Emailing medical records and staying HIPAA compliant can be a real hassle for healthcare providers.
Why? Well, it doesn’t help that what is okay and what isn’t okay when sending health information aren’t that clear.
It’s technically okay to send medical records through email. But if you aren’t also taking additional steps, you could actually be violating HIPAA regulations—which could you put at risk for legal trouble if documents are lost, stolen or unlawfully accessed.
Here’s why emailing medical records is probably not the best solution, plus some as alternative options you can use to protect your client’s data.
Is Emailing Medical Records HIPAA Compliant?
Emailing medical records is technically HIPAA compliant. However, those emails must be end-to-end encrypted, and popular email servers like Gmail and Yahoo Mail don’t provide the necessary encryption tools to meet HIPAA regulations. [1]
This means you need an additional plugin or encryption tool to protect the emails properly. The good ones cost money, and can be tricky to use.
And to put it bluntly, it’s riskier than you think to send medical records through email without additional security features.
A 2009 study conducted by the Department of Human Health Services (HHS) found that over 100 health organizations had their information stolen due to leaked or stolen emails. [2]
What Is HIPAA Compliance?
HIPAA compliance means that you adhere to the HIPAA (Health Insurance Portability and Accountability Act of 1996) when sending or receiving a person’s health records.
As a healthcare provider or small business owner, you need to especially understand the HIPAA Privacy Rule and HIPAA Security Rule. [3]
These state that health institutions must protect patient health information and adhere to national standards when sending files to authorized third parties.
In the case of online file sharing, HIPAA is pretty clear: emailing medical records is fine, so long as your emails are encrypted.
If you choose not to use end-to-end encryption, you should use a suitable alternative that protects client data just as well. (At the moment, end-to-end encryption is probably your best bet, even though it can be difficult to set up and use.)
If you don’t adhere to either of these standards and a client’s information gets leaked, HIPAA regulations state that you could be fired, terminated from your job, face sanctions from professional boards or even face criminal charges like fines or imprisonment. [4]
What Is End-To-End Encryption?
End-to-end encryption (E2EE) is the act of encrypting documents so third parties can’t gain access. Only the parties sending and receiving the information can decrypt them.
This system was designed to prevent hackers, telecom providers and Internet providers from gaining unlawful access to information.
When an email (or a text message for that matter) isn’t encrypted, it typically passes through a third party, often the host of the messaging system, where it is then redirected and sent to the intended recipient.
This means that whoever is helping you send the information could potentially also access it without you knowing—which poses an obvious threat to the safety of patient medical records.
Why You Shouldn’t Email Medical Records
Here are some additional reasons why emailing medical records isn’t safe:
- Although popular email providers like Gmail offer some encryption abilities, they’re truly not end to end. Most often, you can only encrypt an email if it’s sent to a party with the same host (i.e. @gmail.com).
- You’re legally not allowed to include the patient’s names in the header, which can make it harder to find emails when searching for them. (You’re probably already wasting more time on administrative duties than you think.)
- If sensitive documents are lost or stolen, you or your business could be held responsible for this and sued.
At best, email is a confusing option for sending and receiving medical info. It’s a popular method, but so are online cloud storage platforms. Unfortunately, those come with their own risk as well.
Are Cloud Storage Services Better For Security?
Not really. Cloud storage systems like Dropbox and Google Docs may be popular for sharing medical records online, but they’re just as susceptible to security problems as email. Maybe more so.
Dropbox has had a number of security breaches over the years, one of which affected more than 60 million users at one time.
Cloud storage services like Dropbox also run the risk of your data not being deleted when you want it to.
Reference the infamous 2016 case when Dropbox “repopulated” millions of files onto people’s accounts that had supposedly been deleted—then consider how that might play out in court if the documents in question were someone else’s medical files.
Secure Portal For Medical Record Sharing
A secure online portal is much safer than emailing medical records. It’s also the most efficient method for medical providers and attorneys with timely information.
All ShareScape documents are persisted using Server-Side Encryption with Amazon S3-Managed Keys and protected by identity verification. This ensures the party requesting PHI has been authorized to do so.
Further, all communication between ShareScape services and connecting clients is encrypted over the wire with industry standard TLS.
Request a demo today and learn how ShareScape can help your business safely and securely send medical records.