The Facts about HIPAA and Email/SMS Communication with Patients
As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased as much as the confusion has.
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.
On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
The Encryption Issue: Do I need to send encrypted emails to my patients?
Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic patient health information (ePHI).
The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.
While a covered entity can encrypt its own end of the email transport, it is difficult to guarantee the security of a message once it leaves the organization’s server. Fully encrypted email communication would require the patient to use an email service that supports HIPAA-level encryption. The Privacy Rule recognizes this and grants individuals the right to receive ePHI in the format they request, which can include unencrypted email. The issue of encryption is becoming less of a concern as email services such as Google and Yahoo! implement stricter security policies.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.
Applying HIPAA to your email protocol
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
| EHR-Bundled Patient Portals | Bridge Patient Portal |
| --- | --- |
| Struggle with managing multiple EHR/RCM products and delivering adequate support on these products. | Vendors such as Allscripts have accumulated multiple products over the years through acquisition of vendors, including Eclipsys and Misys. The FollowMyHealth® patient portal was one of these products, acquired from Jardogs. Bridge is solely focused on the patient engagement space, making it easier to provide high-quality support and ongoing maintenance/enhancements. |
| Lack of control over the information sent to the patient portal, including sensitive lab results, incomplete progress notes, or age-restricted information. | Bridge has a robust API and proprietary CCDA parser that allows providers to completely control the information that patients can see in the portal. |
| Allscripts is predominantly used in outpatient environments. When it is used in an integrated delivery network (IDN) environment with inpatient facilities, it is typically not the only EHR, and the health organization is challenged with providing a single patient portal solution for all of its customers. | In multi-health-system environments, Allscripts is frequently used alongside other systems. Bridge offers a vendor-neutral patient portal with the ability to serve data from multiple, disparate sources (including multiple EHR or RCM solutions). |
| No mobile app, or the app is branded to the EHR company (i.e. Epic MyChart® or FollowMyHealth®). | Bridge has developed an unparalleled mobile app that is branded to the client and made available in the Apple Store and Google Play store under the client’s name and brand at Universe. |
| Patients are unable to register for the patient portal without the assistance of office staff. | Bridge supports patient self-registration by requiring patients to answer challenge questions or to use a PIN number provided to them by the practice. |
| Intake forms don’t populate in the EHR. | EHRs generally have a hard time receiving patient-entered health history data. Bridge is able to deposit intake form information into discrete data fields in the EHR, so long as the EHR supports this functionality. |
Additional Best Practices
- Include a disclaimer regarding patient privacy in all communication.
Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
- Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
- Educate patients. Encourage them to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns. It is also best practice to force password changes every 6 months.
- Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.
The most important thing to know in applying HIPAA law
In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS) to enhance the patient experience.
To learn more about HIPAA and healthcare applications, please see our three-part article series:
- HIPAA and Healthcare Applications, Part 1 of 3: What You Need to Know About User Authentication
- HIPAA and Healthcare Applications, Part 2 of 3: What You Need to Know About Auditing
- HIPAA and Healthcare Applications, Part 3 of 3: What You Need to Know About Data Transfer
This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS).