HIPAA Compliant Electronic Health Record Transfer

by Juan Martin Palomo DDS, MSD


My presentation at the upcoming AAO meeting in New Orleans will address common questions regarding the use of email for the transfer of patient records. Transferring electronic health records in compliance with HIPAA (Health Insurance Portability and Accountability Act) does not seem to be a requirement for every orthodontist. Only “covered entities” under HIPAA are subject to the standards, though it is still good business practice to make sure that health records are stored and sent using proper security, even if a provider is not a “covered entity”.

There is no “one size fits all” approach for covered entities when it comes to using appropriate safeguards for the transmission of EHR (Electronic Health Records). The amount, type and destination of the EHR sent determine what safeguards should be in place for a provider. The Secretary of Health and Human Services (HHS) does not adopt a single industry-wide standard for encryption. The most specific guidance available from HHS can be summarized as follows:

“The Security Rule does not expressly prohibit the use of email for sending EPHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to EPHI.  The standard for transmission security also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI (Protected Health Information) as it is transmitted, select a solution, and document the decision. The Security Rule allows for EPHI to be sent over an electronic open network as long as it is adequately protected.”

The objective at hand is to send sensitive information to a specific recipient while eliminating the risk of interception or viewing by others. When a client uses a webmail service, all information, including the email text and all attachments, both received and sent, is stored on the server of the sender’s webmail service. Depending on the webmail service, that server may or may not be secure and encrypted. The AAO provides a secure encrypted server to members who use the AAO webmail. When an email with an attachment is sent, a copy of the information usually travels from the sender’s webmail server to the recipient’s email server. The message and its attachments could be intercepted during that transfer, and/or the recipient’s server could be a non-secure destination.

My presentation at the AAO annual session will present three techniques for legally transmitting patient information via email. See you on Saturday morning at the AAO.
