Q&A: Sending patient PHI without signed authorization form
Q: If a patient is requesting his medical records via email, so long as our email is encrypted and secure, can we send it? We don’t have written authorization confirming this person is the actual person. We only have his email on his admission papers, which matches the email address he sent to us.
A: It would be reasonable to ask the patient to provide a signed authorization form asking that you release his records to him via a specific email address. That would allow you to compare the patient’s signature with another document he signed during the registration process, so you can confirm that he is the legitimate owner of that email address.
Q: Faxing is still a day-to-day part of medical records operations with us. What are some strategies for sending secure faxes?
A: Here are some strategies for protecting PHI sent via fax:
- Preprogram frequently used fax numbers to reduce the possibility of misdirected faxes from incorrectly entered numbers.
- Limit the amount of information faxed to the minimum necessary. If more information is needed, it should be sent by mail or a delivery service.
- Use a fax cover sheet that clearly identifies your organization, designates the information as confidential, and asks for the return of any misdirected information.
Editor's note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.