We were contacted recently by a newspaper reporter asking if there was a new rule that prohibited a health care provider from e-mailing a patient a copy of his or her health information. This is a battle that has been fought in the HIM community since the effective date of the HIPAA Security Rule and is, for us at least, nothing new. The two sides of this discussion are fairly well defined. On the one side are the privacy advocates, who argue that patient control of PHI requires that patients control how that PHI is released to them. On the other side, and just as adamant, are the security advocates, who believe that, if a covered entity's risk assessment determines that it is reasonable to encrypt all e-mail transmissions, then this prohibits any unencrypted release even on a patient's request.
Disclosure of PHI to the patient is one of only two required disclosures under the Privacy Rule. 45 C.F.R. Section 164.502(a)(2)(i); 45 C.F.R. Section 164.524(a)(1). The provider may not inquire about the purpose of such disclosure and cannot limit the disclosure based on principles of the "minimum necessary." 45 C.F.R. Section 164.502(b)(2)(ii). In addition, the Privacy Rule clearly grants the patient the right to determine how his PHI will be disclosed to him (45 C.F.R. Section 164.524(c)(2)(i)), subject only to a restriction on access generally based on potential harm to the patient or others. 45 C.F.R. Section 164.524(a)(3)(i). This is in contrast to the patient's right only to request restrictions on use and disclosure, to which the covered entity need not agree. 45 C.F.R. Section 164.522. The covered entity must provide access to the patient's PHI in the form and format selected by the patient, unless the information is not "readily producible" in that form or format. 45 C.F.R. Section 164.524(c). And, although it is true that this concept has not yet been tested in the courts, we think that e-mailing a patient's record to himself upon his specific request would not rise to the level of physical impossibility, financial hardship, or systemic burden that would allow a covered entity to avoid doing so. In other words, a patient request to send records by e-mail would in all likelihood be deemed "readily producible."
The Security Rule, which governs activities related to electronic PHI (or "e-PHI"), states that the method of protecting e-PHI in transit is "addressable" (as opposed to "required") by the covered entity based on its risk analysis. 45 C.F.R. Section 164.312(e)(1), (2)(ii). Because the standard is addressable, the covered entity has a significant amount of latitude in adopting measures to achieve compliance. For example, a covered entity can have one policy regarding transmission of e-PHI on a "closed" network (such as a facility local area network), and another policy on release of e-PHI on an "open" network (such as over the Internet or in e-mail). If this is so, then a covered entity should be able to adopt one policy that deals with mandated disclosures to patients under the Privacy Rule and another that deals with disclosures to everyone else. The quantifiable risk of wrongful disclosure to a patient (from whom a written authorization has been received) should be (and we think is) demonstrably lower than that of the routine use of e-mail to transmit billing batches to an insurer or laboratory results to a physician.
In short, we think there is no reason to adopt a "one size fits all" approach to e-mail security that eliminates the ability of a patient to receive his own PHI via e-mail. If we want patients to adopt an electronic personal health record ("PHR") containing the best and least edited information on their own health, we should find a way to facilitate their receipt of that information from providers in an electronic format.