PDF for medical records — HIPAA basics and best tools
By ScoutMyTool Editorial Team · Last updated: 2026-05-20
Medical record PDFs sit at the intersection of two demanding worlds: HIPAA requires specific technical controls on PHI; practical office workflows want simple, fast tools. The mismatch is what produces routine HIPAA violations — staff send unencrypted patient records through standard email, upload PHI to free online PDF tools, store records in non-audited folders. This article maps the HIPAA controls that apply to PDF workflows, the tools that satisfy each, and the patterns that work for small practices without requiring an enterprise EHR investment.
This article is general information, not legal advice. Consult a qualified HIPAA compliance professional for your specific situation.
HIPAA controls → PDF implications
| HIPAA requirement | PDF implication | Practical control |
|---|---|---|
| Access control (164.312(a)) | Limit who can open PDFs containing PHI | AES-256 password protection + access-controlled storage |
| Encryption in transit / at rest | PHI in PDFs must be encrypted when stored or sent | Encrypted file storage; password-protected PDFs for transmission |
| Audit controls (164.312(b)) | Track who accessed PHI and when | Document-management system with access logs; avoid email-only distribution |
| Integrity (164.312(c)) | Prevent unauthorised modification of PHI | Digital signatures; flatten PDFs; restrict editing via owner password |
| Person authentication (164.312(d)) | Confirm recipient is authorised before access | MFA on the storage system; out-of-band password sharing |
| Transmission security (164.312(e)) | PHI in transit must be encrypted | TLS / secure file transfer; no plain-email attachments with PHI |
Step by step — share a medical record securely
- Verify the recipient's authorisation to receive the record (patient release form, business associate relationship, or court order) and document that basis.
- Redact unnecessary PHI from the share copy: other patients' information and billing details not relevant to the share. Use destructive redaction, not a cover box.
- Encrypt the PDF with an AES-256 password, using Protect PDF (client-side) or a local desktop tool.
- Send via a HIPAA-compliant channel: patient portal, secure email with a BAA, or a password-protected PDF with the password sent separately by SMS.
- Log the disclosure per HIPAA accounting requirements: recipient, date, files, channel, and lawful basis. Retain the log for at least 6 years.
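The two steps most often skipped in practice are checking that the file really is AES-256 encrypted before it leaves, and writing the disclosure entry with the 6-year retention date attached. The script below is an added example (not ScoutMyTool's own code) that does both with the Python standard library: it reads the PDF's standard security handler dictionary (the /V and /R values defined in ISO 32000 distinguish AES-256 from AES-128 and RC4), refuses to log a share of anything weaker than AES-256, and appends a JSON-lines accounting entry keyed to the SHA-256 of the exact bytes sent. The policy constants, function names and the minimal PDF byte strings are all constructed for the demo; the /O and /U entries are placeholders, not key material.

```python
import hashlib
import json
import re
from datetime import date

# Hypothetical policy constants for this example, matching the article's table and step 5.
REQUIRED_ALGORITHM = "AES-256"
RETENTION_YEARS = 6


def encryption_algorithm(pdf_bytes: bytes) -> str:
    """Classify the PDF's standard security handler: 'AES-256', 'AES-128', 'RC4',
    'none' (no /Encrypt) or 'unknown' (/Encrypt referenced but dictionary not found).
    Mapping per ISO 32000: V>=5 is AES-256; V 4 with /CFM /AESV2 is AES-128;
    V 1/2 (and V 4 with /CFM /V2) is RC4."""
    if b"/Encrypt" not in pdf_bytes:
        return "none"
    for obj in re.finditer(rb"\d+\s+\d+\s+obj(.*?)endobj", pdf_bytes, re.S):
        body = obj.group(1)
        if not re.search(rb"/Filter\s*/Standard", body):
            continue
        v = re.search(rb"/V\s+(\d+)", body)
        version = int(v.group(1)) if v else 0
        cfm = re.search(rb"/CFM\s*/(\w+)", body)
        if version >= 5:
            return "AES-256"
        if version == 4 and cfm and cfm.group(1) == b"AESV2":
            return "AES-128"
        return "RC4"
    return "unknown"


def retention_deadline(disclosed_on: date) -> date:
    """Disclosure date plus RETENTION_YEARS; 29 February falls back to the 28th."""
    try:
        return disclosed_on.replace(year=disclosed_on.year + RETENTION_YEARS)
    except ValueError:
        return disclosed_on.replace(year=disclosed_on.year + RETENTION_YEARS, day=28)


def record_disclosure(log: list, pdf_bytes: bytes, filename: str, recipient: str,
                      channel: str, lawful_basis: str, disclosed_on: str = "") -> dict:
    """Append one accounting-of-disclosures entry; refuse files not encrypted to policy."""
    algorithm = encryption_algorithm(pdf_bytes)
    if algorithm != REQUIRED_ALGORITHM:
        raise ValueError(f"{filename}: encryption is {algorithm}, policy requires {REQUIRED_ALGORITHM}")
    when = date.fromisoformat(disclosed_on) if disclosed_on else date.today()
    entry = {
        "disclosed_on": when.isoformat(),
        "recipient": recipient,
        "file": filename,
        "sha256": hashlib.sha256(pdf_bytes).hexdigest(),  # ties the entry to the exact bytes sent
        "channel": channel,
        "lawful_basis": lawful_basis,
        "retain_until": retention_deadline(when).isoformat(),
    }
    log.append(json.dumps(entry))  # one JSON object per line, append-only
    return entry


# Constructed minimal PDFs: only the parts the check reads are present.
UNENCRYPTED_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
RC4_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog >> endobj
2 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -1 /O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Encrypt 2 0 R >>
%%EOF
"""
AES128_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog >> endobj
2 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 /P -1
  /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
  /StmF /StdCF /StrF /StdCF /O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Encrypt 2 0 R >>
%%EOF
"""
AES256_PDF = b"""%PDF-2.0
1 0 obj << /Type /Catalog >> endobj
2 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -1
  /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
  /StmF /StdCF /StrF /StdCF /O <00> /U <00> /OE <00> /UE <00> /Perms <00> >> endobj
trailer << /Root 1 0 R /Encrypt 2 0 R >>
%%EOF
"""

if __name__ == "__main__":
    log = []
    for name, pdf in [("record_plain.pdf", UNENCRYPTED_PDF), ("record_aes256.pdf", AES256_PDF)]:
        try:
            entry = record_disclosure(log, pdf, name, "Dr. A. Example (referral)",
                                      "patient-portal", "signed patient release form", "2026-05-20")
            print("logged:", entry["file"], "retain until", entry["retain_until"])
        except ValueError as err:
            print("refused:", err)
```

The check reads the encryption dictionary only; it does not prove the password is strong or that the file opens, so it complements rather than replaces a test open in a viewer. Because the log line carries the hash of the bytes sent, a later question about which version of a record was disclosed can be answered by hashing the retained copy.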
Common HIPAA-PDF mistakes
Four violations recur in small-practice audits. First, sending PHI as email attachments without password protection or a secure-email service: convenient, but a clear breach. Second, using free online PDF tools without a BAA, which uploads PHI to the vendor's servers. Third, rectangle redactions that leave the underlying text in the file: treat a redaction as leaking until you have verified that it is destructive. Fourth, retaining PHI PDFs longer than necessary; the HIPAA minimum-necessary principle requires retention only as long as needed for the documented purpose. All four are preventable with policy and tool choice, and the audit is what surfaces them in practice. A quarterly audit that catches one violation pattern and fixes it across the practice produces meaningful compliance improvement without ever requiring a full incident-response exercise.
For practices without dedicated compliance staff, a written PDF-handling policy (one to two pages) covering these four risks is the foundational document. Update it annually, train staff at hire and quarterly, and audit a sample of outbound PDFs quarterly to catch process drift. This discipline scales down to small practices without enterprise tooling and is what regulators expect to see during routine compliance reviews.
Business Associate Agreements for PDF tools
HIPAA requires a Business Associate Agreement (BAA) with any third party that handles PHI on the covered entity's behalf. For PDF workflows, this typically means: the email platform (Gmail Workspace, Microsoft 365 with Healthcare add-on), the storage platform (Dropbox Business, Box, Google Workspace Healthcare), and any PDF tool the file passes through. Free or personal-tier services generally do not offer BAAs; the business and enterprise tiers of major vendors do. Confirm BAA status in writing before using a service for PHI; verbal assurances are not sufficient under audit. Maintain a BAA inventory listing each vendor, BAA date, contact, and renewal schedule.
Related reading
- PDF security audit: technical controls for sensitive PDFs.
- PDF redaction guide: destructive redaction for PHI.
- Share PDFs securely: password + expiry patterns.
- GDPR and PDFs: EU equivalent privacy framework.
- Password-protect a PDF: AES-256 in 30 seconds.
FAQ
- Can I email a PDF containing patient health information to a colleague?
- Only if the email channel is HIPAA-compliant or the PDF is encrypted with a password shared out-of-band. Standard email (Gmail, Outlook personal) is generally not HIPAA-compliant: it is transmitted over TLS, but the vendor's systems handle the bytes and the at-rest encryption guarantees are weaker than HIPAA requires. There are two acceptable patterns. First, encrypted email (Microsoft Purview, Virtru, Paubox) provides HIPAA-compliant transmission under a signed Business Associate Agreement (BAA). Second, a password-protected PDF (AES-256) sent via standard email with the password delivered by a separate channel (SMS, phone); the password protects the file even if the email itself is intercepted. Document your choice in the organisation's HIPAA policy.
- Are free online PDF tools HIPAA-compliant?
- Server-side tools (Smallpdf, iLovePDF, Adobe Acrobat online) require a Business Associate Agreement with the vendor to be HIPAA-compliant — without one, uploading PHI to them is a HIPAA violation regardless of how the file is processed. Some vendors offer BAA on paid enterprise tiers; free tiers generally do not. Client-side tools (ScoutMyTool, Apple Preview desktop, Adobe Acrobat Pro desktop) process the file locally — the file never transmits to a third-party server, so no BAA is required. For routine PHI workflows, default to client-side tools or vendor relationships with signed BAAs. Confirm BAA status before any new tool joins your workflow.
- How do I redact PHI from a record before sharing with non-covered parties?
- Use destructive redaction (not a rectangle annotation). HIPAA Safe Harbor (45 CFR 164.514) lists 18 identifiers that must be removed for a record to be considered de-identified: name, address, dates more specific than year, phone, email, SSN, MRN, account numbers, photographs, biometric identifiers, full-face photographs, and others. Use ScoutMyTool Redact PDF or Acrobat Pro Redact to destructively remove each identifier. Verify after applying: try to select and copy text in the redacted region; you should get only the redaction box, not the original characters. For research or quality-improvement workflows that require de-identified records, document the de-identification process so the file is defensibly de-identified.
- What about audit logs — how do I track PDF access?
- Pure local PDF storage (folders on a network share) typically has weak audit trails; OS file-open events are not always logged or retained. For HIPAA-grade audit, use a document management system (Microsoft SharePoint, Box, OneDrive Business with audit) that logs each open, download, share, and edit per file per user. Audit log retention should match the HIPAA requirement (6 years minimum for most documentation). The pattern is audit on the system of record: store PHI PDFs only in audited systems, and delete transient copies on local machines after use.
- How do I share a PDF medical record with a patient who has the legal right of access?
- HIPAA Section 164.524 gives patients the right to access their PHI within 30 days. Standard patient-portal workflows handle this via the patient logging into the practice's portal and downloading their records. For practices without a patient portal, secure email (Paubox or similar with BAA) is acceptable; standard email with a password-protected PDF and password sent by SMS is a practical workaround for occasional needs. Either way, document the access request and the response in the patient's record per HIPAA documentation requirements.
Citations
- HIPAA Security Rule, 45 CFR § 164.310–164.318 — Technical safeguards.
- HIPAA Privacy Rule, 45 CFR § 164.500–164.534 — Privacy of PHI.
- HHS — HIPAA Safe Harbor identifiers list (45 CFR 164.514).
- NIST Special Publication 800-66 — Implementing HIPAA Security Rule.
- HHS — Business Associate Agreement requirements.
Client-side PDF tools for PHI handling
ScoutMyTool runs entirely in your browser tab — no upload of PHI. Redact, protect, merge medical records without involving a third-party server.