A caller requests their medical information via email. What is a compliant approach?

Protecting PHI and using secure channels is essential. When a caller asks for medical information by email, the compliant approach is to avoid sending PHI through unsecured email, verify the patient’s identity, and share the information through a secure portal or another approved, secure method. This protects privacy and meets HIPAA privacy and security requirements, ensuring the information goes to the right person through a trusted channel. Emailing PHI unsecured—even if the address on file is used—can expose sensitive data to interception. Simply forwarding the request to a physician or having the patient come in person doesn’t address delivering the information securely in response to an email request. If the patient cannot be reached securely, an alternative secure method should be used or an in-person/alternative compliant process should be offered.