The Facts about HIPAA and Email/SMS Communication with Patients
As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased as much as the confusion has.
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.
On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
The Encryption Issue: Do I need to send encrypted emails to my patients?
Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic protected health information (ePHI).
The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.
While a covered entity can encrypt its end of the email transport, it is difficult to ensure the security of the email once it leaves the organization’s server. For completely encrypted email communication, the patient would need to use an email service that supports HIPAA-level encryption. The Privacy Rule recognizes this and grants individuals access to ePHI in the format in which they wish to receive it, including unencrypted email. Nowadays, encryption is becoming less of a concern as email services such as Google and Yahoo! implement stricter security policies every day.
The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.
Applying HIPAA to your email protocol
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
Practical advice: Double-check and triple-check to be positively sure that the email address or phone number is correct before sending. Implement a system to help ensure that the information you receive from the patient is authentic and verified in the first place.

HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.
Practical advice: Do not use the patient’s name, initials, or medical record number in the subject line of an email. Also, do not use direct patient identifiers in the message content. This includes:
1. Names
2. All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates. Except for year, all elements of dates directly related to an individual, including birth date, admission date, discharge date, and date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

Practical advice (continued): Limit the amount of personal health record information you include in electronic communication. Don’t include any highly sensitive information, defined as:
1. Mental Illness or Developmental Disability
2. HIV/AIDS Testing or Treatment
3. Communicable Diseases
4. Venereal Disease(s)
5. Substance (i.e., alcohol or drug) Abuse
6. Abuse of an Adult with a Disability
7. Sexual Assault
8. Child Abuse and Neglect
9. Genetic Testing
10. Artificial Insemination
11. Domestic Violence
Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.
Additional Best Practices
- Include a disclaimer regarding patient privacy in all communication.
Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
- Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
- Educate patients. Encourage them to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns. It is also best practice to force password changes every 6 months.
- Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.
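As an added example (not code from the original article), here is a pre-send gate in Python that applies the recommendations above: it checks that an opt-in record exists for the channel and that the recipient matches the address verified on file (164.312(d)), then screens the subject line and body for the regex-detectable entries of the identifier list. The contact record schema and sample values are constructed for the example; names and geography cannot be caught by a pattern and still need review.

```python
import re

# Constructed sample of the provider's contact records (hypothetical schema):
# the address the patient verified at enrollment and the channels they opted in to.
PATIENT_CONTACTS = {
    "pt-001": {"email": "jane@example.com", "sms": "+15555550100", "opt_in": {"email"}},
}

# Regex-detectable entries from the identifier list above. Names, geography and
# free-text sensitive topics need a dictionary or human review, not a pattern.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "age_over_89": re.compile(r"\b(?:9\d|1\d{2})[- ]?years?[- ]old\b|\bage[: ]+(?:9\d|1\d{2})\b", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:# ]*\w+", re.IGNORECASE),
}

def find_identifiers(text):
    """Names of identifier patterns that occur in text, sorted for stable output."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))

def check_outbound(patient_id, channel, recipient, subject, body):
    """Pre-send gate. Returns the reasons a message must be held; empty means OK."""
    problems = []
    record = PATIENT_CONTACTS.get(patient_id)
    if record is None:
        return ["no contact record for patient"]
    # The opt-in agreement must be on file for this channel ("email" or "sms").
    if channel not in record["opt_in"]:
        problems.append(f"no opt-in on file for {channel}")
    # 164.312(d): send only to the address the patient verified, never a retyped one.
    if recipient != record.get(channel):
        problems.append(f"recipient does not match verified {channel} on file")
    # Subject lines appear in previews and relay logs, so any identifier blocks the send.
    hits = find_identifiers(subject)
    if hits:
        problems.append("subject contains identifiers: " + ", ".join(hits))
    hits = find_identifiers(body)
    if hits:
        problems.append("body contains identifiers: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    print(check_outbound("pt-001", "email", "jane@example.co", "Jane Doe MRN 4471 results",
                         "Call 555-010-0123 about your 03/14/2024 visit."))
```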
The most important thing to know in applying HIPAA law
In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS) to enhance the patient experience.
To learn more about HIPAA and healthcare application please see our three-part article series:
- HIPAA and Healthcare Applications, Part 1 of 3: What You Need to Know About User Authentication
- HIPAA and Healthcare Applications, Part 2 of 3: What You Need to Know About Auditing
- HIPAA and Healthcare Applications, Part 3 of 3: What You Need to Know About Data Transfer
This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS).