Can patients request unsecured communication of PHI?

HIPAA provisions ensure that individuals can select their preferred communication method, balancing their convenience with the security of their PHI. This extends to even insecure methods of communication that do not meet the healthcare organizations' security standards.

Can patients choose communication methods with providers?

HIPAA's Privacy Rule places a significant emphasis on respecting and accommodating an individual's preferences when it comes to the form of communication for their healthcare information. Patients have the right to choose whether they receive their medical records and protected health information (PHI) in a paper or electronic format, allowing them to opt for what aligns best with their needs and preferences.

This flexibility extends to how patients wish to be contacted regarding their health information, whether through traditional mail, HIPAA compliant email, or another convenient and secure method. Individuals have the autonomy to tailor the way they access their health records.

HIPAA's Right of Access

Individuals have the privilege of accessing and acquiring copies of their medical records and PHI held by healthcare organizations. This entitlement empowers people to review their medical data, rectify errors, and actively participate in healthcare decisions. Access to these records helps patients comprehend their medical history, make informed choices about their health, and communicate necessary details with other healthcare providers.

To exercise this right, patients typically need to send a written request to the healthcare provider or organization that keeps their records. The healthcare entity should respond promptly and charge a reasonable fee for providing the copies. While there might be exceptions and limitations, like psychotherapy notes or information tied to legal proceedings, this right fosters transparency and encourages patients to engage in their healthcare.

In the news: UnitedHealthcare settles with HHS over right of access violation

Can a patient request an unsecured method of communication?

Yes, a patient can request an unsecured method of communicating their PHI under HIPAA. HIPAA respects the individual's right to choose how they receive their PHI, even if the requested mode of communication is unsecure. However, healthcare providers must evaluate the security risks involved in the requested method and offer alternatives if necessary. 

Patients can, for instance, opt for unencrypted email transmission, acknowledging the potential security risks, as long as they are informed of these risks and still wish to proceed. Ultimately, this provision ensures that patients have the autonomy to select their preferred communication method while considering their own comfort and convenience.

Can a healthcare provider reject a patient request if the communication method is unsecure?

A healthcare provider may reject a patient's request for their preferred unsecured method of communication under certain circumstances, particularly if the requested mode poses unacceptable security risks to the patient's PHI within the provider's systems. However, HIPAA recognizes a patient's right to choose their communication method, even if it's unsecure, and healthcare providers should strive to accommodate these preferences. If the provider declines the requested method, they are generally obligated to offer alternative ways to provide access to the PHI securely.

Secure communication options to recommend to patients

1. Encrypted email: Use email services that offer encryption to protect the confidentiality of messages.
2. HIPAA compliant messaging apps: Utilize secure messaging applications designed for healthcare communication, which offer secure encryption.
3. Password-protected documents: Share password-protected files containing health information, ensuring the password is shared securely.
4. Certified mail: Opt for traditional mail services with certified or tracked delivery for physical documents.
5. In-person pickup: Choose to collect physical copies of health records in person from the healthcare provider's office.

See also: Understanding the Individual Choice Principle and HIPAA