With changes to the Privacy Rule and Health Insurance Portability and Accountability Act requirements, many dental offices question how and when they are required to provide patients with their Protected Health Information (PHI) on request.
In general, covered entities are required to provide PHI to a patient if the record is:
- Maintained by the office
- Maintained by a business associate of the office
Covered entities must provide access to PHI regardless of whether the information is maintained in paper or electronic format. The office must try to provide the PHI in the patient’s preferred format.
If a patient requests an electronic copy of PHI that your office has only in paper form, you must try to provide the information electronically, for example by scanning the document and emailing it to the patient.
With the new clarification from the Office for Civil Rights, covered entities are allowed to send PHI by unsecured email. But before you send unsecured PHI, make sure you:
- Explain the possible risks of using unsecured email
- Confirm the patient still wants their PHI sent by unsecured email
Once those steps are taken, you can send your patient’s PHI via unsecured email. However, your office may still want to consider a secure email service, so you can communicate with other dental offices and/or meet requests from patients who want their PHI sent securely.
Phase two of audits is beginning. Get more specific information on HIPAA requirements at www.hhs.gov/hipaa to make sure your practice is compliant.
The Digital Dental Record is your independent resource and trusted advisor for HIPAA-compliant business and technology solutions. Visit us at www.dentalrecord.com.
Read more about the HIPAA audits at wda.org/blog/16979.