8

I participate in a mailing list where the following question was asked, without satisfactory feedback, and am interested in the correct answer.

Several referring physicians have requested that an imaging center send them a list of patients that are scheduled and completed at the end of each. They wanted the Patient Name, Date of Birth, and date of imaging study included in the email.

The question is, according to HIPAA, does this information need to be secure/encrypted when transmitted to the referring physician? Or, is the information limited enough that it could be sent in a plain text email?

Steve Wranovsky
  • I would imagine yes, but then again, I get a little nervous even when my own name is in a plain text email ;) – Mar 14 '12 at 05:16

2 Answers

9

HIPAA does not explicitly require emailed PHI to be encrypted. HIPAA requires "reasonable" protection/considerations etc. when emailing PHI.

HIPAA does require secure transit of PHI, which could easily be violated (e.g. using a webmail client over http vs. https).

So it is not directly a breach of HIPAA. HOWEVER, the bottom line is that unencrypted email is a risky approach. You are dependent on email privacy policy adherence, you are dependent on never accidentally sending to the wrong person (which is a required event to report as a HIPAA breach), and other concerns.

DIRECT, as mentioned by Freiheit, is a direct exchange protocol on the uptake that not only ensures the proper recipient, but authenticates the sender as a trusted source as well, through pre-established circles of trust, so to speak.

There are also other basic services such as Zix (a very straightforward secure email service that basically emails your recipient a message: "hey, some stuff was sent... click here and prove it's you [login to secure server] to read it").

If it's a theoretical debate on your thread, you can say "technically it's legal". If it's in consideration for building a workflow to share that reason, choose another path.

Some decent opinions/descriptions: http://blogs.hcpro.com/hipaa/2010/01/phi-in-e-mail/

6

This is personally identifiable health information that was created by a health care provider.

I would think you should encrypt that email. From: http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include/

Protected Health Information

To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification. These statutory definitions are of health information and individually identifiable health information.

“Health information means any information, whether oral or recorded in any form or medium, that–

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

DKnight