Understanding how HIPAA Impacts Text and Email Communication

Posted on Jan 30, 2018 by Lori Boyer

This is an excerpt from the guide, “Become a Text and Email Compliance Guru.” To read the full guide, you can download it for free by clicking here.

It can be a scary world of compliance out there. We need to keep things private and confidential and secure. We see stories in the news and media about data breaches on nearly a daily basis. It’s important that we have regulations in place to keep patient information confidential.

Fortunately, you can be compliant with email and text, communicate with patients, and build a thriving practice. You simply need to understand how to communicate and still stay within the boundaries of the law. (If you want to learn more about our texting solution that comes with a HIPAA-consent tool, you can click here).

Let’s dive into some of the most common regulations and how they apply to email and text.

HIPAA in a Nutshell

Enacted in 1996, HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA provides rules around uses and disclosures to keep protected health information (PHI) private. What is PHI?

The HIPAA Privacy Rule defines PHI as “individually identifiable information transmitted or maintained in any form or medium by a covered entity or a business associate.” Wow. That’s a mouthful. 

HIPAA regulates:

  • How and when to disclose PHI
  • Ways you have to protect PHI
  • Patient rights to access their own information

Receiving and Communicating PHI via Text Message or Email

Let’s say a patient texts or emails you a question (or a picture) about a health issue they are facing. Now what?

Patients are allowed to send you any PHI that they want. That is their information and they have the right to do with it as they please.

Things are not quite so easy for the practice. If you would like to enter into a conversation about a patient’s health, you need to make sure you are covered. You are not allowed to forward that information or continue an electronic conversation about PHI in an unsecured way.

The best thing to do in a situation like this is to reply with a message requesting the patient’s consent to discuss their PHI.

EXAMPLE:

“Hi John. It looks like you’d like to discuss your health in a little more detail. Email (or text) is not a secure way to do that. Do you still want to carry on a conversation?”

Once the patient gives you permission, you are then allowed to continue the conversation without concern of violation.

HIPAA requires you to make patients aware of the risk of communicating their PHI via an unsecured channel and to obtain their consent prior to doing so.

If the patient is not comfortable discussing their PHI over text or email, you should move the conversation to a secure method such as a phone call, secure patient portal, or in-office visit.

Remember—your obligation is to make patients aware of unsecured communication and to receive authorization before discussing PHI on an unsecured channel.

To learn more about HIPAA (including an explanation and examples of the healthcare message exemption), the TCPA, CAN-SPAM, CASL, and more, read the full guide here: Read It Now

(You can also check out our webinar dedicated to text and email compliance here).

Disclaimer: The information conveyed in this blog post is for informational purposes only. It is not to be considered legal advice. If you require legal advice, you are encouraged to seek the counsel of a licensed attorney.

Lori Boyer

Lori Boyer has spent over a decade developing content and customer strategy for a wide variety of companies. She especially loves "walking a mile" in the shoes of her target audience. At Solutionreach we focus on relationships - building and maintaining them. She does the same. Lori Boyer is a lover of crisp fall mornings, a good book, and just about anything Beauty and the Beast related.
