Q&A: Sending PHI via email

September 28, 2017
Medicare Web

Q. I work at an optometrist’s office. Is it acceptable to send eye prescription information via email?

A. Yes, as long as the email is encrypted. The prescription is PHI. The Office for Civil Rights (OCR) enforces the Security Rule’s addressable transmission encryption specification as if it were required and not simply addressable. HHS has gone as far as stating that encryption is a reasonable safeguard in the preamble to the HIPAA Clinical Laboratory Improvements Amendment rule, published February 6, 2014. However, there is an exception. If the patient insists that the email be sent unencrypted, covered entities (CE) are permitted to send the PHI unencrypted via email as long as the CE explains the risks of sending unencrypted PHI via email and the patient accepts the risks. If this is the case, it is recommended that the warning and patient acceptance be in writing in the event a breach does occur during transmission.

Editor’s note: This question was answered by Chris Apgar. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a Briefings on HIPAA editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.
