Is Emailing Medical Records HIPAA Compliant?

There are plenty of ways to exchange protected health information (PHI), but is email one of them? The answer is more complicated than a simple yes or no, because several factors are at play. With the high cost of HIPAA violations, it's important to be absolutely sure that your organization is using email compliantly.

Is email HIPAA compliant?

Determining HIPAA compliance for email, much like for the other older methods of medical records exchange, isn't cut and dried. The Privacy Rule and the Security Rule both affect which methods of releasing protected health information are acceptable.

The Security Rule directs covered entities to "Implement a mechanism to encrypt electronic protected health information," both where it is stored and when it is transmitted. This is an "addressable" specification: a provider may adopt an equivalent alternative measure only if it documents why encryption is not reasonable and appropriate, so encryption is the expected default. Unfortunately for healthcare providers, most ordinary email services do not provide the end-to-end encryption needed to protect data shared through them.

Encryption, in the simplest terms, converts readable data into ciphertext that can only be turned back into readable data with the right key. End-to-end encryption means the data is encrypted on the sender's device and decrypted only on the recipient's device, so the mail servers in between carry only ciphertext and cannot read the message.

When attackers target email, they have four points of access: the sender's device, the sender's mail server, the recipient's mail server, and the recipient's device. Wherever the data sits unencrypted, it can be read. When transmitting medical records, it's much easier to ensure encryption on your own device and server than on the recipient's.

Gmail, for example, encrypts mail in transit with TLS and encrypts stored mail on Google's servers, but that is not end-to-end encryption, because Google's servers can read the message. When both parties use Gmail, the whole path stays inside Google's infrastructure, which helps prevent attackers from intercepting the email in transit but does nothing against attackers who break into the email account itself.

Healthcare attorney Vinay Bhupathy advises against using email for the exchange of medical records for two primary reasons. First is the increased risk of data breaches, and second is the 2019 HHS Notification of Enforcement Discretion, which tied the annual HIPAA penalty caps to the covered entity's level of culpability for a breach.

The costs of developing and maintaining custom encryption solutions to make email a secure method of release can be astronomical. As stated by Bhupathy, “I frequently recommend clients look for plug and play solutions with reputable providers that can provide security at a reasonable cost.”

What makes HIPAA-compliant email solutions secure?

There is a wide range of HIPAA-compliant email encryption services available commercially for healthcare professionals. These are built specifically around the HIPAA regulations, especially the Security Rule. Let's go over the key encryption concepts that allow these specialized email services to share protected health information.

To read encrypted data, the user needs the key. The industry standard for symmetric encryption is a key of at least 128 bits, and 256-bit keys are common. This number is the length of the key in bits, not characters: a 256-bit key is 32 bytes long, and every additional bit doubles the number of possible keys.

A 256-bit key has vastly more possible values than a 128-bit one, but both are infeasible to brute-force with today's technology. Aesonlabs estimates it would take billions of years to crack 256-bit encryption with publicly accessible technology.

Don't let this scare you away from 128-bit encryption, which is also extremely strong. RealVNC stated in an article about remote desktop encryption that "128-bit level of encryption has 2^128 possible key combinations (340,282,366,920,938,463,463,374,607,431,768,211,456 – 39 digits long) and 256-bit AES encryption has 2^256 possible key combinations (a number 78 digits long)."

The number of possible keys is nearly unfathomable, but key length is not the only safeguard. There are two families of encryption. AES is a symmetric cipher: the same key both encrypts and decrypts, so both sides must already hold that key, and anyone who obtains it can read everything ever protected with it. Asymmetric (public-key) cryptography, such as RSA or elliptic-curve Diffie-Hellman, uses a key pair instead, and its main job in practice is to let two parties agree on a symmetric key without ever sending it.

SSL and its successor TLS are not ciphers but protocols that combine the two: a public-key exchange at the start of each connection produces a fresh symmetric session key (typically an AES key) that is used for that session only and then discarded. A key recovered from one session does not unlock any other, and with ephemeral key exchange a later compromise of the server's long-term key does not expose past traffic. Without the session key an attacker has no shortcut and is left guessing a 128- or 256-bit value, which is computationally infeasible. Note that SSL itself is obsolete and should be disabled in favor of current TLS versions; the name "SSL" survives mostly as a label for the same role.
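As an added illustration of the pattern just described, a symmetric cipher protected by a fresh key per session, the following Go program runs two "sessions". In each, a sender and a recipient generate ephemeral X25519 key pairs, exchange only their public keys, derive the same 256-bit AES key, and encrypt a constructed sample record with AES-256-GCM. This is example code written for this page, not code from any email vendor or from ChartRequest; it uses only Go's standard library (crypto/ecdh needs Go 1.20 or later), and the HKDF-style derivation, the fixed salt, the label strings and the sample record are this example's own assumptions. It deliberately leaves out the certificate-based authentication that a real TLS handshake also performs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey turns an X25519 shared secret into a 256-bit AES key with an HKDF-style
// extract-then-expand built from HMAC-SHA256 (written out so only the standard library is needed).
func deriveKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer) // raw shared secret; never used directly as a key
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, []byte("session-key-demo salt")) // fixed salt, a demo assumption
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("aes-256-gcm record key")) // label binds the key to its purpose
	expand.Write([]byte{0x01})
	return expand.Sum(nil), nil // SHA-256 output is 32 bytes, i.e. a 256-bit key
}

// Seal encrypts and authenticates record with AES-256-GCM; the random nonce is prepended.
func Seal(key, record, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, header), nil
}

// Open reverses Seal and fails on a wrong key, a wrong header, or any modified byte.
func Open(key, sealed, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], header)
}

// RunSession performs one ephemeral X25519 exchange between a sender and a recipient,
// confirms both sides derived the same key, and encrypts one record under it.
func RunSession(record, header []byte) (key, sealed []byte, err error) {
	sender, err := ecdh.X25519().GenerateKey(rand.Reader) // a fresh key pair per session
	if err != nil {
		return nil, nil, err
	}
	recipient, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Only public keys cross the wire; each side combines its own private key with the other's public key.
	key, err = deriveKey(sender, recipient.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	theirs, err := deriveKey(recipient, sender.PublicKey())
	if err != nil || !bytes.Equal(key, theirs) {
		return nil, nil, errors.New("sender and recipient derived different keys")
	}
	sealed, err = Seal(key, record, header)
	return key, sealed, err
}

func main() {
	record := []byte("Patient: Jane Doe, 2020 visit notes (constructed sample)")
	header := []byte("request-id=demo-1") // authenticated but sent in the clear
	k1, c1, _ := RunSession(record, header)
	k2, c2, _ := RunSession(record, header)
	fmt.Printf("keys differ: %v, ciphertexts differ: %v\n", !bytes.Equal(k1, k2), !bytes.Equal(c1, c2))
	_, err := Open(k2, c1, header)
	fmt.Println("session 2 key cannot open session 1 data:", err != nil)
}
```

Run it and the two sessions produce different keys and different ciphertexts for the identical record; opening session 1's ciphertext with session 2's key, with a changed header, or after flipping any byte fails, which is the per-session property the text describes. The header plays the role of the authenticated-but-unencrypted metadata a real protocol carries alongside the payload.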

What are the pros and cons of emailing PHI?

Despite the clear risks, there are certainly reasons why people may want their medical records sent via email. It’s the responsibility of the healthcare provider to make sure people understand the risks that weigh against the benefits, however.

First, email is a quick and convenient way to exchange information. It’s easy for anybody to use, and it satisfies the desire for instant results. Once the sender clicks send, the information is available instantaneously.

Emails cannot be unsent, however. If the healthcare provider enters the wrong email address, the wrong recipient may receive the records. With over 1.8 billion active Gmail users as of 2020, there are long lists of email addresses that differ by only a few characters.

Next, emails can be searched and filtered by keyword, which makes it easy to locate important information when needed. This is a double-edged sword, however, because it encourages people to leave emails sitting in their mailbox for long periods of time. The longer the records remain on the server, the longer they are at risk.

While email can be useful for exchanging small files, attachment size limits restrict what can be sent. Any file that exceeds the limit will likely have to go by another method, further fragmenting and complicating your release-of-information process.

Finally, HIPAA compliance is never something that you want to leave to chance. The amount of money saved by taking shortcuts likely won’t even make a dent in the massive violation penalties. While email itself may be simple, the laws governing the secure exchange of protected health information are not.

How do you release records via email?

If you absolutely must release medical records via email, take every precaution possible. This not only increases the chances that patient PHI remains secure, but also reduces your organization's culpability in the event of a breach, which means lower civil monetary penalties.

Before sending a single medical record over email, find a trustworthy platform that fits your organization’s budget and needs. As mentioned above, there is no shortage of options designed specifically for HIPAA compliance.

Next, start with the basics of any request. Verify that the patient’s authorization form is signed and valid. A valid form should include:

  1. Description of the requested information
  2. Name of the patient and/or requestor
  3. Name of the recipient
  4. Reason for the disclosure
  5. Expiration date or event
  6. Signature of the patient or representative with the date

Once this is verified, retrieve only the records the request actually covers. Note that HIPAA's "Minimum Necessary" standard does not apply to disclosures made to the patient or under the patient's own valid authorization, but it does govern most other disclosures, such as those to payers or other providers, where you must limit the release to the minimum needed for the stated purpose. In every case, comb through the records and remove anything outside the scope of the request before sending.

Once you've collected the relevant records, check that they match the request exactly. When you're confident that you've fulfilled the request, verify the recipient's email address character by character against the address on the authorization form.

Keep a copy of the request on file in case of an audit, and have your team maintain a log of every release of medical records. This helps when requestors call for status updates, especially if the records fail to arrive.
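The steps above, from validating the authorization form to logging the release, written out as one pre-send gate. This is an added example for this page, not ChartRequest's code or any vendor's; the Authorization fields, the "likely typo" threshold of two edits, and the sample form and addresses are constructed assumptions. It needs only Go's standard library (Go 1.21 or later for the built-in min).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Authorization carries the six elements the article lists for a valid form; field names are this example's own.
type Authorization struct {
	Description, Patient, Recipient, RecipientEmail, Purpose, SignedBy, ExpiryEvent string
	Expires, SignedOn                                                               time.Time // Expires is zero when ExpiryEvent is used
}

// Validate returns every defect rather than stopping at the first; now is passed in so the check is testable.
func (a Authorization) Validate(now time.Time) []string {
	var problems []string
	required := []struct{ name, value string }{
		{"description of requested information", a.Description}, {"patient name", a.Patient},
		{"recipient name", a.Recipient}, {"recipient email", a.RecipientEmail},
		{"reason for disclosure", a.Purpose}, {"signature", a.SignedBy},
	}
	for _, f := range required {
		if strings.TrimSpace(f.value) == "" {
			problems = append(problems, "missing "+f.name)
		}
	}
	if a.SignedOn.IsZero() {
		problems = append(problems, "missing signature date")
	}
	if a.Expires.IsZero() && strings.TrimSpace(a.ExpiryEvent) == "" {
		problems = append(problems, "missing expiration date or event")
	}
	if !a.Expires.IsZero() && !a.Expires.After(now) {
		problems = append(problems, "authorization expired on "+a.Expires.Format("2006-01-02"))
	}
	return problems
}

// editDistance is plain Levenshtein distance, used only to explain a recipient mismatch.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 0
			if ra[i-1] != rb[j-1] {
				cost = 1
			}
			cur[j] = min(prev[j]+1, cur[j-1]+1, prev[j-1]+cost) // delete, insert, substitute
		}
		prev = cur
	}
	return prev[len(rb)]
}

// CheckRecipient refuses any address other than the authorised one (compared after lowercasing and
// trimming) and says whether the difference looks like a typo (one or two edits) or a different address.
func CheckRecipient(typed, authorized string) error {
	t, a := strings.ToLower(strings.TrimSpace(typed)), strings.ToLower(strings.TrimSpace(authorized))
	if t == a {
		return nil
	}
	if d := editDistance(t, a); d <= 2 {
		return fmt.Errorf("recipient %q differs from authorised %q by %d edit(s): likely typo", typed, authorized, d)
	}
	return fmt.Errorf("recipient %q is not the authorised recipient %q", typed, authorized)
}

// PrepareRelease runs the pre-send gate and appends one audit line to log whether it passes or not.
func PrepareRelease(log *[]string, auth Authorization, to string, now time.Time) error {
	var err error
	if p := auth.Validate(now); len(p) > 0 {
		err = errors.New("invalid authorization: " + strings.Join(p, "; "))
	} else {
		err = CheckRecipient(to, auth.RecipientEmail)
	}
	outcome := "approved for sending"
	if err != nil {
		outcome = "blocked: " + err.Error()
	}
	*log = append(*log, fmt.Sprintf("%s patient=%q to=%q %q: %s", now.Format("2006-01-02"), auth.Patient, to, auth.Description, outcome))
	return err
}

func main() {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	auth := Authorization{Description: "2020 visit notes", Patient: "Jane Doe", Recipient: "Dr. Smith",
		RecipientEmail: "dr.smith@example.org", Purpose: "continuity of care", SignedBy: "Jane Doe",
		Expires: time.Date(2021, 12, 31, 0, 0, 0, 0, time.UTC), SignedOn: now.AddDate(0, 0, -10)}
	var log []string
	PrepareRelease(&log, auth, "dr.smith@exmaple.org", now) // constructed attempt with two letters swapped
	fmt.Println(strings.Join(log, "\n"))
}
```

The recipient check compares the typed address with the one on the authorization form rather than trusting whatever was typed, and a near miss is reported as a likely typo instead of silently failing, which is exactly the wrong-recipient error the text warns about. Blocked attempts are logged as well as approved ones, so an auditor sees what was refused and why.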

To best understand what types of issues to look for when double-checking outgoing emails, let’s look at some examples of when emailing medical records has gone wrong.

Examples of emailed medical records causing violations

The 2020 Paubox HIPAA breach report found that 505 breaches were reported under HIPAA in 2020, nearly a 21% increase over the 418 breaches reported in 2019. Paubox found that 37% of the 2020 breaches happened over email.

While the transmission of an email can be secured with the encryption measures mentioned above, the email account itself is generally the weaker point. Without long, unique passwords and multi-factor authentication, it is far easier for an attacker to get in by guessing passwords, by reusing credentials leaked from other sites, or by phishing.

In 2019, a hacked email account caused a major breach affecting 78,000 cardiovascular patients. After an attacker broke into the email account of a National Cardiovascular Partners (NCP) staff member, a full month passed before anybody noticed.

NCP called in a cybersecurity team, which after another month determined that an Excel spreadsheet containing the names, addresses, contact details, and other protected health information of 78,000 patients had been exposed.

The organization stated in its notification that the attacker was seeking to commit financial fraud rather than targeting patient information. Whether or not that is the case, the potential for damage is clear: a trove of information that could enable the theft of thousands of identities was in a cybercriminal's hands.

Next, between April 28 and May 4, 2021, People Incorporated Mental Health Services in Minnesota had an email data breach when a hacker gained access to employee email accounts. These accounts held data that exposed protected health information of about 27,500 patients. 

This information included names, dates of birth, addresses, treatment information, and more. For some patients it also included Social Security numbers, financial account information, and driver's license numbers.

In neither case did the attackers need to break encryption; they only needed access to a mailbox where PHI sat in readable form. Getting that access is not trivial, but it is certainly easier than breaking into purpose-built alternatives that never leave records sitting in an inbox.

ChartRequest is a safer alternative

ChartRequest doesn’t just seek to comply with HIPAA regulations, we strive to provide the safest platform on the market. When your team uses our platform, you can rest assured that your requestor’s protected health information is secure.

Our security infrastructure uses TLS (still commonly called SSL) with 128- to 256-bit keys to encrypt user information in transit. Additionally, we use several further security measures to guard against attacks from all angles, including:

  • Redundant firewall protection
  • Redundant web application protection
  • DoS and DDoS mitigation
  • Monitored intrusion detection
  • VPN/SSL and multi-factor authentication for server management
  • Protection against MITM attacks, IP spoofing, port scanning, and packet sniffing

Combined, these measures greatly reduce the chance of an attacker breaking in and breaching medical records. In addition to helping your organization simplify HIPAA compliance, ChartRequest avoids many of the violation pitfalls of email.

For example, when the individual supplying the authorization creates a request, they are essentially creating a centralized hub for it. In this hub, your team can communicate via provider chat and fulfill the request without ever typing or verifying an email address, so there's no risk of the wrong individual receiving medical records because of a typo.

Not only are requests easier to fulfill for your team, but they’re also easy for requestors to create. After navigating to our app via the ChartRequest button on your website, your patients can follow our streamlined workflow to create their requests in just minutes. 

There are countless other reasons why ChartRequest is a better option for medical records exchange and care coordination. The best reason? We can help your organization save money. Click here to try our cost savings calculator, and see just how much you can save with ChartRequest.