The Facts about HIPAA and Email/SMS Communication with Patients
Updated on October 21, 2021.
Why secure patient-provider communication is required
Patients require open communication with their healthcare providers before and after their appointments, and with the rise of telehealth, SMS/email communication is even more prevalent. Nearly half[¹] of all people across demographics use a mobile application for checking their email. The problem, however, is that SMS and email are not, by nature, Health Insurance Portability and Accountability Act (HIPAA) compliant. It is hard to imagine that, in the modern healthcare market, healthcare providers would be barred from using SMS or email productively for patient communication. HIPAA law leaves gray areas, so it is important to understand the shortcomings of SMS and email and how they can be used safely.
The shortcomings of SMS and email
The primary text messaging (SMS) functionality available on all mobile phones, and ordinary email, are not “technically” HIPAA compliant, for three reasons:
- SMS/email lacks access controls: a patient does not need to enter a password before reading a text message or email, or at least the healthcare provider cannot ensure this.
- SMS/email lacks audit controls, which are necessary to record when Protected Health Information (PHI) is created, modified, accessed, shared, or deleted.
- SMS/email lacks the necessary encryption standards: standard SMS/email functionality does not prevent the interception of messages in transit or their extraction from the mobile carrier’s and/or email provider’s servers.
What are SMS and email messaging most commonly used for?
- Telemedicine / video visit invitations
- Automated patient appointment reminders and confirmations
- Patient payment requests
- Patient financial statement notifications
- Personalized patient education
- Patient forms and pre-visit intake notifications
- New visit summary notifications
- New patient-provider message notifications
- Patient care-gap and recall reminders
What does HIPAA say?
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to HIPAA compliant secure messaging. HIPAA states that the Privacy Rule “allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.”[²] Providers must ensure that messages are saved, searchable and encrypted so that records are always accessible while maintaining their security from third parties.
- HIPAA Standard 164.312(d) – Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
- HIPAA Standard 164.306(b) – Implement reasonable and appropriate security measures.
How to be HIPAA compliant?
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
| HIPAA Standard | Practical Advice |
|---|---|
| HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to electronic Protected Health Information (ePHI) are who they claim to be. | Double-check and triple-check to be sure that the email address or phone number is correct before sending. If automated messages are being sent, implement procedures for verifying contact information, ideally through an electronic opt-in or communications consent form. |
| HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. | Do not use the patient’s name, initials, or medical record number in the subject line of an email, and avoid using any of the patient identifiers listed below in the body of the email or SMS as well. Ensure that your opt-in and/or communications consent form mentions the identifiers that you’ll likely use in your email and SMS communication so that the patient has opted in to receive communication with such identifiers. |
| HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. (Continued) | Limit the amount of personal health record information you include in electronic communication that is likely to cause complaints. Don’t include any highly sensitive information (defined in the list below). Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible. |

Patient identifiers include:
2. All geographical subdivisions smaller than a state (The initial three digits of a zip code may be acceptable)
3. Dates, except for year
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voiceprints
17. Full face photographic images
18. Any other unique identifying number

Highly sensitive information is defined as:
- Mental Illness or Developmental Disability
- HIV/AIDS Testing or Treatment
- Substance (i.e., alcohol or drug) Abuse
- Abuse of an Adult with a Disability
- Child Abuse and Neglect

Patient identifiers to avoid when communicating with patients via email and SMS.
Patients ideally need to authenticate who they are before gaining access to PHI. So if you’re going to send PHI, it’s best to send a secure message via a patient portal or a secure HIPAA compliant email messaging service (where a login is required). Encourage patients to protect their devices with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns and force password changes every six months.
It’s always best practice to use the bare minimum of patient identifiers and other sensitive content in all messages you send to a patient. Seek documented patient consent before contacting patients by HIPAA compliant email messaging or SMS, inform them of any privacy issues, and keep a record of this acceptance. This is commonly referred to as an “opt-in agreement.” Include a disclaimer regarding patient privacy in all communication; when sending an SMS (where limited characters are available), be sure patients have already opted in to receive HIPAA compliant SMS messaging.
Sample Disclaimer: The information in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by replying to this email and destroy all copies of the original message.
Allow alternative options for communication upon patient request. Make these options visible in the email or SMS text message body. Give the patient the option to unsubscribe from email and/or SMS communication and respect any opt-out requests. If you have multiple patient engagement solutions that are sending out SMS and email communication to patients, you may need to manually update each system to reflect the patient’s updated communication preferences.
How to send HIPAA compliant email messaging
Any covered entity should be communicating ePHI using encryption technology. A covered entity can encrypt its end of the email transport, but it’s impossible to ensure the email’s security once it leaves the organization’s email server. To encrypt email communication completely, the patient would need to use a HIPAA compliant email messaging service or secure patient messaging software that supports HIPAA-level encryption. Therefore, it is recommended to send messages to patients that are retrieved in a patient portal or other password-protected secure messaging service.
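As an added example (not from the original article, and not Bridge’s code), the following Python gate applies the practices from the preceding sections and this one: it refuses to send unless the patient has opted in to that channel and has not opted out, it sends only a fixed, PHI-free “you have a new message in your portal” notification that points at the portal login rather than carrying the content, it scans the rendered subject and body for the identifier formats listed above (SSN, phone number, email address, date, medical record number) before anything leaves, and it records every attempt in an audit log. The consent records, patient ids, portal URL and templates are constructed placeholders, and the regexes cover U.S. formats only.

```python
"""Minimal-PHI notification gate: consent check, identifier scan, audit log.
Added illustration; consent records, ids, URL and templates are constructed."""
import re
from datetime import datetime, timezone

# Constructed consent records (hypothetical): channels each patient opted in to,
# and channels they have since opted out of.
CONSENTS = {
    "p-1001": {"opted_in": {"email", "sms"}, "opted_out": set()},
    "p-1002": {"opted_in": {"email"}, "opted_out": set()},
    "p-1003": {"opted_in": {"email", "sms"}, "opted_out": {"sms"}},
}

# Regexes for identifier formats the article says to keep out of message text.
# Coverage is deliberately narrow (U.S. formats); any match is a red flag.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),  # dates other than year
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d+\b", re.IGNORECASE),
}

# Fixed, PHI-free templates: the actual message stays behind the portal login.
# Each body makes the opt-out route visible, as the article recommends.
TEMPLATES = {
    "email": {
        "subject": "A new message is waiting in your patient portal",
        "body": ("You have a new message from your care team. Sign in to your "
                 "patient portal to read it: {portal_url}\n\n"
                 "To change how we contact you, or to stop these notifications, "
                 "update your communication preferences in the portal."),
    },
    "sms": {
        "subject": None,
        "body": "New message in your patient portal. Sign in: {portal_url} Reply STOP to opt out.",
    },
}

AUDIT_LOG = []  # one entry per send attempt: the audit control SMS/email lack


def find_identifiers(text):
    """Return the sorted list of identifier kinds found in text."""
    return sorted(kind for kind, pat in IDENTIFIER_PATTERNS.items() if pat.search(text or ""))


def consent_allows(patient_id, channel):
    """True only if the patient opted in to the channel and has not opted out."""
    rec = CONSENTS.get(patient_id)
    return bool(rec) and channel in rec["opted_in"] and channel not in rec["opted_out"]


def _audit(patient_id, channel, outcome, detail=""):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "patient": patient_id,
                      "channel": channel, "outcome": outcome, "detail": detail})


def build_notification(patient_id, channel, portal_url):
    """Gate one notification: consent first, then a scan of the rendered text.
    Returns (ok, payload) on success or (False, reason) on rejection."""
    if channel not in TEMPLATES:
        _audit(patient_id, channel, "rejected", "unknown channel")
        return False, "unknown channel"
    if not consent_allows(patient_id, channel):
        _audit(patient_id, channel, "rejected", "no consent for channel")
        return False, "no consent for channel"
    tpl = TEMPLATES[channel]
    body = tpl["body"].format(portal_url=portal_url)
    subject = tpl["subject"]
    # The portal login URL is the one link the notification needs; scan everything else.
    found = find_identifiers((subject or "") + "\n" + body.replace(portal_url, ""))
    if found:
        reason = "identifiers in text: " + ",".join(found)
        _audit(patient_id, channel, "rejected", reason)
        return False, reason
    if channel == "sms" and len(body) > 160:
        _audit(patient_id, channel, "rejected", "sms too long")
        return False, "sms too long"
    _audit(patient_id, channel, "sent", "generic portal notification")
    return True, {"to": patient_id, "channel": channel, "subject": subject, "body": body}


if __name__ == "__main__":
    url = "https://portal.example/login"  # constructed placeholder
    for pid, ch in [("p-1001", "sms"), ("p-1002", "sms"), ("p-1003", "sms"), ("p-1001", "email")]:
        print(pid, ch, build_notification(pid, ch, url))
    print(find_identifiers("Your results from 03/14/2021 are ready, MRN 44821"))
    for entry in AUDIT_LOG:
        print(entry)
```

The same `find_identifiers` check can be run over staff-composed messages before they are sent, and the audit log is what lets you answer later who was notified, on which channel, and why a send was refused.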
How to send HIPAA compliant SMS messaging
Covered entities can implement mobile applications to send HIPAA compliant SMS messaging; these aren’t strictly SMS-based messages, but they achieve the objective of delivering a message to a mobile device. A HIPAA compliant messaging app provides a private cloud and a secure, encrypted network with access controls and audit controls to satisfy the HIPAA requirements. Convenient control panels allow covered entities to offer role-based authorization and apply messaging policies. HIPAA compliant SMS messaging solutions don’t typically store messages on the device, so there’s a limited risk of unauthorized access. Apps installed on mobile devices require passwords to gain access, often for both the device and the app, which means extra security.
That being said, most healthcare providers send SMS messages to patients with limited PHI in them. SMS is considered a low-medium risk, in comparison to email, so it’s unlikely a healthcare provider would experience any problems by relying on SMS messaging as their primary communication method, so long as the right precautions are in place (which we mention in the sections above). SMS is extremely effective and the preferred communication method for patients, so it makes sense to develop a HIPAA-compliant policy for sending SMS messages.
In order to meet HIPAA standards, it’s critical that patients opt in to SMS services (or other messaging mediums). Without consent, messaging could become a HIPAA violation. Simply asking patients during in-person visits if they would like to receive SMS updates is a straightforward option, but adding online SMS chats to your website can be effective as well. Allowing patients to take the initiative and message their providers directly increases the likelihood of them booking an appointment[³] and therefore increases returns. However, providers should still be cautious in making sure their messages are going to the right person. Requesting basic patient credentials such as their date of birth can be used to prove their identity, but it’s also important to ask patients to keep their information up to date.
SMS as Patient Retention
A 5% increase in patient retention can increase revenue by 25%-95%[³], so it’s in the provider’s best interest to build loyalty. SMS enables patient engagement outside of in-person visits and appointments: text messages tend to be opened at a rate of 99% compared to 5% of calls or 15% of emails[³]. Sending out updates, infographics, or tips through messaging can go a long way – given the patient consents to such services, of course. This respect for patient communication preference builds trust, leading to better retention and potentially more referrals.
Use Bridge as your HIPAA compliant patient messaging solution
57%[⁴] of patients prefer to communicate with healthcare organizations through mobile apps. Bridge assists healthcare organizations in securely engaging with patients via a HIPAA compliant messaging mobile application. This software allows providers to message patients securely while respecting communication preferences, including SMS text, email, or mobile push notification, while maintaining HIPAA compliance. Bridge’s solution enables medical practices to securely send PHI-sensitive messages to patients’ inboxes in the patient portal app, with the patient receiving a HIPAA compliant notification via email, SMS, or phone push notification. As a 2015 ONC certified patient portal, Bridge offers completely secure HIPAA compliant messaging. Furthermore, all of this is accessible via a client-branded iOS and Android mobile app.
- Campaign Monitor (2019) Email Trends Report: Mobile vs. Desktop [online] Campaign Monitor. Available at: https://www.campaignmonitor.com/resources/guides/email-marketing-trends/
- Office for Civil Rights (2013). Does HIPAA permit health care providers to use e-mail to discuss with their patients. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html
- Ayre, J. (2021). Follow these 5 steps to Ensure HIPAA-compliance when texting patients. [online] MedCityNews. Available at: https://medcitynews.com/2021/08/follow-these-5-steps-to-ensure-hipaa-compliance-when-texting-patients/
- SOTI.net. (2019). U.S. Consumer Survey: Physicians Using Mobile Apps Seen as a Major Differentiator Amongst U.S. Patients. [online] SOTI.net. Available at: https://soti.net/resources/newsroom/2019/us-consumer-survey-physicians-using-mobile-apps-seen-as-a-major-differentiator-amongst-us-patients/