Q: Is it considered a breach if a covered entity requests that an individual send protected health information (PHI) via e-mail but does not provide instructions for how to do so securely? Shouldn't the covered entity recommend that the individual encrypt the e-mail to protect the PHI from interception?
A: It is not considered a breach if a covered entity requests that an individual send PHI via e-mail. However, it may be a violation of the HIPAA Security Rule technical safeguards if the covered entity requests the information but does not provide the individual with a way to encrypt the PHI.
If the unencrypted e-mail containing the PHI is intercepted by an unauthorized party, it would be considered a breach. Appropriate practice (and a way to reduce legal risk) would be to ask an individual not to send PHI unencrypted over the Internet.
This tip was adapted from the July issue of Briefings on HIPAA. More information about Briefings on HIPAA is available at the HCMarketplace .