Jun 23

Q&A: E-mailing PHI


Q: Is it considered a breach if a covered entity requests that an individual send protected health information (PHI) via e-mail but does not provide instructions for how to do so securely? Shouldn't the covered entity recommend that the individual encrypt the e-mail to protect the PHI from interception?

A: It is not considered a breach if a covered entity requests that an individual send PHI via e-mail. However, it may be a violation of the HIPAA Security Rule technical safeguards if the covered entity requests the information but does not provide the individual with a way to encrypt the PHI.

If the unencrypted e-mail containing the PHI is intercepted by an unauthorized party, it would be considered a breach. Appropriate practice (and a way to reduce legal risk) would be to ask an individual not to send PHI unencrypted over the Internet.

This tip was adapted from the July issue of Briefings on HIPAA. More information about Briefings on HIPAA is available at the HCMarketplace.
