The world we live in necessitates information be communicated in a quick and easy manner. This remains true in the healthcare setting. The ability to text or email staff and patients has become a priority for many healthcare entities. However, maintaining patient privacy and confidentiality is essential to ensure we meet compliance standards. Although emailing and texting are convenient, these communication methods have inherent pitfalls. Implementing email and text solutions in the healthcare setting is a complex issue and several factors must be addressed.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates implement certain safeguards when emailing or texting electronic protected health information (ePHI) to patients or others. Enacted in 1996, HIPAA has rules regarding the use and disclosure of protected health information (PHI) to ensure it remains private. The HIPAA Privacy Rule defines PHI as individually identifiable information transmitted or maintained in any form or medium whether electronic, on paper or oral by a covered entity or a business associate. HIPAA regulates:
- How and when to disclose PHI;
- Ways providers and health plans must protect PHI; and
- Patient rights to access their own information.
The HIPAA Privacy Rule not only allows, but requires covered entities to communicate with patients via email or text if requested by the patient (see 45 CFR 164.522[b]). Patients are allowed to send providers and their practices any PHI they would like via email or text. The information is the patient’s, and they have the right to do with it and request information as they please. However, the Privacy Rule requires covered entities implement appropriate safeguards when emailing or texting ePHI to patients.
The U.S. Department of Education’s Office for Civil Rights (OCR) explains:
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 CFR 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.1
The Privacy Rule requires covered entities and their business associates to “implement technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic communications network” (45 CFR 164.312[e]). Encryption is an addressable implementation standard, meaning the covered entity or business associate must encrypt the ePHI if it determines doing so is “reasonable and appropriate.” If not, the covered entity or business associate must 1) document why it would not be reasonable and appropriate to encrypt the data, and 2) implement an equivalent alternative measure if reasonable and appropriate.
Receiving & Communicating PHI via Text Message or Email
When it comes to emails and texts, the rules differ for covered entities or business associates to patients from those from the patient. Remember, the Security Rule does not apply to the patient. A patient may send their health information by whatever means they choose. That health information becomes protected by the HIPAA rules once the covered entity or their business associate receives it. To communicate ePHI with patients via email or text, the covered entity or business associate must make sure the transmission is secure or caution the patient before moving forward.
For example, a patient texts or emails the provider a question (or a picture) about a health issue they are facing. Because the security rule does not apply to them, this is acceptable. Responding to the patient is not quite that easy for the practice. If the provider would like to enter into a conversation about the patient’s health concern, they must comply with the security rule going forward. The provider is not allowed to forward any of the information or continue an electronic conversation about PHI via an unsecured method.
If the provider feels the patient may not be aware of the risks of using unencrypted email or text or has concerns about potential liability, the provider can alert the patient of those risks and let the patient decide whether to continue with electronic communications.
Hi John. It looks like you’d like to discuss your health in a little more detail. Email (or text) is not a secure way to do that. Do you still want to carry on a conversation?
Once the patient gives permission, the provider can continue the conversation without concern of violation. HIPAA requires providers make patients aware of the risk of communicating their PHI via an unsecured channel and to obtain their consent prior to doing so. If the patient is not comfortable discussing their PHI over text or email due to security risks, then the conversation should be moved to a secure method, such as a phone call, a secure patient portal or an in-office visit.
Remember, a covered entity’s obligation is to make patients aware of unsecured communications and to receive authorization before discussing PHI on an unsecured channel.
Can you use texting to communicate health information, even if it is to another provider or professional?
It depends; text messages are generally not secure due to lack of encryption, and there is no certainty the message is received by the intended recipient. Wireless carriers tend to store text messages.
The best safeguard is for covered entities to implement a third-party solution that incorporates measures to establish a secure communication platform that allows texting on approved mobile devices. There is no message accountability with short message service (SMS) or instant messaging (IM); anyone can pick up someone’s mobile device and use it to send a message—or edit a received message before forwarding it on.
For these reasons (and many more), communicating PHI by standard, unencrypted, unmonitored and uncontrolled SMS or IM is texting in violation of HIPAA.
Covered entities are not expected to educate patients on encryption technology and information security. Rather, they must notify patients of the risk that information in a text or email could be read by a third party. If they’re notified of the risks and still prefer unencrypted email, the individual has the right to receive PHI in that way, and covered entities are not responsible for unauthorized access of PHI while in transmission based on the patient’s request.
The Cost for HIPAA Violation
With an estimated 80% of medical professionals now using personal mobile devices, a considerable risk exists that PHI may be accessed by unauthorized personnel. Most messaging apps on mobile devices have no login or logout requirements, and if a mobile device is lost or stolen, messages containing PHI could be released into the public domain.
Rheumatologists must implement safeguards against any HIPAA violation. The fines for a breach can be considerable. The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time of the HIPAA violation. Fines for HIPAA violations can range from $100 per day or per record to $50,000 per day or per record, with a maximum penalty of $1.5 million per year for each violation.
Healthcare organizations that turn a blind eye to texting in violation of HIPAA can also face civil charges from the patients whose data have been exposed if the breach results in identity theft or other fraud.
For questions or training on HIPAA (including an explanation and examples of the healthcare message exemption), contact the ACR Practice Management Department at firstname.lastname@example.org.
- OCR FAQ. Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients? Office for Civil Rights Headquarters, U.S. Department of Health & Human Services. 2008 Dec 15.