hipaa can you send patient portal information to patient via usps

by Abbigail Nitzsche

Patient Portals and the HIPAA Security Rule - Compliancy …

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530 (c).


To encrypt email communication completely, the patient would need to use a HIPAA compliant email messaging service or secure patient messaging software that supports HIPAA-level encryption. Therefore, it is recommended to send messages to patients that are retrieved in a patient portal or other password-protected secure messaging service.


Does the HIPAA Privacy Rule allow health care providers to use email?

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530 (c).

How do I send HIPAA Phi?

Sep 24, 2019 · Send direct by US Mail. The final method for sending PHI is through the mail. Here too you must comply with HIPAA rules. In some cases, PHI should even be sent by certified mail, which means the intended recipient needs to sign for it. Certified mail provides proof that the mail was delivered and verifies when it was received.

Is it a HIPAA violation to email patient names?

Can you send patient information via email? Yes, as long as the following three requirements are met: The email is sent within UW Medicine (@u.washington.edu, @uwpn.org, @uwp.washington.edu) or to one of our affiliates (@fhcrc.org, @med.va.gov, @psbc.org, @seattlecca.org, @seattlechildrens.org);


Is USPS mail HIPAA compliant?

When sending PHI via U.S. mail, it is not permitted to use the regular mailing service. At a minimum, PHI must be sent through first class postal mail according to HIPAA. However, under some circumstances PHI must be sent using certified mail. Dec 30, 2020

How do you send a patient's protected health information?

If requested by an individual, a covered entity must transmit an individual's PHI directly to another person or entity designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI.

How do I send my medical records to HIPAA compliant?

The HIPAA rules on mailing medical records to patients do not require that any one mailing service be used, nor do they prohibit the use of any one service. Transmitting paper or other tangible PHI by US Mail or by delivery services such as UPS, FedEx, and DHL is permissible. Aug 4, 2021

Is mailing medical records a HIPAA violation?

Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise. Nov 3, 2003

Can you send medical information via email?

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. Dec 15, 2008

What is required for emailing of patient health information?

Patients' names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA. Nov 14, 2021

Can you give patient information over the phone?

Under HIPAA, your health care provider may share your information face-to-face, over the phone, or in writing. ... You are present and do not object to sharing the information.

Can protected health information be emailed?

Answer: The Security Rule does not expressly prohibit the use of email for sending e-PHI. ... The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.

What is the most common HIPAA violation?

1. Failing to Secure and Encrypt Data. Perhaps the most common of all HIPAA violations is the failure to properly secure and encrypt data. In part, this is because there are so many different ways for this to happen. Jul 21, 2021

When can you share patient information?

When a patient is not present or cannot agree or object because of some incapacity or emergency, a health care provider may share relevant information about the patient with family, friends, or others involved in the patient's care or payment for care if the health care provider determines, based on professional ...

What is an example of a HIPAA violation?

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; ... Jan 2, 2022

What is the privacy rule for healthcare?

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.

Can a health care provider send an appointment reminder via email?

For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests ...

Can a patient initiate a communication with a provider?

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

Why do you need to take precautions when using e-mail?

For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.

Why is privacy important in healthcare?

Privacy is essential in the healthcare industry. No one wants their private medical information shared without their consent. For this reason, the “Privacy Rule” was established by the U.S. Department of Health and Human Services in 1996. The Health Insurance Portability and Accountability Act ...

What is HIPAA law?

The Health Insurance Portability and Accountability Act (HIPAA) applies to entities that provide healthcare services. Entities affected by HIPAA include: The rules were created in order to protect the private health information (PHI) of individuals.

What does encryption mean in email?

Encryption means the information is disguised so an unauthorized person cannot read it. However, SSL and TLS alone do not provide enough protection. If you’re sending medical information via email you must: Have a method of verifying the identity of the person who is authorized to receive the information.

How to encrypt PHI?

Encrypt the PHI. Have a method of verifying the identity of the person who is authorized to receive the information. Have a method of revoking access to the information when it’s no longer needed or if you sent the information in error. In order to comply, you would need a specialized email encryption service.

When did the HIPAA Omnibus Final Rule come into effect?

The HIPAA Omnibus Final Rule introduced a number of updates in 2013. The updates cover entities that create, store, receive, or transmit PHI. The new rules apply to entities that store electronic information as well as physical records.

Can you fax PHI?

Faxing PHI is another quick and easy method; however, it can be problematic. Often, fax machines are kept in a public area. Incoming faxes might sit in a tray for hours until someone comes to check. In turn, anyone walking by can see printed faxes sitting out in the open.

What is conduit exception?

In this case, the definition of a conduit is an entity that only transmits or transports PHI. Conduits include the US Postal Service, UPS, FedEx, DHL, couriers, and their electronic equivalents.

Do You Text or Email Patients?

UW Medicine Compliance reminds you about the responsibility of texting or emailing patients. Please read a text conversation between a clinician and compliance analyst to learn more.

Frequently Asked Questions

Reference: UW Medicine Policy Request to Consider Additional Privacy Protection for Protected Health Information (UH1869) – 104.F10

What is a disclaimer in an email?

A disclaimer on your emails should merely inform patients and recipients that the information is PHI and should be treated as such. Your legal department can assist with the verbiage. The key to remember is that no disclaimers will alleviate your responsibility to send ePHI in a secure manner.

Is email secure for patients?

Some caveats to remember: You must have a fully secure, alternative option for the patient to receive the information. You must inform your patients that their email client may not be secure. If they say they still want the information, it’s then permissible to send it.

Can doctors send PHI to work email?

Doctors sometimes work on cases on home computers and then email PHI to their work email. Unless each of those emails is secured with encryption, that would be considered a HIPAA violation.

Should mass emails be avoided?

Mass emails should be avoided. But, if you do need to send mass messages, use a mail merge program or a HIPAA compliant service which creates a separate email for each recipient. The danger of using BCC? Email addresses aren’t reliably hidden from hackers.
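The three email precautions this page describes (sending PHI only to the listed internal and affiliate domains, checking the address before sending, and one message per recipient instead of a BCC blast) combined into a single pre-send gate. This is an added example, not code from the original page or from UW Medicine; the domain lists are the ones quoted above, while the format check, the zone names and the transport labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Domains quoted on this page (UW Medicine and its affiliates). They are treated
# here as an allowlist for sending PHI by ordinary email; every other domain is
# "external" and must go through an encryption service or the patient portal.
INTERNAL_DOMAINS = {"u.washington.edu", "uwpn.org", "uwp.washington.edu"}
AFFILIATE_DOMAINS = {"fhcrc.org", "med.va.gov", "psbc.org",
                     "seattlecca.org", "seattlechildrens.org"}
# Basic address shape check (assumption for this example): local part, "@",
# then a domain with at least one dot and an alphabetic top-level label.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


@dataclass
class Decision:
    recipient: str
    zone: str       # internal | affiliate | external | invalid
    transport: str  # plain | encrypted | reject
    reason: str


def classify(addr: str) -> str:
    """Map an address to a trust zone based on its domain."""
    match = ADDRESS_RE.match(addr.strip())
    if not match:
        return "invalid"
    domain = match.group(1).lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in AFFILIATE_DOMAINS:
        return "affiliate"
    return "external"


def plan_delivery(recipients, contains_phi: bool):
    """Return one Decision per recipient. Expanding the list this way means each
    person gets a separate message, so no recipient list is ever exposed via BCC."""
    decisions = []
    for addr in recipients:
        zone = classify(addr)
        if zone == "invalid":
            decisions.append(Decision(addr, zone, "reject",
                             "address failed format check; confirm it with the patient first"))
        elif not contains_phi or zone in ("internal", "affiliate"):
            decisions.append(Decision(addr, zone, "plain", "no PHI, or trusted domain"))
        else:
            decisions.append(Decision(addr, zone, "encrypted",
                             "PHI to external domain: use the encryption service or a portal notice"))
    return decisions
```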

What is PHI encryption?

Encryption. Encryption is a way to make data unreadable at rest and during transmission. Emails including PHI shouldn’t be transmitted unless the email is encrypted using a third-party program or encryption with 3DES, AES, or similar algorithms. If the PHI is in the body text, the message must be encrypted.

How do you protect messages initiated by patients?

According to the HHS, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. Providers should assume the patient is not aware of the possible risks of using unencrypted email. The provider can alert the patient of those risks, and let the patient decide whether to continue email communications. Remember, you must provide alternate secure methods of providing the information to the patient.

Is PHI secure in transit?

HIPAA requires that PHI remains secure both at rest and in transit. That means PHI must be protected (e.g., by unique user accounts and passwords) while sitting on workstations and servers and encrypted each time the email crosses the Internet or other insecure networks.

What is HIPAA?

HIPAA, or, the US Health Insurance Portability and Accountability Act of 1996 has a pervasive effect on how health plans, billing agencies, information systems vendors and related providers function.

HIPAA Compliant Mail Services Through Postal Methods

Health care providers, health plan providers and health care clearinghouses all have to follow HIPAA regulations when it comes to practicing in their industry and working with sensitive patient information.

Secure, No Fuss Online Mailing Service with Postal Methods

If you are a member of the healthcare industry who is ready to send information to patients through a safe, online mailing service, Postal Methods has the HIPAA protection your clients need.

What are the requirements for HIPAA?

HIPAA protects a patient’s medical information and their personally identifiable information. Texting any of this data to someone else constitutes a HIPAA-regulated data transfer. Here are 18 separate identifiers that would make a text subject to HIPAA requirements:

1. Names
2. Addresses
3. Social Security numbers
4. Dates
5. Telephone numbers
6. Fax numbers
7. Email addresses
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers or serial numbers
13. Device identifiers and serial numbers
14. Web URLs
15. Internet Protocol (IP) addresses
16. Finger or voice prints
17. Photographic images
18. Any other characteristic that can identify a patient

What is HIPAA texting?

HIPAA protects a patient’s medical information and their personally identifiable information. Texting any of this data to someone else constitutes a HIPAA-regulated data transfer. Here are 18 separate identifiers that would make a text subject to HIPAA requirements: Names. Addresses.
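The identifier list above turned into a pre-send check for draft text messages, covering both passages that quote it. This is an added example, not code from the original page; it flags only the identifiers that have a recognisable pattern (SSNs, phone and fax numbers, email addresses, IP addresses, URLs, dates, and record numbers), so a clean result is necessary but not sufficient. The "MRN" number format and the sample message are constructed for this example.

```python
import re

# Pattern-detectable subset of the 18 identifiers listed on this page. Names,
# biometrics and photographs (items 1, 16, 17) have no reliable regex, so a
# clean scan does not prove a message is free of PHI. The record-number form
# (the letters "MRN" followed by five or more digits) is a constructed convention.
IDENTIFIER_PATTERNS = {
    "social_security_numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone_or_fax_numbers": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email_addresses": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_urls": re.compile(r"\bhttps?://[^\s,;]+"),
    "dates": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "medical_record_numbers": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}

# Constructed sample of the kind of reminder a clinic might draft as an SMS.
SAMPLE_SMS = ("Hi Mr. Jones, your results from 03/14/2024 are ready. MRN 0012345. "
              "Call 206-555-0100 or log in at https://portal.example.org to view them.")


def find_identifiers(message: str) -> dict:
    """Return {category: [matched strings]} for every identifier class found."""
    hits = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(message)
        if found:
            hits[category] = found
    return hits


def is_hipaa_regulated(message: str) -> bool:
    """True when any detectable identifier is present. Such a message needs a
    compliant channel (an approved messaging app or the portal), not a standard SMS."""
    return bool(find_identifiers(message))


if __name__ == "__main__":
    for category, values in find_identifiers(SAMPLE_SMS).items():
        print(f"{category}: {values}")
```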

Is texting secure?

Text messages may appear to be secure, but for healthcare organizations, texts need to be more than secure. Text messaging needs to be HIPAA compliant. Let’s discover whether standard text messages can meet HIPAA’s legal standards.

Is texting encrypted?

However, standard text messages aren’t encrypted, and it’s extremely difficult to encrypt a text message using a standard service. Using a standard text message service to transmit patient data is clearly not HIPAA compliant, and your business could get in serious legal trouble for sending patient data over text.

Can you send PHI through text?

Get permission from patients before you send their PHI through texts. A notable exception to HIPAA’s data security requirements is that you can send a patient texts containing their PHI if they understand the risks involved and have signed a waiver. Consider installing HIPAA-compliant text messaging apps.

Is texting HIPAA compliant?

Standard text messaging services aren’t HIPAA compliant, but there are specialized apps that comply with all of HIPAA’s security requirements. By developing new messaging habits, you can keep your patient data secure while using text messaging.

Who is Steve Alder?

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA.

Does HIPAA require encryption?

HIPAA does not require the use of encryption. Encryption is only an addressable standard. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place.