Paubox blog: HIPAA compliant email made easy

HITECH and patients' rights to access records by email

Written by Kirsten Peremore | August 30, 2023

HITECH strengthened patients' right to access their health information electronically: individuals can request and receive copies of their medical records in electronic form, and that right extends to delivery by email.


HITECH and the right to access records in electronic form

To promote modernization and patient engagement, the HITECH Act of 2009 amended the HIPAA right of access so that individuals can request and receive copies of their medical records in electronic form whenever the covered entity maintains those records electronically. This provision let patients interact with their health data far more effectively than paper copies ever allowed.

Under HITECH, a covered entity that maintains electronic health records must honor such a request in the form and format the patient asks for when the records are readily producible that way; if they are not, it must supply them in a readable electronic form and format agreed on with the patient. This right underpins the later interoperability rules, which extend patients' control over their protected health information (PHI) by letting them pull it into applications of their choice.


How does this right apply to email?

The HITECH Act applies to email because email is one of the electronic formats in which a patient can ask to receive their records. A patient may request their health information by email, and the covered entity must provide it that way if it maintains the records electronically and can readily produce them in that form.

In practice this gives patients a convenient and fast way to get their medical information. The covered entity remains responsible for the transmission, however: the HIPAA Security Rule requires it to protect ePHI while it sits in the entity's systems and while it is in transit from them, so the default should be an encrypted channel. HHS guidance on the right of access does permit a covered entity to send records by unencrypted email when the patient specifically asks for that, provided the patient has first been warned of the risk and still wants it; the entity is then not responsible for interception in transit or for what happens once the message reaches the patient's mailbox. Record the warning and the patient's choice so the decision can be shown later.

See also: The basics of HITECH and how it works with HIPAA


Ways that HITECH and HIPAA protect communication with patients

Consent and authorization

  • HITECH Act: A patient's request for their own records is an access request, not a disclosure that needs a HIPAA authorization. The covered entity may require the request in writing and must verify the requester's identity before emailing anything.
  • HIPAA: A written HIPAA authorization is required before a covered entity emails ePHI to a third party for a purpose the Privacy Rule does not otherwise permit; an email sent to the patient at the patient's own request needs none.


Privacy and confidentiality

  • HITECH Act: Patients' privacy must be maintained when they access health information electronically, including by email.
  • HIPAA: Covered entities must protect the confidentiality and integrity of ePHI during email transmission and prevent unauthorized access to it. That obligation covers the entity's own mail systems and the path to the recipient's mail server; once a message has been delivered to the patient's mailbox, it is outside the entity's control.


Data breach notification

  • HITECH Act: HITECH introduced the federal requirement that covered entities notify affected individuals of breaches of unsecured PHI.
  • HIPAA: The HIPAA Breach Notification Rule (45 CFR 164.400-414) implements that requirement. If ePHI is compromised during email transmission, for example records sent to the wrong address or sent in cleartext and intercepted, the covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery, and must notify HHS (at the same time as the individuals when 500 or more people are affected, otherwise through an annual log). A record emailed to the patient at the patient's own request is not a breach, and ePHI that was properly encrypted is not "unsecured", so its loss does not trigger notification.


Interoperability and patient engagement

  • HITECH Act: Patients can pull their health information into applications of their choice, which supports patient engagement.
  • HIPAA: Covered entities must uphold patients' right to electronic access however the records are delivered, email included.


Methods of ensuring patient communication complies with HIPAA and HITECH

  1. Secure email communication: Use a HIPAA compliant email platform that encrypts messages containing PHI. Encryption in transit is an addressable Security Rule specification, so an entity that relies on plain SMTP must document why that is reasonable. In practice that means enforcing TLS to the recipient's mail server rather than accepting opportunistic delivery that can be downgraded to cleartext, and encrypting the message body or attachment itself when the receiving server cannot be trusted.
  2. Access control and authentication: Restrict access to PHI in the organization's mail system with role-based permissions, multi-factor authentication and least privilege, and prefer delivery mechanisms (such as a link to a portal) that authenticate the recipient before the content is shown.
  3. Secure attachments: If records go out as attachments, encrypt the file with a strong algorithm (AES-256 in a modern PDF or archive format; legacy ZIP password protection is weak) and send the password through a separate channel such as a phone call or SMS, never in the same email or a follow-up email.
  4. HIPAA compliant email services: Choose a provider that offers end-to-end encryption, encrypted storage and audit logging, and sign a business associate agreement (BAA) with it: a vendor that handles ePHI on your behalf is a business associate under HIPAA.
  5. Regular risk assessments: The Security Rule requires a documented risk analysis. Assess the email path regularly, confirm from mail server logs that outbound messages carrying PHI actually used TLS, and correct any gaps you find.
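The following script is an added example for this article, not Paubox code: it audits Postfix smtp(8) client log lines and flags outbound deliveries that were sent without a TLS handshake or over an obsolete TLS version, which is the kind of evidence the transit-encryption and risk-assessment items above call for. It assumes the standard Postfix log format, correlates the handshake line with the delivery line through the process id (a heuristic: Postfix logs both from the same smtp process), and runs on a few constructed log lines embedded below.

```python
"""Audit Postfix smtp(8) client logs for outbound deliveries that did not use TLS.

Added example for this article (not Paubox code). Parses constructed Postfix
log lines and reports deliveries made in cleartext or over a weak TLS version.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Postfix logs the TLS handshake and the delivery result from the same smtp(8)
# process, so the process id (pid) links the two lines (heuristic). A reused
# connection can cover several deliveries, so the relay host is compared too,
# which stops a stale handshake for another host from being counted.
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<relay>[^:]+):\d+: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<queue>[0-9A-Z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^:,]+):\d+, .*status=sent"
)

# Anything below TLS 1.2 is reported as weak.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


@dataclass
class Finding:
    queue_id: str
    recipient: str
    relay: str
    issue: str   # "no_tls" or "weak_tls"
    detail: str


def audit_postfix_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per delivery that was not protected by acceptable TLS."""
    last_tls: Dict[str, Dict[str, str]] = {}   # pid -> most recent handshake fields
    findings: List[Finding] = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = m.groupdict()
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        tls = last_tls.get(m["pid"])
        if tls is None or tls["relay"] != m["relay"]:
            findings.append(Finding(m["queue"], m["rcpt"], m["relay"],
                                    "no_tls", "delivered without a TLS handshake"))
        elif tls["proto"] not in ACCEPTABLE_PROTOCOLS:
            findings.append(Finding(m["queue"], m["rcpt"], m["relay"], "weak_tls",
                                    f"{tls['proto']} with cipher {tls['cipher']}"))
    return findings


# Constructed sample log: hosts, addresses and queue ids are made up.
SAMPLE_LOG = [
    "Aug 30 10:01:02 mail postfix/smtp[4101]: Untrusted TLS connection established to "
    "mx.clinic-partner.example[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Aug 30 10:01:02 mail postfix/smtp[4101]: 7A1B2C3D4E: to=<records@clinic-partner.example>, "
    "relay=mx.clinic-partner.example[203.0.113.5]:25, delay=0.61, delays=0.01/0/0.3/0.3, "
    "dsn=2.0.0, status=sent (250 2.0.0 OK)",
    # No handshake logged for pid 4102: this message went out in cleartext.
    "Aug 30 10:02:15 mail postfix/smtp[4102]: 8B2C3D4E5F: to=<patient@mail.example>, "
    "relay=mx.mail.example[198.51.100.7]:25, delay=0.52, delays=0.01/0/0.2/0.3, "
    "dsn=2.0.0, status=sent (250 2.0.0 queued)",
    "Aug 30 10:03:40 mail postfix/smtp[4103]: Untrusted TLS connection established to "
    "mx.oldhost.example[192.0.2.9]:25: TLSv1.0 with cipher AES256-SHA (256/256 bits)",
    "Aug 30 10:03:40 mail postfix/smtp[4103]: 9C3D4E5F60: to=<billing@oldhost.example>, "
    "relay=mx.oldhost.example[192.0.2.9]:25, delay=0.9, delays=0.01/0/0.5/0.4, "
    "dsn=2.0.0, status=sent (250 OK)",
]


if __name__ == "__main__":
    for f in audit_postfix_log(SAMPLE_LOG):
        print(f"{f.queue_id} -> {f.recipient} via {f.relay}: {f.issue} ({f.detail})")
```

Run against the sample, the script reports the cleartext delivery to patient@mail.example and the TLS 1.0 delivery to billing@oldhost.example, and nothing for the TLS 1.3 delivery. Fed your own /var/log/mail.log it gives a concrete list of recipients whose mail left without transit encryption. The fix on the Postfix side is to stop relying on opportunistic TLS: set smtp_tls_security_level = encrypt globally, or use smtp_tls_policy_maps to require encryption for the destinations that receive PHI, so that cleartext delivery is refused rather than merely logged.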

See also: Patient rights and HIPAA compliant email communication