Please correct me if I am wrong, but I thought we had discussed that if a patient requests their medical records by email and acknowledges that it is not a secured transmittal, we should still comply with whatever format they have requested, within reason.
After review of our Cyber Security Risk Assessment by an outside company, they are saying email should not be a form of ePHI and the company assumes liability until the delivery of the medical records to the patient.
Thoughts/discussion on this would be greatly appreciated.
Denise Gilley
------------------------------
Denise Gilley
Site Supervisor, HIPAA Privacy Office
Urology Centers of Alabama
Cullman, AL
------------------------------