BU Data Protection – Release of Electronic Protected Health Information


This document provides the approved methods for releasing Protected Health Information (PHI) in electronic form, when required or permitted under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA requires Covered Components to provide a copy of an individual’s Protected Health Information in a “designated record set” to the individual or a specified third party, upon request, subject to certain grounds for denial. See BU Info Security Policy 1.3, Boston University and the HIPAA Privacy Requirements

HIPAA permits Covered Components to disclose Protected Health Information with the individual’s authorization and in certain circumstances without the individual’s authorization. See, BU Info Security Policy 1.3, Boston University and the HIPAA Privacy Requirements

This document is an addendum to (and therefore part of) the BU Data Protection Standards.  Departments are permitted to develop local policies, standards and guidelines as long as they are not less restrictive than or contradictory to this document.

Purpose & Scope

“Protected Health Information”, or PHI, is classified as Restricted Use data as defined in the BU Data Protection Standards and must therefore be accorded the strictest protections; however, an individual may request that a copy of his/her own health information be provided to him/her or to a specified third party in electronic format and may even request that those records be sent via an unsecured e-mail account.  The individual may also request a summary or explanation of the medical records.  In all such cases, use the Authorization form and follow the process below.

Standard Operating Procedure

It is strongly recommended that electronic PHI be transmitted via encrypted email (see below for details).  If, and only if, this approach will not work for a given patient/client or in a given situation, there are other acceptable approaches that can be taken in accordance with the individual’s signed Authorization.

In those cases where the electronic PHI is being transmitted without the individual’s authorization (e.g. for treatment, payment, or health care operations purposes, as permitted by HIPAA), the electronic PHI must be transmitted via encrypted email.

Providing data via a secure e-mail (recommended)

DataMotion SecureMail is provided for the purpose of sending sensitive information via e-mail securely.  SecureMail encrypts all the mail messages and provides a record when those files have been retrieved by the recipient.  It is recommended that Covered Components use the e-mail form provided in Appendix A whenever records are sent to a patient/client via e-mail (whether or not encrypted).

Providing data via CD (recommended)

Covered Components may copy requested records to a blank CD and provide that CD to the recipient as directed on the Authorization form.

Providing data via a personal e-mail account (not recommended; only upon Client request)

The patient/client may request that the files be provided via an unsecured e-mail account.  Covered Components are permitted to accede to this request, and the Authorization form provides for this type of request, provided that the individual accepts responsibility for the security of the information that is being transmitted.  It is recommended that Covered Components use the e-mail form provided in Appendix A whenever records are sent to a patient/client via e-mail.

USB sticks provided by the covered entity (acceptable)

It is understood that some patients/clients do not have easy access to a computer.  Covered Components wishing to accommodate this may, at their option, have a stock of USB sticks on hand for use in providing medical records for patients/clients that make this specific request.  The Authorization form provides for this type of request.  Covered Components not wishing to provide this option may remove it from the Authorization form.

Important: Once a USB stick has been provided to the patient/client, it is no longer to be trusted. Do not accept it back or inserted into any computer.  See below.

Providing data via USB stick provided by the clients (prohibited)

Do not insert unknown USB sticks into your computer. USB sticks may be infected with malicious software which would allow someone to compromise your computer system and take control of it by simply inserting the USB stick into your computer.

Unless a USB stick has come directly from a trusted source—has been newly purchased or has been provided by your IT organization—it should not be trusted.

Once a USB stick has been in the control of a patient/client or other unknown person, do not accept it back and do not insert into your computer.  For example, a patient/client having their own computer with them may request that records be provided to them via a USB stick.  If you use even your own USB stick to provide those records that USB stick might be infected with malicious software (either purposefully or unknown to the patient/client) when the patient/client inserts that stick into their computer.

Providing data in the form of physical printouts (acceptable)

If none of the approved electronic means are acceptable to the patient/client, the Covered Component is permitted to provide the requested records in the form of a fax or physical printouts.

Recommended email communication form

The message below contains important information for any patients/clients receiving messages containing medical records or health information via e-mail.  It is recommended that you use this form when sending medical records or health information to any patient/client via e-mail, whether that message is sent via secure mail or sent to a personal e-mail account, in accordance with this policy.

Dear <name>,

The medical records or health information you requested on <date> is attached to this message.  Remember that you are responsible for the security of this information.

Most commercial e-mail solutions are not encrypted; this information may be read by anyone with access to your e-mail account.  Similarly, if you copy this information to a computer or other electronic device, it may be accessible to anyone that has access to that device.



<Organization name>



If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, a reasonable, cost-based fee may be imposed, provided that the fee includes only the cost of:

  • Labor for copying the protected health information requested by the individual, whether in paper or electronic form;
  • Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
  • Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
  • Preparing an explanation or summary of the protected health information.  Any fees required for providing an explanation or summary must be agreed to by the individual prior to being done.


Data Security Incident Reporting

If you suspect that a person is attempting to gain unauthorized access to another person’s medical information, contact your supervisor.

Any unauthorized disclosure or loss of PHI must be reported in accordance with the Data Security Incident & Breach Reporting Policy



Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Boston University.  The unauthorized or unacceptable use of University Data, including the failure to comply with these standards, constitutes a violation of University policy and may subject the User to revocation of the privilege to use University Data or Information Technology or disciplinary action, up to and including termination of employment.


References | History | About


Key Contacts

BU Information Security Policy 1.3, Key Contacts


Date Action By Supersedes
mm/dd/2013 Original Draft Quinn R. Shamblin, Tammy Pruneu, BU Information Security –Original–
mm/dd/2013 Reviewed and Advised BU Information Security Governance Committee –Original–


  • Standard Number: 1.3.2
  • Effective Date: xx/xx/2013
  • Policy applicable for: All
  • Responsible Office(s): BU Information Security
  • Policy Owner and Source of Approval: Information Security & Business Continuity Governance
  • Associated Standards/Regulations: Health Insurance Portability and Accountability Act (HIPAA)