What Are the Rules When it Comes to Email and SMS Communication with Patients?


Your patients have grown increasingly comfortable with texting and they expect their healthcare providers to also use this medium. Email is another tool that increases our ability to openly communicate with patients in a way that is convenient, effective, and expected. But HIPAA places some constraints on how we leverage these electronic communications. This blog will help you understand the rules for email and SMS patient communications to keep your organization from running afoul of the rules.

HIPAA Rules for Email and Text

The bad news for healthcare organizations is that ordinary SMS and email are not inherently HIPAA compliant. We were reminded of this again as telemedicine became normalized over the past year and a half. Appointments are commonly confirmed digitally in the telemedicine space, but healthcare providers should realize that commercial telemedicine applications may not fall under HIPAA compliance either.

Today, we see texting and email used for:

  • Invitations to telemedicine appointments.
  • Automated email patient reminders.
  • Patient payment request by email and text.
  • Notifications that a financial statement is ready to view.
  • Patient education that is personalized and confidential.
  • Patient intake forms are often sent by email today.
  • Summary notifications of new visits.
  • Recall reminders.
  • And more.

HIPAA does not address these channels by name. Most of these technologies became embedded in our daily routines well after the rules were written, so the rules speak in terms of general safeguards rather than specific technologies, and they could use some updating to keep pace with technology.

What does HIPAA say? Under the Privacy Rule, it “allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.” Two provisions of the Security Rule that apply here:

  • HIPAA Standard 164.312(d) requires healthcare organizations to “implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.”
  • HIPAA Standard 164.306(b) requires implementing “reasonable and appropriate security measures.”

Generally, there are three big issues with these forms of digital communication:

  1. Email and texting typically lack the access controls HIPAA expects. If a doctor texts a patient, nothing verifies who is holding the phone: the patient does not authenticate before reading the message, and a message sent to a mistyped number or a shared inbox is read by whoever has it.
  2. Basic email and SMS provide no audit controls. HIPAA requires mechanisms to record and examine activity in systems that hold ePHI, and a consumer messaging app keeps no usable record of who sent, received, or read a message.
  3. SMS is never encrypted end-to-end, and ordinary email is encrypted hop-by-hop at best. Encryption of ePHI in transit is an addressable specification under the Security Rule, so an organization that sends PHI over an unencrypted channel must document why that is reasonable and accept the risk that interception exposes PHI unnecessarily.

How can your organization remain compliant with HIPAA while communicating in these digital venues that your patients are so comfortable with? There are several things you can do:

  • Use a text or email vendor who is HIPAA compliant.
  • Establish workflows to double- and triple-check the phone number and email of your patients.
  • Create electronic opt-in texts and emails that require final verification from the patient that they agree to be contacted by SMS and email.
  • Do not use the patient’s medical record number or name in the subject line of the email.
  • Do not use patient’s social security number, address,
  • Do not include highly sensitive information in SMS or email. This includes HIV/AIDS or other testing results, mental illness details, genetic testing, sexual assault, and more.
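The opt-in, contact re-verification, and "nothing sensitive in the subject line or body" items above can be enforced in code before a message ever reaches the messaging vendor. The following Python is an added example, not code from this post or from UHC Solutions: it implements a double opt-in with a one-time code and constant-time comparison, requires staff to re-enter the phone number or email so a typo is caught, and then runs an outbound content check for patient name and MRN in a subject line, SSN-shaped strings, and a keyword list for the highly sensitive categories. The vendor transport, the code lifetime, the attempt limit, and the keyword list are all assumptions for illustration.

```python
"""Pre-send guard for patient email/SMS (added example, not the post's own code).
The transport callable stands in for a HIPAA-compliant messaging vendor's send
call and is assumed; so are the code lifetime, attempt limit and keyword list."""
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # opt-in code expires after ten minutes (assumed policy)
MAX_ATTEMPTS = 3             # discard the pending opt-in after three bad tries (assumed policy)

# Identifiers that must never appear in an email subject or in any message text.
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{5,10}\b", re.IGNORECASE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Categories the post says to keep out of SMS/email entirely (illustrative list).
SENSITIVE_TERMS = ("hiv", "aids", "mental health", "psychiatric", "genetic test", "sexual assault")


def normalize_contact(channel: str, contact: str) -> str:
    """Canonical form so the re-entered value compares exactly:
    digits only for SMS numbers, trimmed and lowercased for email."""
    if channel == "sms":
        return re.sub(r"\D", "", contact)
    return contact.strip().lower()


@dataclass
class PendingOptIn:
    contact: str
    code: str
    created: float
    attempts: int = 0


class ConsentRegistry:
    def __init__(self, transport):
        # transport(channel, contact, text): the vendor send call (assumed placeholder).
        self._transport = transport
        self._pending: dict[tuple[str, str], PendingOptIn] = {}
        self._confirmed: dict[tuple[str, str], str] = {}

    def start_opt_in(self, patient_id: str, channel: str, contact: str) -> None:
        """Send a one-time code to the contact on file. The message carries no PHI."""
        contact = normalize_contact(channel, contact)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(patient_id, channel)] = PendingOptIn(contact, code, time.time())
        self._transport(channel, contact,
                        f"Reply with code {code} to confirm you agree to receive "
                        f"{channel} messages from our office.")

    def confirm(self, patient_id: str, channel: str, contact_reentered: str, code: str) -> bool:
        """Second check: staff re-enter the contact and it must match what the code
        went to; the code must match (constant-time), be unexpired, and have tries left."""
        key = (patient_id, channel)
        pending = self._pending.get(key)
        if pending is None:
            return False
        pending.attempts += 1
        expired = time.time() - pending.created > CODE_TTL_SECONDS
        if pending.attempts > MAX_ATTEMPTS or expired:
            del self._pending[key]
            return False
        if normalize_contact(channel, contact_reentered) != pending.contact:
            return False
        if not hmac.compare_digest(pending.code, code):
            return False
        self._confirmed[key] = pending.contact
        del self._pending[key]
        return True

    def confirmed_contact(self, patient_id: str, channel: str):
        """The verified address for this patient/channel, or None if not opted in."""
        return self._confirmed.get((patient_id, channel))


def check_outbound(registry: ConsentRegistry, patient_id: str, patient_name: str,
                   channel: str, subject: str, body: str) -> list[str]:
    """Return policy violations for a message; an empty list means it may be sent."""
    problems = []
    if registry.confirmed_contact(patient_id, channel) is None:
        problems.append("no confirmed opt-in for this channel")
    if channel == "email":
        if patient_name.lower() in subject.lower():
            problems.append("patient name in subject line")
        if MRN_RE.search(subject):
            problems.append("medical record number in subject line")
    text = f"{subject}\n{body}"
    if SSN_RE.search(text):
        problems.append("social security number in message")
    for term in SENSITIVE_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", text, re.IGNORECASE):
            problems.append(f"highly sensitive content: {term!r}")
    return problems
```

The guard is deliberately a deny list of things the post names, so it will not catch every way PHI can leak into a message; it is a backstop for the workflow, not a substitute for choosing a compliant vendor and keeping sensitive results off these channels altogether.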

UHC Solutions works hard to stay on top of the latest rules affecting your practice. If you need an experienced partner to help you meet your hiring goals, our team can help.