Emailing X-rays can be a HIPAA violation if not done through a secure platform that offers encryption, access controls, and audit controls to protect patient privacy.
HIPAA and PHI
The Health Insurance Portability and Accountability Act (HIPAA) safeguards protected health information (PHI), including any information that can identify a patient and is related to their health condition or treatment. So, X-rays that contain identifiable patient information will fall under PHI.
The HHS also explains that patients have the “right to receive [their] PHI… maintained by a covered entity in a designated record set, such as a medical record [including] X-rays or other images in the record.” So, providers must share X-rays with patients upon request, either in person or through secure emails.
However, emailing X-rays can be risky if security measures, like encryption, aren’t implemented. Unencrypted emails can be intercepted, leading to unauthorized access, violating patient privacy, and breaching HIPAA regulations, which can result in fines and legal repercussions.
How to safely email X-rays
1. Patient consent: Providers must obtain explicit patient authorization before emailing patient X-rays that contain PHI.
2. Encryption: HIPAA compliant emailing platforms, like Paubox, automatically encrypt all outgoing emails. Encryption transforms the email content into a form that only authorized recipients can read, protecting emailed X-rays in transit and at rest.
3. Access controls: Providers must implement access controls, like two-factor authentication (2FA), so only authorized staff can access emails with X-rays. Additionally, role-based access controls ensure that staff only access the information necessary for their roles.
For example, a receptionist should not have the same level of access to patient X-rays as a radiologist; limiting access this way protects patient privacy and promotes a culture of data security within the organization.
4. Audit controls: HIPAA compliant emails can help providers track and monitor the transmission and access of emails containing PHI. These audit logs can help providers identify unauthorized access attempts and respond to potential breaches.
5. Training: Provider organizations must regularly train their staff on HIPAA compliance. Specifically, staff must know how to securely send X-rays via HIPAA compliant emailing platforms and how to properly handle PHI.
6. Business associate agreements (BAAs): If providers use a third party to send the email, like a HIPAA compliant emailing platform, there must be a business associate agreement in place so the third party is also bound by HIPAA regulations and will protect patient PHI.
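To make points 3 and 4 concrete, here is an added example (not Paubox code, and not part of the original article) of a least-privilege authorization check that records every decision to an audit log, so that denied attempts on X-ray attachments by a role such as receptionist can be surfaced for follow-up. The role names, permissions and threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from collections import Counter

# Assumed role-to-permission map (least privilege: a role gets only what its duties need).
# These names are illustrative, not a standard or a product feature.
ROLE_PERMISSIONS = {
    "radiologist": {"view_xray", "send_xray", "view_record"},
    "physician": {"view_xray", "view_record"},
    "receptionist": {"view_record_metadata"},
}

@dataclass
class Staff:
    user_id: str
    role: str
    mfa_verified: bool  # second factor completed for this session (the 2FA control)

@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    action: str
    resource: str
    allowed: bool
    reason: str

AUDIT_LOG: list[AuditEvent] = []  # constructed in-memory log standing in for a real audit store

def authorize(user: Staff, action: str, resource: str) -> bool:
    """Decide whether user may perform action on resource; every decision is logged."""
    if not user.mfa_verified:
        allowed, reason = False, "2fa_not_verified"
    elif action in ROLE_PERMISSIONS.get(user.role, set()):
        allowed, reason = True, "role_permits"
    else:
        allowed, reason = False, "role_lacks_permission"
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                user.user_id, action, resource, allowed, reason))
    return allowed

def denied_attempts_by_user(log: list[AuditEvent], threshold: int = 2) -> dict[str, int]:
    """Users with at least `threshold` denied attempts: candidates for breach follow-up."""
    counts = Counter(e.user_id for e in log if not e.allowed)
    return {user: n for user, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    authorize(Staff("u-rad", "radiologist", True), "view_xray", "xray-001")
    authorize(Staff("u-rec", "receptionist", True), "view_xray", "xray-001")
    authorize(Staff("u-rec", "receptionist", True), "view_xray", "xray-002")
    print(denied_attempts_by_user(AUDIT_LOG))
```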
FAQs
Does HIPAA apply to emailing X-rays?
Yes, X-rays often contain protected health information (PHI), so providers must use a HIPAA compliant emailing platform, like Paubox, to secure emailed X-rays during transmission and at rest.
Can patients request copies of their X-rays?
Yes, HIPAA allows patients to request copies of their medical records, including X-rays. Providers can securely fulfill these requests either in person or via HIPAA compliant emails.
Can HIPAA compliant emails include attachments?
Yes, HIPAA compliant emailing platforms, like Paubox, automatically secure attachments like X-rays and other medical records to protect patient privacy.