HIPAA Guidelines For Mailing Medical Records to Patients
- Polly Bray
- Nov 24, 2023
The HIPAA rules set forth strict guidelines that healthcare providers and organizations must follow when mailing confidential medical records to patients. Failure to do so can result in unauthorized access to protected health information (PHI) or other sensitive data, and ultimately lead to costly penalties.

While HIPAA does allow patients to sue healthcare facilities or workers for violating patient privacy, such lawsuits are rare. Unless the violation is due to gross negligence and professional malpractice, most patients will choose to report the healthcare provider or facility to the Office for Civil Rights (OCR) instead of filing a lawsuit.
Can a healthcare provider charge a fee for mailing medical records to patients?
The Privacy Rule permits covered entities to charge individuals a reasonable, cost-based fee for providing them copies of their PHI. The fee may include the costs of labor to locate and review the information, and segregate, collect, compile, or otherwise prepare the information for copying. It also may include the costs of supplies and postage.
When sending medical records to patients, it is important to remove all identifiers from the paperwork. This includes the patient’s name, date of birth, address, and any other information that could connect the individual to their health history. It is also important to ensure the proper security measures are put in place to safeguard the documents during transit. In addition to physical damage, sensitive documents are prone to hacking, which can lead to serious violations of patient privacy and expensive penalties for healthcare providers.