2 min read

HITECH and patients rights to access records by email

Picture of Kirsten Peremore Kirsten Peremore August 29, 2023

HIPAA compliance Patient privacy
Healthcare provider showing patient medical records on laptop in bed

HITECH emphasizes patients' rights to access their health information electronically. This includes the right to request and receive copies of their medical records in electronic formats. This right extends to patients' access to these records by use of email communication.

.

HITECH and the right to access electronic formats 

To promote modernization and patient engagement, HITECH granted individuals the authority to request and receive copies of their medical records in electronic form. This groundbreaking provision allowed patients to interact with their health data more effectively. 

Under HITECH, covered entities must comply with these electronic requests, provided they maintain electronic health records and can readily produce them in the requested format. This right's impact plays a role in the subsequent Interoperability Rules, which amplify patients' control over their protected health information (PHI), enabling them to access it through applications of their preference.

 

How does this right apply to email?

The HITECH Act applies to email in the context of patients' ability to receive their health records electronically. Patients have the right to request their health information in electronic format, including through email, provided the covered entity maintains records electronically and can readily produce them in the requested format. 

This means that patients can choose to receive their health records via email, allowing for a more convenient and efficient way to access their medical information. However, note that while patients have the right to receive health information via email, covered entities must ensure that the transmission is secure and complies with the HIPAA Security Rule to protect the privacy and confidentiality of patient data. 

See also: The basics of HITECH and how it works with HIPAA

 

Ways that HITECH and HIPAA protect communication with patients

Consent and authorization

  • HITECH Act: Patients may need to provide consent or authorization to receive health records via email.
  • HIPAA: Covered entities must obtain patient authorization for certain uses and disclosures of ePHI, including email transmission.

 

Privacy and confidentiality

  • HITECH Act: Patients' privacy must be maintained when accessing health information electronically, including via email.
  • HIPAA: Covered entities are obligated to protect the privacy and confidentiality of patients' ePHI during email transmission, preventing unauthorized access.

 

Data breach notification

  • HITECH Act: Covered entities must report data breaches to affected individuals.
  • HIPAA: If a data breach involving ePHI occurs during email transmission, the covered entity must notify affected individuals and the HHS in accordance with the HIPAA Breach Notification Rule.

 

Interoperability and patient engagement

  • HITECH Act: Patients can access their health information via applications of their choice, enhancing patient engagement.
  • HIPAA: Covered entities must ensure that patients' rights to access health information electronically are upheld, even when using email as a communication method.

 

Methods of ensuring patient communication comply with HIPAA and HITECH

  1. Secure email communication: Use HIPAA compliant email platforms that encrypt emails containing PHI to prevent unauthorized access during transmission.
  2. Access control and authentication: Implement access controls to restrict unauthorized access to PHI, both within the organization's email system and on the recipient's end.
  3. Secure attachments: Use password protection for email attachments containing PHI and provide the password through a separate communication channel to enhance security.
  4. HIPAA compliant email services: Choose email service providers that offer HIPAA-compliant features, such as end-to-end encryption and data storage security, to ensure that the technology used aligns with regulatory requirements.
  5. Regular risk assessments: Conduct regular risk assessments to identify vulnerabilities and potential breaches in the email communication process. Take corrective actions to address any identified risks.

See also: Patient rights and HIPAA compliant email communication
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Image of fire in a forest.

HIPAA compliant messaging in disaster response and emergency medicine

Picture of Farah Amod Farah Amod : February 28, 2025

Clear and secure communication in disaster response and emergency medicine can save lives. During natural disasters, mass casualty incidents, and...

HIPAA compliance Patient privacy
Read More
medical symbol on document

Why employers cannot freely access employee health plan data

Picture of Mara Ellis Mara Ellis : May 13, 2026

HIPAA sets a sharp privacy boundary between the employer and the health plan, so employers cannot simply walk in and access employee health...

HIPAA compliance Patient privacy
Read More
Healthcare provider holding a smartphone

Who is responsible for HIPAA compliant patient follow-ups?

Caitlin Anthoney : April 29, 2024

Provider organizations should determine who conducts the HIPAA compliant patient email or text follow-ups based on the provider’s skill set and the...

HIPAA compliance Patient privacy
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.