Even people who are pretty sophisticated about the healthcare system – and know their rights under HIPAA – face obstacles in getting copies of their health information.
On Friday, my friend Arien Malec, who has decades of experience in healthcare and life sciences and currently advises the HHS Office of the National Coordinator for Health IT (ONC) as a member of the Health Information Technology Advisory Committee, tweeted this:
Do individuals have the right under HIPAA to get copies of their health information sent to them by e-mail if that’s how they want to receive it? Yes, they do.
Under the Privacy Rule, individuals have the right to access their health information in the form or format they request, as long as it is readily producible in that form or format (45 CFR 164.524(c)(2)(i)). In guidance, the HHS Office for Civil Rights (OCR) clarified that this right extends to the way the information is delivered to the individual – and OCR has specifically stated in guidance that individuals have a right to receive copies of their PHI by email if they want it this way.
While ordinarily entities covered by HIPAA – doctors, hospitals, and health plans, for example – must send health information securely (such as by using encryption), individuals have the right to get their records by unencrypted email if they ask for it that way. The only obligation of the entity is to “provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email.” If the individual says yes, “the covered entity MUST comply with the request” (emphasis added).
OCR recognized that entities might be concerned about potentially being held responsible for records sent by unsecure email to individuals, so the agency issued even more guidance on this topic, in order to be clear that individuals have the right to get information by unsecure email if that is their choice. Specifically, OCR’s guidance provides that entities are “not responsible for a disclosure of PHI [protected health information] while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission).”
And an individual also has the right to have their health information sent by unsecure e-mail directly to a third party designee – such as a personal health record service (like Ciitizen), or to a friend or family member, or even to another health care professional or institution.
Seems pretty clear to me that refusing to honor an individual’s request to get their health information sent by email would be a violation of the HIPAA Privacy Rule.
What about individuals who want to receive their information in a way that is secure? OCR covered that as well. The guidance states that while individuals have the right to receive their health information by unsecure methods, an entity “is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.”
Arien Malec is not the only individual who has confronted obstacles in trying to get health information by email. We’ll talk about our experience in trying to help our Ciitizen users get health information via email in our Thursday blog post.