• E-mail
• Print
• RSS

Q: Can a covered entity provide copies of a patient's designated record set via the Web by sending the patient an e-mail when his or her records are available? Does this vary from state to state?

HIPAA Weekly Advisor, August 20, 2007

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

A: A covered entity can distribute records via a Web site as long as it adheres to the following:

• The organization has appropriate security to authenticate the patient, generally by providing patients with an initial login ID and password "out of band," meaning through the mail or in person
• The Web site is secure (at least 128-bit encrypted)
• The records are available on the site for pickup for only a set period of time
• There is an audit trail that the organization reviews periodically

When signing up new patient users, it is a good idea for your covered entity to provide patients with a onetime-use password and require them to change it to a strong password (i.e., at least six to eight characters in length, discouraging the use of names or Social Security numbers, and requiring the use of both alpha and numeric characters in the password).

There are no additional restrictions in state law as it relates to the way you convey information to the patient. There may be restrictions regarding content (e.g., a patient cannot view certain types of records, such as mental health records, without the review of a professional to determine whether the information could be harmful to the patient or others, etc.), but as long as you have installed appropriate security, state laws generally do not prohibit such exchanges.

Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive