Compliance Question of the Week

You have a practice that is wondering: if they send email internally (Physician to PA) containing only the patient's medical record number, is that acceptable under HIPAA?

Healthcare Compliance Pros Response:

Under the HIPAA Privacy Rule, covered health care providers are allowed to share PHI electronically (or in any other form) for treatment purposes, as long as they apply reasonable safeguards when doing so. For example, a physician may consult with another physician by email about a patient's condition. In addition, the Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. 164.530(c).

Based on the facts restated above, health care providers are allowed to share PHI electronically. In our opinion, only sending the patient's medical record number without a name or any other personal information is a reasonable safeguard, and it would be acceptable under HIPAA. This would not be against HIPAA regulations.

If you have any additional questions or require further assistance, please do not hesitate to contact one of our professional consultants.