Daniel Solove via Teachprivacy.com 11/29/2018
Have you ever asked your healthcare provider to send you medical records by email? Most likely, you’ve received the reply: “We can’t do that. We can only fax them to you or provide you with a paper copy.” This answer is wrong.
HIPAA’s right for individuals to access their health information, 45 CFR § 164.524, provides:
The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.
Further, HIPAA provides:
[I]f the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
Let’s say that you want your medical records emailed to you. Your healthcare providers says that it will only provide records to you in person or via fax. But who really has fax machines these days? This technology went out with the dinosaurs. You don’t want to trek down to the facility, so you insist on the records being emailed to you. You are told that there’s a policy against emailing medical records because it is too insecure — doing so would violate HIPAA.
But the truth is the other way around. HIPAA requires that the patient request be granted — even if insecure (though there are easy ways to send documents securely via email).
HHS’s guidance provides the following concrete examples — I’ve bolded the most important points:
Read more here