HIPAA Compliance: Data By Email

Today we’re going to take a look at two particular rights you have as a patient when requesting your personal records from a medical institution. I’m going to copy and paste them directly from my colleague Deven McGraw’s blog post outlining patient health data rights under HIPAA:

  1. You have the right to an electronic copy of any information that is maintained electronically (such as in an electronic medical record) — and you even have the right to have paper copies scanned into an electronic format (such as PDF) if the institution or organization has scanning capabilities.

  2. You have the right to get your health information sent to you by email — even if your email isn’t secure, as long as you acknowledge that you are comfortable with receiving your health information this way.

In short: all hospitals today should be able to send you your health information via email. Hospitals still communicate medical information - both with patients and with doctors and other hospitals - by fax, and most likely use electronic, cloud-based fax services, which also offer e-mail as an option. Hospitals that have this capability must deploy it to send records to a patient if that is consistent with the patient’s request.

Continuing with our comparison of the statistics quoted in Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records, let’s take a look at what that team uncovered in terms of compliance with these two rights:

  • All hospitals stated in telephone calls and on the forms that they could release information via mail.

  • Hospitals that said they were unable to provide records to patients by fax stated that they could fax records - but only to physicians.

  • Two hospitals reported not being able to release records electronically if the records were originally in a paper format.

Regular mail compliance is not a problem, and—if you’re lucky—you might get your data via fax, but what about our HIPAA right as patients to have our data sent via email? Of the 83 hospitals surveyed as part of the study, here’s the breakdown of options provided (so long as you could get them on the phone, as the options offered on the form were far worse):

  • 69 of them offered in-person pick up

  • 55 would provide the information via CD-ROM

  • Yet, only 39 out of 83 hospitals (47%) were able to email patient records upon request.

That means roughly half of the hospitals in the Yale report are likely non-compliant with the HIPAA regulations allowing patients to have their health records sent to them via email. Our numbers at Ciitizen were, surprisingly, a bit better.

  • 68% of the institutions we’ve worked with on behalf of patients were able to provide the data digitally via email, yet that still means roughly a third of the hospitals could not.

  • 16% could only provide digital records via CD-ROM (sent via mail) and another 16% only allowed for paper records.

  • And while 68% were willing to use e-mail, that willingness occurred only after escalating the request to a supervisor or someone in the hospital’s HIPAA compliance office.

Of course, we already know that simply getting access to your medical records in ANY format already requires multiple phone calls, most of which require escalations up the food chain to privacy officers. It should therefore come as no surprise to find so many institutions out of HIPAA compliance with other aspects of their data release procedures as well.

-Nasha Fitter