Is Mailing Medical Records HIPAA Compliant?

Of all the methods of medical records release, none pass the records through more hands than shipping via delivery services. It is, of course, illegal for anybody but the recipient to tamper with mail. So is mail a safe method of medical records exchange?

Is mailing medical records HIPAA compliant?

HIPAA is a complicated set of rules designed to mitigate the risk of sharing protected health information like medical records. Part of the difficulty in understanding the regulations lies in their inherent flexibility. HHS designed HIPAA to fit healthcare organizations of all sizes, and to accomplish this, the guidelines are written in deliberately general language that leaves room for interpretation.

With the incredibly steep penalties for HIPAA violations, it’s important to maintain a solid understanding of the rules and regulations. This is especially true when using outdated methods of medical records exchange like “snail” mail. 

Sending protected health information via physical mailing services can be compliant, but it can also cause major breaches. We will get into specific examples a bit later on in this article. First, we need to understand what constitutes a HIPAA breach and how breaches can be avoided. 

The exchange of paper records primarily falls under the umbrella of the Privacy Rule. This rule, as the name suggests, protects the privacy of patients during the release of their Personally Identifiable Information.

To adhere to this rule, it’s essential to take incidental disclosure avoidance measures before releasing records. 

What are Incidental Disclosure Avoidance Measures?

The U.S. Department of Health and Human Services (HHS) defines incidental disclosure as “Secondary disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another, primary use or disclosure that is permitted by the HIPAA Privacy Rule.”

For example, imagine that you are visiting a small specialized practice with just a couple of healthcare providers. You sit in the waiting room until the front desk staff calls your name and leads you to your room. On your way into the back, you walk by a room in which a healthcare provider is treating a patient.

If you hear a doctor discussing health information with a patient in this room, this would be considered incidental disclosure. The doctor is discussing the patient’s health, which is considered primary use. It is limited to the information stated and the doctor has closed the door to provide the best privacy possible. 

The conversation between the doctor and the patient is permitted by the Privacy Rule. What you hear is considered incidental disclosure. Because there was no reasonable way to prevent this disclosure, it is also permitted by the Privacy Rule. 

If, however, the doctor had negligently left the door wide open and spoken loudly about the patient’s medical information, that would not be permissible. If the patient were to lodge a complaint, it would be clear that the provider could have prevented the disclosure by shutting the door.

To be secure when releasing medical records via physical mail services, covered entities must take incidental disclosure avoidance measures seriously. Many HIPAA violations are caused by negligence, and steeper penalties await those who ignore their Privacy Rule responsibilities.

What mailing options are secure?

When mailing medical records to a patient, you’re placing a lot of trust in the delivery service you choose. The moment you print medical records, the chances of a breach increase, and the risk grows further once the package leaves your hands.

It’s permissible to ship protected health information via the United States Postal Service, as well as some commercial services. These services include but are not limited to UPS, FedEx, and DHL. If your office is located near the patient’s home, do note that it’s illegal for anybody but USPS workers to place mail in somebody else’s mailbox. 

It’s difficult to estimate the percentage of mail lost by the USPS, but a commonly cited number is 3%. Poor performance reporting for most types of mail makes it more difficult to find the exact percentage of lost mail. 

USPS reported 129.2 billion packages delivered in 2020, a decline of 13.4 billion from 2019. For perspective, 3% of 129.2 billion is still about 3.9 billion packages that don’t reach their destination.

It is worth noting that larger packages are more likely to go missing due to generally rougher handling than envelopes. That’s not to say envelopes don’t get lost as well, however. Also, the USPS isn’t solely responsible for every piece of mail that goes missing.

Mail theft is an incredibly difficult problem to solve. The Postal Inspection Service reported a 600% increase in mail theft, from 25,000 in 2017 to 177,000 in 2020. Once a thief takes mail, there’s virtually no way to track them. 

Most likely, medical records sent via mail will reach their destination. Before sending them though, be aware of the inherent risks before, during, and after shipping.

What are the pros and cons of mailing PHI?

Mailing medical records and other sensitive patient information is definitely a valid option, but it’s one that’s hard to praise. More often than not, important mail will reach its destination intact. When trying to protect your patients’ personal and medical information, is “more often than not” good enough?

Even if there were a 100% guarantee of your mail reaching its destination, there are other downsides to mailing records. While most methods have their flaws, it may be worth minimizing the amount of physical mail your practice needs to send.

First, the cost of shipping with the USPS has been increasing recently. On August 29, 2021, a single stamp increased in price from 55 cents to 58 cents. This is a baseline increase of approximately 5.5% for every single letter that comes from your organization. While 3 cents may not sound like too much, it will surely add up during large mailing campaigns, billing cycles, medical records releases, etc. 

If you want to track important letters and packages, the costs have increased for that as well. It’s unrealistic to expect every healthcare professional to pay for tracking on every single piece of mail with PII. At least, not without significantly increasing the cost for requestors. 

It’s also worth considering the number of hands your mail will pass through in transit. The USPS has approximately 495 million employees in the United States, so it’s impossible to know who exactly will be handling your mail or how rough the journey will be. 

Mail will also likely be slower than the alternative methods. Digital alternatives can be instantaneous, while even a fast delivery still takes a few days. Plus, the additional administrative effort of printing, packaging, and shipping will further delay the records and burden your staff.

What should you do if you’re expecting records via mail?

If you’re a patient who has requested medical records to be released via mail, stay on top of it. You should stay informed throughout the process so you know when to expect your records. This means some legwork will be necessary. 

First, as with all medical records exchange methods that don’t have built-in transparency throughout the fulfillment process, you should call regularly for status updates. HIPAA requires healthcare providers to respond to requests within 30 days, and some states have even shorter deadlines.

Unfortunately, healthcare providers can forget, lose, or delay requests due to other requests deemed “higher priority.” The average medical records request should involve about 7 phone calls for status updates, spaced out over the 30 days. This helps protect your request from avoidable delays.

Once you receive confirmation that the organization has mailed your records, they shouldn’t take long to reach you. This is especially true if you live near the practice and the records don’t have far to travel. 

It’s important to know the date the USPS received your records so you can estimate when they should arrive. Use your own judgment based on your experience with your local post office. Generally speaking, if you haven’t received your mail in a week, it may be worth notifying your healthcare provider. 

It may also be worth paying closer attention to your mailbox and noting average delivery times. The sooner you pick up your sensitive mail, the safer it will be. 

If you don’t want to put up with the risk and hassle of waiting on physical records, ChartRequest can help. Click here to learn about what we can do for you.

How do you release records via mail?

If you need to mail medical records, you should take every security precaution you can. Many of the cases of mailed documents causing HIPAA violations should have been avoidable. Stay diligent throughout the process.

First, start with the basics. Your team should verify that the patient signed a valid authorization. A valid form should include:

  1. Description of the requested information
  2. Name of the patient and/or requestor
  3. Name of the recipient
  4. Reason for the disclosure
  5. Expiration date or event
  6. Signature of the patient or representative with the date

Once this is verified, retrieve the records in accordance with the “Minimum Necessary” rule. This, simply put, means you should only be releasing the minimum records necessary to fulfill a request. Comb through the records and remove any irrelevant files.

Once you’ve collected the relevant records, double-check to make sure they are 100% accurate for the request. When you feel confident that you’ve fulfilled the request, be sure to double-check the mailing address on the envelope too.

Make sure the receiving address and return address are both clearly legible, especially the ZIP code. Next, simply take it to the post office and send it out.

Be sure to keep a copy of the request on file in the case of an audit. It’s also important for your team to maintain a log to track when they release medical records. This can help both when requestors call for status updates and if the records are lost or stolen. 

To best understand what types of issues to look for when double-checking outgoing mail, let’s look at some examples of when mailing medical records has gone wrong.

Example(s) of mailed medical records causing a violation

Even the simplest oversight can lead to HIPAA breaches, and the hectic nature of the healthcare industry causes avoidable errors. When working with contracted mailing companies, you’re working with people who may not be aware of HIPAA security requirements. Proper inspection prior to shipping is important, as these next two stories will show.

First, let’s go back to the summer of 2017. Aetna, a leading health insurance company, compromised the medical privacy of approximately 12,000 individuals with HIV. This mistake cost them $17 million.

This mistake was completely avoidable, however. The letters were mailed in envelopes with clear plastic windows, and the name of the HIV medication was clearly visible. It’s unfortunate that HIV is stigmatized to such a degree, but the emotional ramifications of unintentional disclosure can be serious. 

Next, let’s look at a fundraising campaign run by the University of Michigan Medicine in 2018 that went wrong. The university used a third-party printing service to send mail to approximately 3700 individuals. This mail only contained the name, address, phone number, and email address. Unfortunately, this is enough for HHS to consider a breach.

The printing service messed up, though, and sent some of these letters to the wrong individuals. To protect against this type of error in the future, the university began using windowed envelopes. This removes the need to match letters to envelopes, but, as the previous example shows, windowed envelopes require extra caution about what is visible through the window.

Mailing errors can affect anybody who mails PII covered by HIPAA. This demonstrates just how easy it is for major breaches to occur when mailing medical records. There is a better option, however.

ChartRequest is safer than mail

According to an ONC report titled “State of Interoperability among U.S. Non-federal Acute Care Hospitals in 2018,” approximately 7 in 10 healthcare professionals still used mail and fax for sending and receiving PHI and other sensitive information. ChartRequest is working hard to bring this number down by providing a quick, secure, and efficient electronic records exchange alternative.

Our streamlined release of information platform solves the issues that mailing medical records can cause. For example, once your team retrieves and verifies requested records, your requestor doesn’t have to wait an extra week. Rather, your team can release the digital records instantaneously.

The wait is further reduced for your requestors by the lighter workload your staff experiences when processing requests. If you choose our Self-Service model, your team can easily process more requests in less time with our platform. Our Full-Service partners can reduce their turnaround time even further to an average of approximately 2 days.

In addition to the reduced administrative burden, your team can also enjoy built-in protection from some common causes of HIPAA violations. Our double-QA process catches mistakes before they are released, and our automated audit log tracks every interaction with each request. If there is a breach, this helps determine the exact cause.

The largest fines for HIPAA violations often involve negligence, but it can be difficult to keep up with all the rules and regulations. Don’t fall victim to massive penalties for avoidable issues; let us help you stay compliant.

Leave the antiquated methods of medical records exchange in the past. Click here to learn more about our plans for healthcare professionals.