Is It Okay to Email Medical Records to Patients Under HIPAA?
Yes, it can be. HIPAA does not ban emailing medical records to patients. What HIPAA does require is that you handle the request under the right framework, apply reasonable safeguards, and comply with the Security Rule where electronic protected health information is involved.
Clinics often get tripped up because they treat “emailing records” as one scenario. In reality there are two distinct situations with different expectations. The first is when a patient is exercising their HIPAA right of access and wants their records delivered by email. The second is when you are using email as a routine communication channel about care. Both can be permissible, but the compliance reasoning is not identical.
Informational note: This article is for informational purposes only and does not constitute legal advice.
Scenario 1: The patient is requesting records under the HIPAA right of access
When a patient is asking for their medical records, they are usually invoking the HIPAA right of access under 45 CFR 164.524. In that context, email is not an exotic delivery method. HHS guidance states that covered entities must provide access in the manner requested by the individual to the extent the copy would be readily producible in that manner, and it explicitly treats mail and email as generally readily producible. HHS also states it expects all covered entities to have the capability to transmit PHI by mail or email, with limited practical exceptions such as email file-size constraints for large diagnostic images.
This matters because some clinics attempt to force in-person pickup or portal-only delivery. HIPAA does not let you impose unnecessary barriers like requiring a patient to travel to your location if they request the records be mailed or emailed, assuming the records are readily producible that way.
Timing still applies
Emailing the records does not change the timeline. HIPAA requires you to act on the access request no later than 30 calendar days from receipt, with only one permitted extension of up to 30 additional calendar days if you provide the required written explanation and expected completion date within the initial 30-day period.
Form and format still apply
If the records are maintained electronically and the patient requests an electronic copy, HIPAA expects you to provide an electronic copy in the form and format requested if it is readily producible, or in an alternative readable electronic format that you and the patient agree to. That is why email often becomes the practical channel: it is a simple way to deliver PDFs or other readable electronic files.
Can the patient request unencrypted email?
Yes. HHS guidance is explicit that transmitting PHI by email generally does not present unacceptable security risks to the covered entity’s systems, even though there can be security risks to PHI while in transit, including when an individual requests and accepts the risks of unencrypted email.
HHS also answers the downstream concern that usually stops clinics. If a patient requests that records be sent in an unsecure manner, such as unencrypted email, and the clinic warns the patient and the patient accepts the risk, the clinic is not responsible for a disclosure that occurs while the PHI is in transmission to the individual based on that request. That does not eliminate your obligation to apply reasonable safeguards in implementing the request, such as correctly entering the email address.
The practical compliance posture is that “patient requested unencrypted email” is not a verbal shrug. It is a documented preference. Your documentation does not need to be theatrical. It needs to show the patient was warned of the risks and still preferred that method.
When can a clinic refuse email delivery?
HIPAA does not require a clinic to accept a requested delivery method that introduces an unacceptable level of security risk to the PHI on the clinic’s systems. The classic example HHS gives is connecting an outside device directly to your systems, which may be unacceptable based on your Security Rule risk analysis. In those cases you are expected to offer an alternative method of providing electronic access.
Email is generally not treated that way. The “unacceptable risk” carve-out is aimed at protecting your internal environment, not at forcing patients into inconvenient delivery methods.
Scenario 2: You are emailing a patient about care, not fulfilling a formal records request
HIPAA also permits providers to communicate with patients by email about health issues and treatment, as long as you apply reasonable safeguards. HHS gives examples such as checking the email address for accuracy and taking precautions to avoid unintentional disclosures. HHS also states the Privacy Rule does not prohibit unencrypted email for treatment-related communications, but you should apply other safeguards to reasonably protect privacy, such as limiting the amount or type of information disclosed through unencrypted email, and ensuring compliance with Security Rule requirements where electronic PHI is involved.
This is where clinics often get sloppy. “Allowed” does not mean “anything goes.” If you are emailing treatment content routinely, that email thread becomes part of your PHI handling reality. It can end up on phones, laptops, backups, and mail servers. That is not a reason to avoid email entirely, but it is a reason to be disciplined about what you put into email and how you control access.
Reasonable safeguards in practice
HIPAA’s Privacy Rule requires appropriate administrative, technical, and physical safeguards to protect privacy, and it specifically requires covered entities to reasonably safeguard PHI from any intentional or unintentional use or disclosure that violates the Privacy Rule. HHS’s email FAQ gives practical examples, and the regulation is not subtle about the expectation that safeguards exist.
For email delivery of medical records or record excerpts, “reasonable safeguards” usually means designing for the most common failure modes:
Misaddressing the email is the biggest clinic-generated risk. If you do nothing else, you want a consistent verification step that prevents sending records to the wrong person’s inbox.
Over-disclosing is another common mistake. If you are sending records for a specific purpose and minimum necessary applies to the context, avoid defaulting to “send everything” unless it is justified. For right-of-access deliveries, you are providing what the patient requested, but you still want to avoid attaching unrelated third-party information that is not part of the patient’s designated record set or that is otherwise excluded.
Finally, avoid building processes that create barriers. Requiring patients to appear in person solely to request records, or forcing portal-only delivery when email is readily producible and requested, can create unnecessary friction and can lead to complaints.
Security Rule overlap: what HIPAA expects when records are emailed
When medical records are emailed, you are transmitting electronic PHI. The Security Rule requires technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. HIPAA does not mandate one specific technology in every case, but it does require that you implement measures based on your risk analysis, and it treats encryption and integrity controls as addressable implementation specifications under the transmission security standard.
This is why the best clinic posture is usually to offer a secure default option, such as portal delivery or encrypted email, while still honoring a patient’s request for unencrypted email under the right of access when the patient is warned and accepts the risk. That approach respects both patient autonomy under the access right and your obligation to manage security risk on your systems.
Confidential communications requests can change the channel
HIPAA gives individuals the right to request communications of PHI by alternative means or at alternative locations, and providers must accommodate reasonable requests. This comes up often in email contexts. Some patients want email instead of postcards. Others do not want email at all and prefer mail, phone, or a portal. If the request is reasonable, you are expected to accommodate it.
Operationally, this is not complicated if you track it. It becomes complicated only when patient preferences live in memory rather than in a system.
Patients can also direct you to email records to a third party
HIPAA allows an individual to direct a covered entity to transmit PHI directly to another person or entity designated by the individual. The request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. HHS guidance notes you may accept an electronic copy of a signed request and may accept an electronically executed request with an electronic signature.
Clinics should treat these as right-of-access requests with a destination field, not as random third-party disclosures. The same basic access expectations around timeliness and form and format still apply.
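The checks this article describes (the 30-day clock with its single extension, address verification before sending, a documented warning and acceptance before unencrypted email, and a written, signed direction for third-party delivery) can be enforced in a small gate such as the following. This is an added illustration, not code from the article, HHS or any product; the `AccessRequest` model and its field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed data model for one right-of-access request (assumed, not from HHS).
@dataclass
class AccessRequest:
    received: str                      # ISO date the request arrived, e.g. "2024-03-01"
    confirmed_destination: str         # address confirmed by the patient or named in a signed direction
    outgoing_address: str              # address actually typed into the outgoing message
    method: str                        # "encrypted_email" | "unencrypted_email" | "portal"
    warned_of_risk: bool = False       # patient was told unencrypted email can be read in transit
    accepted_risk: bool = False        # patient still chose unencrypted email
    third_party: Optional[str] = None  # designated recipient when directing records elsewhere
    written_signed: bool = False       # third-party direction is in writing and signed
    extension_sent: Optional[str] = None  # ISO date the written extension notice went out

def deadlines(req: AccessRequest) -> tuple[str, Optional[str]]:
    """Initial deadline (30 calendar days from receipt) and, only if the written
    extension notice went out inside that window, the single extended deadline
    (at most 30 more days). A late notice earns no extension."""
    received = date.fromisoformat(req.received)
    initial = received + timedelta(days=30)
    if req.extension_sent and date.fromisoformat(req.extension_sent) <= initial:
        return initial.isoformat(), (initial + timedelta(days=30)).isoformat()
    return initial.isoformat(), None

def delivery_check(req: AccessRequest) -> list[str]:
    """Reasons the records must not go out yet; an empty list means clear to send."""
    problems: list[str] = []
    if req.method not in ("encrypted_email", "unencrypted_email", "portal"):
        problems.append("unknown delivery method")
    # Misaddressing is the most common clinic-generated disclosure: require an exact
    # (case-insensitive) match with the confirmed address, so a lookalike is rejected.
    if req.method.endswith("email") and \
            req.outgoing_address.strip().lower() != req.confirmed_destination.strip().lower():
        problems.append("outgoing address does not match the confirmed destination")
    # Unencrypted email is permitted only as a documented patient choice after a warning.
    if req.method == "unencrypted_email" and not (req.warned_of_risk and req.accepted_risk):
        problems.append("unencrypted email needs a documented warning and acceptance")
    # Third-party direction must be written, signed, and clearly name the recipient.
    if req.third_party is not None and not (req.written_signed and req.third_party.strip()):
        problems.append("third-party direction must be written, signed and name the recipient")
    return problems
```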
Practical takeaway
Emailing medical records to patients is permissible under HIPAA when done correctly. Under the right of access, patients generally have the right to receive records by email if readily producible, including by unencrypted email if they request it and accept the risks after being warned. Outside of formal access requests, providers may email patients about care if they apply reasonable safeguards and comply with Security Rule expectations for protecting ePHI in transmission.
If your clinic is handling these requests through scattered inboxes and ad hoc steps, you will eventually misaddress an email or miss a deadline. Tools exist to track access requests, delivery preferences, documentation of warnings and patient choices, and deadline management. That is where a platform like Timber can provide real operational value without changing any legal requirements.
Sources
HHS OCR, Individuals’ Right under HIPAA to Access their Health Information (form and format, mail and email as readily producible, unencrypted email risk acceptance, timeliness).
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
HHS OCR FAQ 570, Email communications with patients (reasonable safeguards, unencrypted email not prohibited for treatment-related communications, Security Rule reminder, confidential communications).
https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html
45 CFR § 164.524, Right of access (timeliness, form and format, individual-directed transmission to third party).
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
HHS OCR FAQ 2060, Unsecure mode of transmission requested by the individual and unacceptable risk to systems concept.
https://www.hhs.gov/hipaa/for-professionals/faq/2060/do-individuals-have-the-right-under-hipaa-to-have/index.html
HHS OCR FAQ 2061, Not responsible for interception in transit when individual requested unsecure transmission and was warned and accepted the risk.
https://www.hhs.gov/hipaa/for-professionals/faq/2061/is-a-covered-entity-responsible-if-it-complies/index.html
HHS OCR FAQ 2036, Directing PHI to a third party (written, signed, clear recipient and destination).
https://www.hhs.gov/hipaa/for-professionals/faq/2036/can-an-individual-through-the-hipaa-right/index.html
45 CFR § 164.530(c), Privacy Rule safeguards standard.
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
45 CFR § 164.522(b), Confidential communications request requirement.
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.522
45 CFR § 164.312(e)(1), Security Rule transmission security standard (encryption and integrity controls are addressable implementation specifications).
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312