Patients’ Access Rights Mean New Requirements

Covered entities (CEs) and Business Associates (BAs) will need to ensure they can produce an electronic copy for patients if that is how data is kept. CEs will also have to give patients the option of receiving their records through unencrypted emails and other electronic formats considered to be “unsecure” while warning them of risks.

  • Update policies and procedures on patients’ and individuals’ rights: the new HITECH Act final rules issued on March 26 will necessitate changes in medical records policies and procedures by CEs and BAs.
  • There are tighter timeframes to produce patient records, as well as a new mandate to restrict protected health information (PHI) from going to a patient’s health plan under specific circumstances.
  • The provisions regarding patient access are likely to be an early focus of attention by the Office for Civil Rights.


Implementation Challenges:

  • Sending PHI in an unsecured manner to patients, if that is their wish.
  • The security rule says you should be encrypting where reasonable and appropriate, but the security rule does not undermine the patient’s right to receive communications in the location, form and format they request, as provided for under the privacy rule first adopted in 2003.
  • CEs are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.
  • The CE is expected to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If the individual is notified of the risks and still prefers unencrypted email, the individual has the right to receive PHI in that way, and CEs are NOT responsible for unauthorized access of PHI while in transmission to the individual based on the individual’s request. Also, CEs are NOT responsible for safeguarding information once delivered to the individual.


It is suggested that you document that you have discussed the risk involved with sending PHI in an unencrypted email and place the document in the patient’s electronic file. 


Contact Ann Deen at with questions.