For years, medical practices have been sending patient records back and forth by email. So you may ask yourself, "if it's not broke, why fix it?" Well... it actually is broken. Apart from being an inefficient way to move large files, refusing to invest in a secure platform for sending and receiving sensitive data can cost your practice far more than money.
How Did We Get Here?
After the dot-com boom of the late 1990s and early 2000s, email quickly became the go-to way to send a message in both the personal and professional world. But what happens to a medical record once it has been emailed? Is it safe?
Data breaches are becoming increasingly widespread, and medical data is no exception. One ProPublica investigation found that millions of medical records were sitting on servers with no protection at all. According to the piece, "Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser and a few lines of computer code can view patient records."
The HIPAA Journal's April 2021 Healthcare Data Breach Report indicates that email is the second most common location of breached healthcare data, just behind network servers, and that the frequency is increasing: "April [had] 62 reported breaches of 500 or more records – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month." You may be thinking "that could never happen to me," and you may be right. But what would happen if it did?
Is It Legal to Email Medical Records?
The short answer is yes, but be very careful. The HIPAA Security Rule does not expressly prohibit the use of email for sending electronic PHI (ePHI). However, "the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI sent and received over email communications" (Enguard).
Doctors and their staff are required by law to have appropriate administrative, physical, and technical safeguards in place when handling ePHI, and failing to do so carries serious consequences. Note that encryption of ePHI in transit is an "addressable" implementation specification under the Security Rule (45 CFR § 164.312(e)(2)(ii)): a practice must either encrypt records it emails or document why an equivalent alternative safeguard is reasonable and appropriate, and in practice encryption is the expected answer. Sharing medical images in a non-compliant fashion exposes you to large civil penalties (historically capped at $1.5 million per violation category per calendar year, with the caps adjusted upward for inflation) and, where PHI is knowingly disclosed in violation of the law, to separate criminal liability that can include fines and imprisonment.
Should I Stop Emailing Medical Files?
Despite these risks, many doctors need access to patient images anywhere, at any time. So how can you get it without exposing your practice? Start by understanding the HIPAA requirements that apply, so you can make an informed decision about what is best for your practice. As stated above, emailing medical records is not illegal, but if you choose to do so you must take extra steps to protect yourself: the record should be encrypted so that it is not readable in transit or while it sits in a mailbox (opportunistic TLS between mail servers does not guarantee either), and access to the mailboxes that send and receive it should be restricted to the staff who need it.
If you're uncomfortable with the risk of emailing medical records, consider a purpose-built solution for storing and accessing them. As you explore options, look for a partner that protects both the quality and the security of your patients' medical records (hint: it's not Dropbox either).