FAQ 482 Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?

Final

Issued by: Office for Civil Rights (OCR)

Answer:

Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.

For example:

  • A laboratory may fax, or communicate over the phone, a patient’s medical test results to a physician.
  • A physician may mail or fax a copy of a patient’s medical record to a specialist who intends to treat the patient.
  • A hospital may fax a patient’s health care instructions to a nursing home to which the patient is to be transferred.
  • A doctor may discuss a patient’s condition over the phone with an emergency room physician who is providing the patient with emergency care.
  • A doctor may orally discuss a patient’s treatment regimen with a nurse who will be involved in the patient’s care.
  • A physician may consult with another physician by e-mail about a patient’s condition.
  • A hospital may share an organ donor’s medical information with another hospital treating the organ recipient.

The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.

Date Created: 11/03/2003

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.