HIPAA Rules on E-Mailing X-Rays

Emailing X-rays has the same regulations as all other medical records.

HIPAA (Health Insurance Portability and Accountability Act) regulations protect the medical records of patients when they are sent from one party to another. Medical records include any information about the medical history of a patient or the patient's family, as well as exam and test results. These results include X-rays. HIPAA has certain policies that govern how X-rays may be sent using email.


According to HIPAA statutes, it is legal to email an X-ray, although all X-rays must be encrypted or be sent through a secure portal. Also, all emails sent with X-rays attached must be authorized or allowed under the current HIPAA regulations. This means that providers may send X-rays to insurance agencies, insurance billing companies or other doctors. If a patient authorizes the sending of X-rays via unprotected or unencrypted email, or to a person outside of those listed above, the email is HIPAA compliant.

Types of Encryption

The two major types of email encryption that can be used for emailing X-rays are S/MIME and PGP. S/MIME uses certificates of authority, which authorize the sending of emails between two computers. The advantage of this type of encryption is that most mail clients use it; the disadvantage is that you have to authorize a computer to send or receive encrypted emails.

The second type of email encryption is PGP, which does not use certificates for encryption but instead creates encryption keys itself. PGP is free, whereas S/MIME often costs money.


There are penalties for violating HIPAA standards by sending emailed X-rays over networks that are not secure or to persons who are not authorized to receive the X-rays. The most common violations involving emailed X-rays occur when an unauthorized person accesses the X-rays, whether because the X-rays were not encrypted, because they were sent to the wrong email address, or because the computer on which the X-rays were stored was accessed by an unauthorized person. The penalty for this violation can be up to $50,000, usually depending on the amount of damage incurred because of the violation. Any purposeful emailing of X-rays to an unauthorized person or over an unencrypted network could result in incarceration.
