This is an excerpt from the guide, “Become a Text and Email Compliance Guru.”
It can be a scary world of compliance out there. We need to keep things private and confidential and secure. We see stories in the news and media about data breaches on nearly a daily basis. It’s important that we have regulations in place to keep patient information confidential.
Fortunately, you can be compliant with email and text, communicate with patients, and build a thriving practice. You simply need to understand how to communicate and still stay within the boundaries of the law.
Let’s dive into some of the most common regulations and how they apply to email and text.
HIPAA in a Nutshell
Enacted in 1996, HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA provides rules around uses and disclosures to keep protected health information (PHI) private. What is PHI?
The HIPAA Privacy Rule defines PHI as “individually identifiable information transmitted or maintained in any form or medium by a covered entity or a business associate.” Wow. That’s a mouthful.
- How and when to disclose PHI
- Ways you have to protect PHI
- Patient rights to access their own information
Receiving and Communicating PHI via Text Message or Email
Let’s say a patient texts or emails you a question (or a picture) about a health issue they are facing. Now what?
Patients are allowed to send you any PHI that they want. That is their information and they have the right to do with it as they please.
Things are not quite so easy for the practice. If you would like to enter into a conversation about a patient’s health, you need to make sure you are covered. You are not allowed to forward that information or continue an electronic conversation about PHI in an unsecured way.
The best thing to do in a situation like this is to reply with a message requesting the patient’s consent to discuss their PHI.
“Hi John. It looks like you’d like to discuss your health in a little more detail. Email (or text) is not a secure way to do that. Do you still want to carry on a conversation?”
Once the patient gives you permission, you are then allowed to continue the conversation without concern about a violation.
HIPAA requires you to make patients aware of the risk of communicating their PHI via an unsecured channel and to obtain their consent prior to doing so.
If the patient is not comfortable discussing their PHI over text or email, you should move the conversation to a secure method such as a phone call, secure patient portal, or in-office visit.
Remember—your obligation is to make patients aware of unsecured communication and to receive authorization before discussing PHI on an unsecured channel.
Disclaimer: The information conveyed in this blog post is for informational purposes only. It is not to be considered legal advice. If you require legal advice, you are encouraged to seek the counsel of a licensed attorney.