A covered entity can only send electronic protected health information (ePHI) through an unsecured app if a patient requests it. If a patient asks to have their ePHI sent through an app that isn’t secure, the responsibility first lies with the covered entity to clearly explain the risks to the patient. If the patient still chooses to proceed after understanding these risks, the covered entity won’t be held responsible for any data breaches that occur after the information is sent.
The HHS states, “The Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.”
HIPAA allows healthcare providers to communicate with their patients electronically, including through email, as long as they take reasonable precautions. For instance, before sending an email, providers should verify the email address and might even send a confirmation alert to the patient. Although unencrypted email is not prohibited for treatment-related communications, providers should limit the sensitive information shared and use safeguards to protect privacy.
Under the HIPAA Security Rule, any transmission of ePHI must also meet specific security requirements. Patients have the right to ask for communications through alternative means or locations, and providers must accommodate these requests if reasonable. For example, if a patient prefers receiving appointment reminders via email instead of postcards, the provider should honor this preference.
Patients have the right to access their PHI and direct how it's sent, including through unsecured means like unencrypted email. If a patient requests that their PHI be transmitted in this way, the covered entity must comply but should take reasonable precautions, like confirming the email address.
Although covered entities must inform patients about the risks of unsecured transmission, they are not liable if the PHI is intercepted during transit, provided the patient has acknowledged and accepted these risks. Once the PHI reaches the patient, the entity's responsibility for safeguarding that information ends. However, entities are still obligated to report any breaches of unsecured transmissions.
If a covered entity sends ePHI through an unsecured app at a patient's request, the entity itself is not typically liable for data breaches that occur as a result. The covered entity, however, must inform the patient about the potential risks of using an unsecured app. If the patient understands and still agrees to this method, the covered entity has met its obligation.
The entity must ensure that all other HIPAA requirements are followed, like verifying the patient's identity and documenting the patient's consent for unsecured transmission. While the covered entity should take reasonable steps to protect the ePHI, it is not liable for interceptions or breaches that happen once the information has been sent through the chosen app, as long as the patient was made aware of and accepted the risks involved.
Electronic protected health information is any protected health information created, stored, transmitted, or received in any electronic form or media.
The Security Rule is a HIPAA mandate that requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Patients' rights under HIPAA include the right to access their health information, request corrections, and obtain a record of disclosures, along with the right to request confidential communications and file complaints if they believe their rights have been violated.