From the ADA News:
…the Health Insurance Portability and Accountability Act that requires covered dentists to use unsecure email to send information to a patient as long as the patient requested it be sent that way.
What this clarification does not say is that dentists can send patient PHI to colleagues via unsecured e-mail. Doctor to doctor communication about patients needs to be secure.
What is does say is that dentists can – in fact are required – to send PHI to patients if they request it. In other words if a patient wants a copy of their record and asks that it be sent via regular e-mail the office can do so without penalty.
Actually it goes even further than that. The office is “required” to send it. Patients do have a right to their own records according to the law. Some offices have been refusing to send these records citing HIPAA as the reason they will not send records. The clarifications says no that is not right, an office is obligated to send the records even if the patient request them in an insecure fashion.
For a no charge tech assessment and full HIPAA compliance package check out PCIHIPAA.