The Facts about HIPAA and Email/SMS Communication with Patients


As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have increased as much as the confusion has.

HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.

On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

As patient engagement strategists, Bridge Patient Portal fully supports electronic communication to improve patient care, assuming the right precautions are taken.

The Encryption Issue: Do I need to send encrypted emails to my patients?

Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic patient health information (ePHI).

The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.

While a covered entity can encrypt its end of the email transport, it’s difficult to ensure the security of the email once it leaves the organization’s server. In order for completely encrypted email communication to be achieved, the patient would need to use an email service that supports HIPAA-level encryption. The Privacy Rule recognizes this, and grants individuals access to ePHI in the format that they wish to receive it, i.e. unencrypted email. Nowadays, the issue of encryption is becoming less and less of a concern as email services such as Google and Yahoo! are implementing stricter security policies every day.

The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.

Applying HIPAA to your email protocol

Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:

HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.

Practical advice: Double-check and triple-check to be positively sure that the email address or phone number is correct before sending. Implement a system to help ensure that the information you receive from the patient is authentic and verified in the first place.

HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.

Practical advice: Do not use the patient’s name, initials, or medical record number in the subject line of an email. Also, do not use direct patient identifiers in the message content. This includes:

1. Names
2. All geographical subdivisions smaller than a state – including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates. Except for year, all elements of dates directly related to an individual – including birth date, admission date, discharge date, date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
HIPAA Standard 164.306(b), continued. Practical advice: Limit the amount of personal health record information you include in electronic communication. Don’t include any highly sensitive information, defined as:

1. Mental Illness or Developmental Disability
2. HIV/AIDS Testing or Treatment
3. Communicable Diseases
4. Venereal Disease(s)
5. Substance (i.e., alcohol or drug) Abuse
6. Abuse of an Adult with a Disability
7. Sexual Assault
8. Child Abuse and Neglect
9. Genetic Testing
10. Artificial Insemination
11. Domestic Violence

Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.
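The subject-line and identifier rules above can be enforced before a message ever leaves the practice. The following Python pre-send check is an added example, not code from this article or from Bridge Patient Portal: it flags the patient's name, initials or medical record number in the subject, pattern-shaped identifiers (SSN, phone, email, IP address, URL, full date) and the highly sensitive categories in the body, with an allowlist so the practice's own portal link and office number in the signature are not treated as patient identifiers. The Patient record shape, the regular expressions, the keyword list and the sample messages are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Patient:
    """Minimal patient record (assumed shape for this example)."""
    first_name: str
    last_name: str
    mrn: str  # medical record number


# Direct identifiers from the list above that have a recognisable shape.
# Names and medical record numbers are matched against the patient record instead.
PATTERN_CHECKS = [
    ("Social Security number", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("phone/fax number", re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)")),
    ("email address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IP address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"https?://[^\s<>\"']+")),
    ("full date", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
]

# Keywords for the highly sensitive categories listed above (assumed word list;
# matched on word boundaries so that "archive" does not trigger "hiv").
SENSITIVE_TERMS = (
    "mental illness", "developmental disability", "hiv", "aids",
    "communicable disease", "venereal", "substance abuse", "alcohol abuse",
    "drug abuse", "sexual assault", "child abuse", "neglect", "genetic test",
    "artificial insemination", "domestic violence",
)

Finding = Tuple[str, str, str]  # (location, rule, matched text)


def _allowlisted(text: str, allowlist: Iterable[str]) -> bool:
    """True if the match is one of the practice's own contact strings."""
    lowered = text.lower()
    return any(entry.lower() in lowered for entry in allowlist)


def check_message(patient: Patient, subject: str, body: str,
                  allowlist: Iterable[str] = ()) -> List[Finding]:
    """Return every rule violation in a draft; an empty list means nothing fired.

    `allowlist` holds the practice's own domain and phone numbers so that a
    portal link or office number in the signature is not flagged.
    """
    allowlist = tuple(allowlist)
    findings: List[Finding] = []

    # Subject line: no name, initials or medical record number.
    subject_rules = [
        ("patient first name in subject", rf"\b{re.escape(patient.first_name)}\b", re.I),
        ("patient last name in subject", rf"\b{re.escape(patient.last_name)}\b", re.I),
        ("MRN in subject", re.escape(patient.mrn), re.I),
    ]
    initials = patient.first_name[:1] + patient.last_name[:1]
    if len(initials) == 2:
        subject_rules.append(("patient initials in subject", rf"\b{re.escape(initials)}\b", 0))
    for rule, pattern, flags in subject_rules:
        match = re.search(pattern, subject, flags)
        if match:
            findings.append(("subject", rule, match.group()))

    # Body: identifiers by shape, then identifiers taken from the patient record.
    for rule, regex in PATTERN_CHECKS:
        for match in regex.finditer(body):
            if not _allowlisted(match.group(), allowlist):
                findings.append(("body", rule, match.group()))
    full_name = f"{patient.first_name} {patient.last_name}"
    for rule, value in (("patient full name in body", full_name), ("MRN in body", patient.mrn)):
        if value.lower() in body.lower():
            findings.append(("body", rule, value))

    # Highly sensitive categories are flagged even without an identifier in the
    # text, because the recipient address already points at a person.
    lowered_body = body.lower()
    for term in SENSITIVE_TERMS:
        if re.search(rf"\b{re.escape(term)}\b", lowered_body):
            findings.append(("body", "highly sensitive category", term))
    return findings


def safe_to_send(patient, subject, body, allowlist=()) -> bool:
    """Gate for the sending pipeline: True only when no rule fired."""
    return not check_message(patient, subject, body, allowlist)


if __name__ == "__main__":
    # Constructed sample data; the clinic, names and numbers are made up.
    patient = Patient("Jane", "Doe", "MRN-004512")
    practice = ("example-clinic.test", "(555) 010-1000")
    draft_body = ("Hi Jane Doe, your HIV test from 03/14/2024 is back. Reply to "
                  "nurse@example-clinic.test or call (555) 010-1000. Confirm your "
                  "SSN 123-45-6789 and home line 555-010-2222.")
    for finding in check_message(patient, "Jane Doe: MRN-004512 results", draft_body, practice):
        print(finding)
    # Rewritten draft: generic subject, portal link, no identifiers or diagnosis.
    ok_body = ("A new message is waiting for you in the patient portal: "
               "https://portal.example-clinic.test/login. Questions? Call (555) 010-1000.")
    print(safe_to_send(patient, "A message from Example Clinic", ok_body, practice))
```

The check is deliberately noisy rather than clever: a flagged draft goes back to a person for review, and the compliant pattern it pushes staff toward is the one the article recommends, a generic subject and a link into the portal instead of the clinical content itself.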

Additional Best Practices

  • Include a disclaimer regarding patient privacy in all communication.

Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

  • Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
  • Educate patients. Encourage them to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns. It is also best practice to force password changes every 6 months.
  • Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.

The most important thing to know in applying HIPAA law

In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS) to enhance the patient experience.

[1] http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/deident.html

To learn more about HIPAA and healthcare application please see our three-part article series:


This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS).


About 

Archer Lyle is Bridge Patient Portal's Chief Operations Officer. She specializes in patient engagement and electronic healthcare communications.

7 Comments

  • Zach P says:

    I’m a healthcare worker, and I had a quick clarifying question about the guidelines and rules described here:

    Regularly, I will send our New Patient forms out to patients by email in order to ease their ability to complete the forms prior to a first appointment. In this email, I never cite any patient information beyond their first name in order to personalize the message. Because the patient’s first name is in the email, do I have to encrypt this message just to send them a set of forms to complete prior to their appointment?

    • Blake Rodocker says:

      It is kind of a grey area: the form would imply the person is or will be a patient, plus including their name and email account (personally identifiable information) would make it traceable to a specific person, and that is considered PHI. I would suggest including a downloadable version of the forms on the website, and following 45 CFR 164.520 (C) (3) (i) specific to Notice of Privacy Practice.

      Regulation:
      45 CFR 164.520 (C) (3) (i) Specific requirements for electronic notice.
      (i) A covered entity that maintains a web site that provides information about the covered entity’s customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.

  • john says:

    I received a “postcard” notice (not enclosed in an envelope) about an upcoming procedure. On the bottom of the postcard HIGHLIGHTED IN YELLOW was the word “*Biopsy*”. Is this a violation of HIPAA?

    • Blake Rodocker says:

      If the postcard had your name on it or another identifying feature that could connect your identity to said biopsy, then yes I believe it would be a breach.

      • john says:

        Thank you. It was sent to me through the U.S. Mail so it had my name and address on it! I filed a complaint with the Office for Civil Rights as stated on the HHS website. Should I do anything more?

  • Chase says:

    I am seeing a new doctor and they ask that I send my medical records through e-mail. I use gmail, and they use a HIPAA compliant e-mail service called paulbox. I believe when they receive my e-mail it will be encrypted, but since I am using gmail, will my side be secure/encrypted?

    • Blake Rodocker says:

      Hi Chase, technically a personal Gmail account isn’t HIPAA compliant. That being said, if you are willing to send the message in that format, then the doctor receiving it to his email service is compliant under HIPAA law.
