A consultant asks you to forward your son's MRI report to a second-opinion clinic. The hospital portal email lands with the PDF attached, unencrypted. You hit forward. That email now sits in two inboxes, two cloud backups, and probably a spam filter's archive.
Medical records get the heaviest legal protection of any everyday document. Treat them accordingly.
The legal layer
In the US, HIPAA requires covered entities to encrypt PHI in transit and at rest. In the UK and EU, GDPR treats health data as a 'special category' requiring extra safeguards. In Australia, the Privacy Act and My Health Records Act impose similar duties.
None of these laws prescribe a specific cipher. All of them expect what regulators call 'appropriate technical measures'. AES-256 password protection on a PDF clears that bar; sending a raw PDF over plain email does not.
The practical workflow
Download the report from the hospital portal. Run it through Flint's password tool — processing happens in your browser, so the file isn't uploaded to anyone else. Set a strong passphrase.
Email the encrypted PDF to the receiving clinic. Send the password by a different channel — text or a phone call to a known number. Confirm receipt. Delete the unencrypted local copy when you're done.
When to redact
If only part of the record is relevant, redact what isn't. Less data shared means less exposure. For long files, delete pages that aren't needed rather than leaving them visible behind a password.
Don't rely on the recipient's diligence to look only at what's relevant. The principle of data minimisation is in every privacy law and is plain good practice.
FAQ
Does HIPAA require AES-256 specifically?
No. HIPAA references NIST guidance, which recommends FIPS 140-2 validated cryptography. AES-256 is well above that bar.
Is a hospital portal enough?
For storage and authorised access, yes. Once a file is downloaded and forwarded, the portal's protection is gone — you need encryption on the file itself.
Can I share medical records with family?
Within your own household, you decide. If you're acting as carer for someone else, follow whatever consent framework applies in your jurisdiction.
What happens if I forget the password?
The file is unrecoverable. Always store passwords in a manager when the content can't be re-downloaded.
Health records carry weight, both legal and personal. Encrypt them properly before any forwarding.