The Facts about HIPAA and Email/SMS Communication with Patients
- John Deutsch
- June 26, 2017
Updated on January 18, 2021.
Why secure patient-provider communication is required
Patients require open communication with their healthcare providers before and after their appointments, and with the rise of telehealth, SMS and email communication is even more prevalent. Patients are moving away from live telephone calls and prefer digital channels such as text messaging[¹] and email, which are among the most frequently used functions of a mobile phone. The problem, however, is that SMS and email are not, by nature, HIPAA compliant. It’s inconceivable that in the modern healthcare market, healthcare providers would not be allowed to use SMS or email productively for patient communication. HIPAA law is a gray area here; therefore, it’s important to explore the shortcomings of SMS and email and how they can safely be used.
The shortcomings of SMS and email
The basic text messaging (SMS) functionality available on all mobile phones, and ordinary email, are not “technically” HIPAA compliant, for three reasons:
- SMS/email lacks access controls: a patient does not need to enter a password before reading a text message or email, or at least the healthcare provider can’t ensure this.
- SMS/email lacks audit controls, which are necessary to record when Protected Health Information (PHI) is created, modified, accessed, shared, or deleted.
- SMS/email lacks the necessary encryption standards: standard SMS/email functionality does not prevent the interception of messages in transit or their extraction from the mobile carrier’s and/or email provider’s servers.
What are SMS and email messaging most commonly used for?
- Telemedicine / video visit invitations
- Automated patient appointment reminders and confirmations
- Patient payment requests
- Patient financial statement notifications
- Personalized patient education
- Patient forms and pre-visit intake notifications
- New visit summary notifications
- New patient-provider message notifications
- Patient care-gap and recall reminders
What does HIPAA say?
HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to HIPAA compliant secure messaging. HIPAA states that the Privacy Rule “allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.”
- HIPAA Standard 164.312(d) – Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
- HIPAA Standard 164.306(b) – Implement reasonable and appropriate security measures.
How to be HIPAA compliant?
Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:
|HIPAA Standard|Practical Advice|
|---|---|
|164.312(d): Implement procedures to verify that persons or entities seeking access to electronic Protected Health Information (ePHI) are who they claim to be.|Double-check and triple-check that the email address or phone number is correct before sending. If automated messages are being sent, implement procedures for verifying contact information, ideally through an electronic opt-in or communications consent form.|
|164.306(b): Implement reasonable and appropriate security measures.|Do not use the patient’s name, initials, or medical record number in the subject line of an email, and avoid using any of the patient identifiers listed below in the body of the email or SMS. Ensure that your opt-in and/or communications consent form mentions the identifiers you are likely to use in your email and SMS communication, so that the patient has opted in to receive communication containing them.|
|164.306(b) (continued)|Limit the amount of personal health record information you include in electronic communication, since it is the content most likely to cause complaints. Do not include any highly sensitive information, as defined below. Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.|
Patient identifiers include:
1. Names
2. All geographical subdivisions smaller than a state (the initial three digits of a ZIP code may be acceptable)
3. Dates, except for year
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images
18. Any other unique identifying number
Highly sensitive information is defined as:
- Mental illness or developmental disability
- HIV/AIDS testing or treatment
- Substance (i.e., alcohol or drug) abuse
- Abuse of an adult with a disability
- Child abuse and neglect
Patient identifiers to avoid when communicating with patients via email and SMS.
Patients “ideally” need to authenticate who they are before gaining access to PHI. So if you’re going to send PHI, it’s best to send a secure message via a patient portal or a secure HIPAA compliant email messaging service (where a login is required). Encourage patients to protect their devices/computers with passwords and to enable an automatic logoff. Run a campaign to make patients aware of security concerns, and force password changes every six months.
It’s always best practice to use the bare minimum of patient identifiers and other sensitive content in all messages you send to a patient. Seek documented patient consent before contacting patients by HIPAA compliant email messaging or SMS, inform them of any privacy issues, and keep a record of this acceptance; this is commonly referred to as an “opt-in agreement.” Include a disclaimer regarding patient privacy in all communication, or, when sending an SMS (where limited characters are available), be sure patients have already opted in to receive HIPAA compliant text messages.
Sample Disclaimer: The information in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Allow alternative options for communication upon patient request. Make these options visible in the email or SMS text message body. Give the patient the option to unsubscribe from email and/or SMS communication and respect any opt-out requests. If you have multiple patient engagement solutions that are sending out SMS and email communication to patients, you may need to manually update each system to reflect the patient’s updated communication preferences.
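As an added example (not code from the original post, and not Bridge’s software), the following Python pre-send screen applies the advice in the table and in the paragraphs above in one place: it checks the patient’s opt-in and opt-out state for the channel, verifies the destination address before sending, keeps the name, initials and medical record number out of an email subject line, scans the body for the listed identifiers and highly sensitive topics, appends the disclaimer to email but relies on the opt-in for SMS, and writes an audit record. The portal URL, the patient record, the disclaimer wording and both sample messages are constructed for this example; the identifier patterns are illustrative and would need tuning against your own data before production use.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical portal for this clinic: a link back to it is the one URL a notification may carry.
PORTAL_URL_PREFIX = "https://portal.example-clinic.test/"
SMS_MAX_CHARS = 160
EMAIL_DISCLAIMER = ("This message may contain patient information protected by federal and state "
                    "privacy laws and is intended only for the named recipient. If you are not the "
                    "intended recipient, notify the sender by reply email and destroy all copies.")

# Identifiers from the list above that a pattern can spot (SSN, phone, email, URL, IP, date, MRN).
# Constructed for this example and deliberately broad: a hit goes to a human, not past one.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<![\d-])(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?![\d-])"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d+", re.IGNORECASE),
}
# Topics the table calls highly sensitive. Keyword matching is crude, so it errs toward blocking.
SENSITIVE_TERMS = re.compile(
    r"\b(hiv|aids|mental illness|developmental disabilit\w*|substance abuse|alcohol|"
    r"drug abuse|child abuse|neglect)\b", re.IGNORECASE)
E164 = re.compile(r"\+\d{10,15}")

@dataclass
class Patient:
    full_name: str
    email: Optional[str]
    mobile: Optional[str]                          # E.164, e.g. "+15550109999"
    consented: set = field(default_factory=set)    # channels ticked on the opt-in form
    opted_out: set = field(default_factory=set)    # channels the patient has since unsubscribed

@dataclass
class Screening:
    allowed: bool
    findings: list
    message: str          # body as it would actually go out (disclaimer appended for email)

AUDIT_LOG = []            # stands in for an append-only audit store; metadata only, never the body

def _name_markers(full_name):
    """Patterns for each name part plus the initials (JD, J.D., J. D.) for subject-line checks."""
    parts = full_name.split()
    markers = [re.compile(r"\b" + re.escape(p) + r"\b", re.IGNORECASE) for p in parts]
    if len(parts) >= 2:
        initials = r"\b" + r"\.?\s?".join(re.escape(p[0]) for p in parts) + r"\.?(?!\w)"
        markers.append(re.compile(initials, re.IGNORECASE))
    return markers

def screen_outbound(channel, patient, body, subject=""):
    """Return a Screening; the caller sends only when .allowed is True."""
    findings = []
    # 1. Consent: the patient must have opted in to this channel and not opted out since.
    if channel not in patient.consented or channel in patient.opted_out:
        findings.append(f"no valid opt-in for channel {channel!r}")
    # 2. Verify the destination before sending (164.312(d)).
    if channel == "email":
        dest, dest_ok = patient.email, IDENTIFIER_PATTERNS["email"].fullmatch
    elif channel == "sms":
        dest, dest_ok = patient.mobile, E164.fullmatch
    else:
        raise ValueError(f"unsupported channel {channel!r}")
    if not dest or not dest_ok(dest):
        findings.append(f"destination {dest!r} is missing or malformed")
    # 3. An email subject must not carry the name, initials or medical record number.
    if channel == "email":
        if any(m.search(subject) for m in _name_markers(patient.full_name)):
            findings.append("subject line contains patient name or initials")
        if IDENTIFIER_PATTERNS["mrn"].search(subject):
            findings.append("subject line contains a medical record number")
    # 4. Body scan for the listed identifiers and highly sensitive topics.
    for label, pattern in IDENTIFIER_PATTERNS.items():
        for hit in pattern.findall(body):
            if label == "url" and hit.startswith(PORTAL_URL_PREFIX):
                continue      # "see your portal" links are the intended shape of a notification
            findings.append(f"body contains {label}: {hit}")
    for hit in SENSITIVE_TERMS.findall(body):
        findings.append(f"body mentions highly sensitive topic: {hit}")
    # 5. Channel shape: SMS stays short and relies on the opt-in; email carries the disclaimer.
    if channel == "sms" and len(body) > SMS_MAX_CHARS:
        findings.append(f"SMS body is {len(body)} chars (limit {SMS_MAX_CHARS})")
    message = body if channel == "sms" else body + "\n\n" + EMAIL_DISCLAIMER
    allowed = not findings
    # 6. Audit control: record the decision either way, without copying the message content.
    AUDIT_LOG.append({"channel": channel, "to": dest, "allowed": allowed, "findings": list(findings)})
    return Screening(allowed, findings, message)

# Constructed sample data: a fictitious patient and two candidate messages.
PATIENT = Patient("Jane Doe", "jane.doe@example.test", "+15550109999", consented={"sms", "email"})
GOOD_SMS = ("Reminder: you have an upcoming appointment. Details are in your portal: "
            "https://portal.example-clinic.test/inbox")
BAD_SUBJECT = "Jane Doe - HIV test results"
BAD_BODY = "Your HIV test from 06/26/2017 is ready. Call 555-010-9999 or see MRN 4471."

if __name__ == "__main__":
    print(screen_outbound("email", PATIENT, BAD_BODY, BAD_SUBJECT).findings)
```

The reminder SMS passes because its only identifier is a link to the clinic’s own portal, which is exactly the notification pattern the sections below recommend; the email is blocked five times over (name in the subject, a date, a phone number and an MRN in the body, and an HIV mention). The audit entry records channel, destination and decision but never the body, so the log itself does not become a second copy of PHI.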
How to send HIPAA compliant email messaging
Any covered entity should be communicating ePHI using encryption technology. A covered entity can encrypt its end of the email transport, but it’s impossible to ensure the email’s security once it leaves the organization’s email server. To encrypt email communication completely, the patient would need to use a HIPAA compliant email messaging service or secure patient messaging software that supports HIPAA-level encryption. Therefore, it is recommended to send messages to patients that are retrieved in a patient portal or other password-protected secure messaging service.
How to send HIPAA compliant text messages
Covered entities can implement mobile applications to send HIPAA compliant text messages. These aren’t exactly SMS-based messages, but they achieve the objective of delivering a message to a mobile device. A HIPAA compliant messaging app provides a private, encrypted network with access controls and audit controls to satisfy the HIPAA requirements. Control panels allow covered entities to apply role-based authorization and messaging policies. HIPAA text messaging solutions don’t typically store messages on the device, so there’s limited risk of unauthorized access. Apps installed on mobile devices require passwords to gain access, often for both the device and the app, which means extra security.
That being said, most healthcare providers send SMS messages to patients with limited PHI in them. SMS is considered a low-medium risk, in comparison to email, so it’s unlikely a healthcare provider would experience any problems by relying on SMS messaging as their primary communication method, so long as the right precautions are in place (which we mention in the sections above). SMS is extremely effective and the preferred communication method for patients, so it makes sense to develop a HIPAA-compliant policy for sending SMS messages.
Use Bridge as your HIPAA compliant patient messaging solution
57%[²] of patients prefer to communicate with healthcare organizations through mobile apps. Bridge Patient Portal assists healthcare organizations in securely engaging with patients via a HIPAA compliant messaging mobile application. This software allows providers to message patients securely while respecting communication preferences, including SMS text, email, or mobile push notification, while maintaining HIPAA compliance. Bridge’s solution enables medical practices to securely send PHI-sensitive messages to patients’ inboxes in the patient portal app, with the patient receiving a HIPAA compliant notification via email, SMS, or phone push notification. As a 2015 ONC certified patient portal, Bridge offers completely secure HIPAA compliant messaging. Furthermore, all of this is accessible via a client-branded iOS and Android mobile app.
1. Pew Research Center (2015). A “Week in the Life” Analysis of Smartphone Users. [online] Pew Research Center: Internet, Science & Tech. Available at: https://www.pewresearch.org/internet/2015/04/01/chapter-three-a-week-in-the-life-analysis-of-smartphone-users/ [Accessed 21 Dec. 2020].
2. SOTI.net (n.d.). U.S. Consumer Survey: Physicians Using Mobile Apps Seen as a Major Differentiator Amongst U.S. Patients. [online] Available at: https://soti.net/resources/newsroom/2019/us-consumer-survey-physicians-using-mobile-apps-seen-as-a-major-differentiator-amongst-us-patients/ [Accessed 14 Jan. 2021].