 2014. Joshua holds a JD from Emory University, and a BA in Economics and MA in Accounting from the University of Michigan.
