The Final Omnibus Rule[1] implementing revisions to the Health Insurance Portability and Accountability Act (“HIPAA”) has been in effect for over one year now. While providers have had time to digest the changes brought about by the Final Omnibus Rule, certain provisions continue to cause practical difficulties. One such provision is the expanded patient right to access certain protected health information (“PHI”),[2] which requires covered entities not only to provide electronic copies of information in a designated record set[3] but, according to commentary from the Department of Health and Human Services’ Office for Civil Rights (“OCR”), also to email the electronic PHI (“ePHI”) to patients upon request and to encrypt such emails unless the patient requests otherwise.[4]
History of the Electronic Access Requirement
Over the past ten years, HIPAA has resulted in the promulgation of several rules applicable to “covered entities,” including the Privacy Rule,[5] the Security Rule,[6] the Enforcement Rule,[7] the Breach Notification Rule and, most recently, the Final Omnibus Rule. The Privacy Rule established certain patient rights, including the right to access information held in a designated record set.
Section 13405(e) of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the HIPAA Privacy Rule to require that “in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual” the individual “shall” have the right to obtain the protected health information in an electronic format.[8] In the Final Omnibus Rule, OCR noted that while Section 13405(e) by its terms is limited to covered entities that maintain or use an electronic health record, “incorporating these new provisions in such a limited manner in the Privacy Rule could result in a complex set of disparate requirements….”[9] Therefore, in its amendments to the Privacy Rule, OCR expanded this section of the HITECH Act to cover all PHI maintained electronically in one or more designated record sets, not just the PHI contained in an electronic health record. Further, 45 C.F.R. §164.524(c)(2)(ii), as revised, requires that the health information be provided in the “electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.”[10]
In commentary to the Final Omnibus Rule, OCR noted that it was allowing a certain degree of flexibility in determining the “form or format” in which the electronic information would be provided. Specifically, OCR noted “because we did not want to bind covered entities to standards that may not yet be technologically mature, we proposed to permit covered entities to make some other agreement with individuals as alternative means….”[11] OCR observed that PDF is one widely recognized format. If the covered entity is unable to produce the electronic information in the form and format requested by the patient, the covered entity must offer other electronic formats.[12]
Patient Right to Receive Information Via Email
Neither the HITECH Act nor the revised regulation specifically mentions a requirement that covered entities make PHI available by email. As noted above, OCR gave covered entities flexibility in the form and format, noting that “[a] covered entity is not required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily producible…provided that the covered entity is able to provide some form of electronic copy.”[13] However, OCR has provided increasingly specific guidance reflecting its apparent expectation that covered entities accommodate individuals’ requests for email communications and, more recently, its expectation that covered entities have the ability to encrypt such emails unless the individual requests otherwise.
The concept of a patient requesting electronic information through email first arose in the Proposed HITECH Rules, which were published on July 14, 2010.[14] As a corollary to the discussion of the “form or format” of electronic information, OCR noted that a covered entity could assess a reasonable cost-based charge for electronic media, such as a USB flash drive or CD, when a patient does not provide his or her own. However, OCR further noted that a covered entity could not require a patient to purchase a certain type of media in order to receive the requested information. For example, a covered entity could not require a patient to purchase a USB flash drive in order to obtain access to an electronic record. OCR noted that one option would be to have an individual provide his or her own CD or USB flash drive. OCR further stated “if an individual requests that an electronic copy be sent via unencrypted e-mail…the covered entity would not be allowed to require the individual to instead purchase a USB flash drive.”[15] This commentary presented unencrypted email as one solution for a patient who did not want to pay for media to transfer the electronic records, but it did not establish the right to receive medical records via email as an independent right. Further, this commentary did not appear to preclude covered entities from offering other options, such as providing media free of charge.
In the Final Omnibus Rule, OCR addressed commenters’ concerns regarding the statements related to unencrypted emails in the Proposed Rule. Specifically, covered entities were concerned about the burden associated with educating individuals regarding the risks of unencrypted emails. In discussing its previous statements, OCR took the analysis one step further and stated that individuals have a right to receive unencrypted email. Specifically, OCR stated “if individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way. . . .”[16] (emphasis added). The focus of this commentary is on whether entities are permitted to send ePHI via unencrypted email; it does not address whether entities must have the capability to send encrypted emails to patients. It was not until more recently that OCR specifically addressed encrypted email.
In the February 6, 2014 Final Rule titled CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports (“the HIPAA/CLIA Final Rule”),[17] OCR again addressed the issue of email access to ePHI. Because the main focus of this rule was to remove CLIA and HIPAA barriers so that patients could directly access laboratory results, the commentary to this rule was in the context of laboratory obligations. However, the guidance is arguably applicable to all covered entities that must comply with the patient right-to-access provisions. In the commentary to this Final Rule, OCR states that “individuals also may request that a laboratory e-mail an electronic copy of a test report. In e-mailing copies of test reports to individuals, HIPAA-covered laboratories are required to comply with the HIPAA Security Rule, which, among other requirements, requires implementation of technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”[18] OCR goes on to state that encryption is required as a security measure when transmitting ePHI where it is “reasonable and appropriate,” and that “in general, encryption is a reasonable and appropriate measure to safeguard email transmissions.”[19] OCR recognized that there may be times when patients do not want to receive an encrypted email, and the HIPAA-covered laboratory is “permitted” to send the information via unencrypted email, provided the individual is advised of the risks of such information being sent via unencrypted email.[20] This commentary reaffirms patients’ right to access electronic records through email communications, but it also appears to require encryption unless it is the patient’s choice to receive an unencrypted email.
Because encryption of data during transmission is deemed to be an “addressable” implementation specification,[21] covered entities must implement encryption if it is “reasonable and appropriate.”[22] Covered entities may also choose to “implement an equivalent alternative measure” where it is reasonable and appropriate.[23] As discussed above, OCR has taken the position that “in general encryption is a reasonable and appropriate measure to safeguard email transmissions.”[24] These comments fail to recognize, however, that covered entities may have chosen not to implement email encryption technology, especially if they do not intend to use email as a means for transmitting ePHI. For example, instead of implementing email encryption solutions, some covered entities might have chosen to implement policies prohibiting email as a means for transmitting ePHI. It is unclear from OCR’s recent commentary whether a decision to avoid emailing ePHI is still a viable option for covered entities.
If patients request email communications through the procedures outlined in the covered entity’s HIPAA privacy notice for obtaining electronic access to information, covered entities should either send the requested information using encryption technology or inform the individual of their inability to do so. If individuals wish to receive unencrypted emails, either because of the covered entity’s inability to send encrypted emails or because of the individual’s preference (e.g., the individual has difficulty with the encryption technology), covered entities should develop policies and procedures to ensure that the patient has been adequately informed of the risks and that such communications have been documented. Although OCR does not provide guidance regarding the type of documentation that should be maintained, covered entities may want to consider using a form that outlines the risks and requires the individual’s signature, or the signature of the personnel who read the risks to the patient by telephone. As with all HIPAA compliance documentation, documentation of risk notification should be maintained for at least six years.[25]
As electronic health records become more prevalent due to the “Meaningful Use” program[26] and additional patient engagement fueled by healthcare reform, requests for email from patients will likely increase. While an individual’s right to receive electronic information in an electronic format is clear, OCR’s recent commentary on a covered entity’s duty to accommodate email requests by using an encrypted solution arguably goes beyond the regulatory requirements of the HIPAA Security and Privacy Rules as currently written. Covered entities should carefully monitor developments and additional guidance in this area. In light of OCR’s recent statements regarding patients’ right to receive email communications, covered entities may want to explore email encryption solutions to accommodate patient requests for email and avoid the possibility of running afoul of OCR’s expectations.
Endnotes
1. See U.S. Department of Health and Human Services, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (January 25, 2013), available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
2. Protected Health Information is generally any information that can be used to identify an individual. Individually identifiable health information is defined as that which relates to the “past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care . . . .” See 45 C.F.R. §160.103.
3. A designated record set generally includes medical records and billing records held by a healthcare provider, as well as enrollment, payment, claims adjudication, and case or care management records held by a health plan. See 45 C.F.R. §164.501.
4. See 79 Fed. Reg. 25 (February 6, 2014) 7290 at 7302, available at http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf.
5. 67 Fed. Reg. 53182 (August 14, 2002), available at http://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf.
6. 68 Fed. Reg. 8334 (February 20, 2003), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf.
7. 71 Fed. Reg. 8389 (February 16, 2006), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.html. See also the HITECH Enforcement Interim Final Rule at 74 Fed. Reg. 56123 (October 30, 2009), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.
8. Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Pub. Law 111-5, Section 13405(e), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.
9. 78 Fed. Reg. 17 (January 25, 2013) at 5631, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
10. 78 Fed. Reg. 17 (January 25, 2013) at 5632, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Note that this requirement preempts any state laws unless the state laws allow for greater rights of access.
11. 78 Fed. Reg. 17 (January 25, 2013) at 5632, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
12. 78 Fed. Reg. 17 (January 25, 2013) at 5633, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
13. 78 Fed. Reg. 17 (January 25, 2013) at 5633, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
14. See Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule; 75 Fed. Reg. 40868 (July 14, 2010), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf.
15. Id. at 40902.
16. 78 Fed. Reg. 17 (January 25, 2013) at 5634, available at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
17. 79 Fed. Reg. 25 (February 6, 2014) 7290, available at http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf.
18. Id. at 7302.
19. Id. at 7302.
21. 45 C.F.R. §164.312(e)(2)(ii).
22. 45 C.F.R. §164.306(d)(3)(i).
23. 45 C.F.R. §164.306(d)(3)(ii)(B)(2).
24. 79 Fed. Reg. 25 (February 6, 2014) at 7302.
25. 45 C.F.R. §164.316(b)(2)(i).
26. This program, created by the HITECH Act, provides incentives for certain providers to adopt electronic medical records and penalties for those who do not.