HIPAA and Email/SMS Communication With Patients

- John Deutsch
- April 02, 2023
Updated on August 23, 2024.
Patients require open communication with their healthcare providers before and after their appointments, and using text messages (SMS) or email for this might seem logical. However, under HIPAA, texting and emailing with patients must follow strict guidelines to guarantee the privacy and security of electronic protected health information (ePHI). Otherwise, the healthcare organization could face severe legal consequences. Although SMS and email are not HIPAA-compliant on their own, there are ways to configure HIPAA-compliant texting and email and use them safely. Let’s break it down.
Are SMS And Email HIPAA Compliant?
Since the rise of telehealth, SMS/email communication has become increasingly prevalent. Research shows that most patients are moving away from telephone calls in favor of digital communication, such as text messaging and email, on their mobile devices [1].
Healthcare uses for text messages and email include:
- Telemedicine/video visit invitations
- Automated patient appointment reminders and confirmations
- Patient payment requests and financial statement modifications
- Personalized patient education
- Patient forms and pre-visit intake notifications
- New visit summary notifications
- New patient-provider message notifications
- Patient care gap and recall reminders
The problem is that while SMS and email are not, by nature, HIPAA-compliant, healthcare providers must be allowed to use them for patient communication to remain productive in the modern healthcare market. HIPAA law is a gray area; therefore, it’s important to explore the shortcomings of SMS and email and ways to make them safe and secure.
The majority of HIPAA regulations related to texting (SMS), instant messaging (IM), and email are outlined in the technical safeguards of the HIPAA Security Rule:
- Each authorized user must have a unique login username and PIN for any system used to send and receive PHI (Protected Health Information), so that every communication can be attributed to a user, monitored, and logged.
- Any system used to transmit PHI must include an automatic logoff feature to prevent unauthorized access if a computer or mobile device is left unattended.
- PHI must be encrypted during transmission so that, even if a message is intercepted on a public Wi-Fi network, the content and any attached PHI remain “unreadable, undecipherable, and unusable.”
Measured against these basic standards, neither the native text messaging (SMS) functionality built into every mobile phone nor ordinary email is HIPAA-compliant. Reasons for this include:
- SMS and email lack access controls; patients do not need to enter a password before reading a text message or email.
- SMS and email lack audit controls, which are necessary when Protected Health Information (PHI) is created, modified, accessed, shared, or deleted.
- SMS and email lack the necessary encryption standards; their functionality does not prevent the interception or extraction of text messages or emailed information from the mobile carrier or email servers.
Under HIPAA, texting and emailing can be difficult to secure to an acceptable standard. It requires monitoring all the online activity of users and ensuring that they log off when they are finished.
Encryption also presents difficulties. Any encryption solution used to securely transmit PHI among healthcare organizations, medical professionals, business associates, and other covered entities must be compatible across multiple operating systems and devices and have a standardized decryption key. Due to these complexities, an exemption was made for electronic communication of PHI between medical professionals and their patients.
New HIPAA Rules For Text Messaging And Email
HIPAA states that the Privacy Rule “allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.”
HIPAA Standards:
- HIPAA Standard 164.312(d) – Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
- HIPAA Standard 164.306(b) – Implement reasonable and appropriate security measures.
Due to its aforementioned security weaknesses, the Centers for Medicare and Medicaid Services (CMS) has traditionally disallowed text messaging in healthcare settings. However, the CMS recently updated its policy, now allowing healthcare providers at hospitals and critical access hospitals to text patient information and orders, provided a HIPAA-compliant secure messaging platform is used.
This change, effective from February 8, 2024, reflects advancements in encryption and text messaging technology, enabling direct integration with electronic health records [2]. However, CMS still prefers that orders be entered via computerized systems or handwritten notes.
How To Be HIPAA Compliant
Sending patient information via email can be risky, so it’s important to take steps to avoid giving away PHI. Even using a patient’s initials instead of their name is considered a breach of PHI, as it could be combined with other information to deduce the patient’s identity. Here are some recommendations to consider when implementing HIPAA regulations and requirements into your office and patient electronic communication protocol:
Patient identifiers to avoid when communicating with patients via email/SMS:
Patients should “ideally” authenticate who they are before gaining access to PHI. So if you’re going to send PHI, it’s best to send it via secure message through a patient portal or HIPAA-compliant email messaging service (where a login is required). Encourage patients to protect their devices/computers with passwords and to enable an automatic logoff. Create an awareness campaign to make patients aware of security concerns, and require password changes every six months.
It’s always best practice to use the bare minimum of patient identifiers and other sensitive content in all messages you send to a patient. Seek documented patient consent before contacting patients by HIPAA-compliant email messaging or SMS, inform them of any privacy issues, and keep a record of this acceptance. This is commonly referred to as an “opt-in agreement.” Include a disclaimer regarding patient privacy in all communication; when sending an SMS (where limited characters are available), be sure patients have already opted-in to receive HIPAA-compliant text messages.
Sample Disclaimer: The information in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Allow alternative options for communication upon patient request. Make these options visible in the email/SMS text message body. Allow the patient to unsubscribe from email and/or SMS communication and respect any opt-out requests. If you have multiple patient engagement solutions that send SMS and email communication to patients, you may need to manually update each system to reflect the patient’s updated communication preferences.
How To Implement HIPAA-Compliant Email Messaging
Any covered entity should be communicating ePHI using encryption technology. A covered entity can encrypt its end of the email transport, but it’s impossible to ensure the email’s security once it leaves the organization’s server. To encrypt email communication completely, the patient would need to use a HIPAA-compliant email messaging service or secure patient messaging software that supports HIPAA-level encryption. Therefore, it’s best to send messages to patients that must be retrieved in a patient portal or other password-protected secure messaging service.
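The recommendations above (opt-in consent, minimal identifiers, an opt-out line, an audit trail) and the "notify, don't transmit" pattern from this section can be enforced in code. The following is an added example, not Bridge's software or the article's own code: the PHI-bearing message is stored behind the portal login, and the SMS/email carries only a pointer to it. The consent records, inbox, patient IDs and the small PHI pattern list are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: channels each patient has opted in to (the "opt-in
# agreement"), an empty portal inbox per patient, and an in-memory audit trail.
CONSENT = {"p-1001": {"sms", "email"}, "p-1002": {"email"}}
PORTAL_INBOX = {"p-1001": [], "p-1002": []}
AUDIT_LOG = []  # stand-in for the audit control a real system must persist

# Hypothetical, deliberately small blocklist of identifier patterns that must
# never appear in an out-of-band notification. A production list would be larger.
PHI_PATTERNS = [
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),          # dates (DOB, visit date)
    re.compile(r"\bMRN\s*#?\d+", re.IGNORECASE),          # medical record numbers
    re.compile(r"\b(diagnos|prescri|lab result)", re.IGNORECASE),
]
SMS_MAX = 160  # one SMS segment; keeps the notification short and identifier-free
OPT_OUT = {"sms": " Reply STOP to opt out.", "email": " Reply UNSUBSCRIBE to opt out."}


@dataclass
class Notification:
    patient_id: str
    channel: str
    body: str


def contains_phi(text: str) -> bool:
    """True if the text matches any pattern on the PHI blocklist."""
    return any(p.search(text) for p in PHI_PATTERNS)


def deliver(patient_id: str, channel: str, phi_message: str, portal_url: str) -> Notification:
    """Keep the PHI in the portal inbox; send only a login pointer over SMS/email."""
    if channel not in CONSENT.get(patient_id, set()):
        raise PermissionError(f"{patient_id} has not opted in to {channel}")
    body = f"You have a new secure message. Sign in to read it: {portal_url}" + OPT_OUT[channel]
    # The notification is checked, not the PHI message: the PHI never leaves the portal.
    if contains_phi(body):
        raise ValueError("notification would leak PHI (e.g. an MRN embedded in the URL)")
    if channel == "sms" and len(body) > SMS_MAX:
        raise ValueError("SMS notification exceeds one segment")
    PORTAL_INBOX[patient_id].append(phi_message)        # PHI stays behind the login
    AUDIT_LOG.append({"patient": patient_id, "channel": channel,
                      "sent_at": datetime.now(timezone.utc).isoformat()})
    return Notification(patient_id, channel, body)
```

A real deployment would replace the in-memory dictionaries with the portal's datastore and a tamper-evident audit log, and would re-read consent at send time so a recent opt-out is honored.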
How To Send HIPAA-Compliant Text Messages
Covered entities can implement mobile applications that send HIPAA-compliant text messages, which aren’t exactly SMS-based but achieve the objective using mobile communication. A HIPAA-compliant messaging app provides a private cloud, secure encrypted network with access controls and audit controls to satisfy the HIPAA requirements. Convenient control panels allow covered entities to offer role-based authorization and apply messaging policies.
HIPAA text messaging solutions don’t typically store messages on the device, so there’s a limited risk of unauthorized access. Apps installed on mobile devices often require passwords to gain access to the app and the device itself, which means extra security.
That being said, most healthcare providers send only limited PHI via SMS message. SMS is considered a low-medium risk in comparison to email, so it’s unlikely a provider would experience any problems relying on SMS messaging as their primary communication method—so long as the right precautions are in place (as detailed in the sections above). SMS is extremely effective and the preferred communication method for patients, so it makes sense to develop a HIPAA-compliant policy for sending SMS messages.
Use BridgeInteract As Your HIPAA-Compliant Patient Messaging Solution
87% of patients find it more convenient to communicate with healthcare organizations using technology, including text messaging [3]. BridgeInteract assists healthcare organizations in securely engaging with patients via HIPAA-compliant messaging.
This software, part of the broader BridgeInteract patient engagement platform, allows providers to:
- Message patients in HIPAA compliance while respecting communication preferences, including SMS text, email, or mobile push notifications.
- Securely send PHI-sensitive messages to patients’ patient portal app inboxes and receive a HIPAA-compliant notification via their preferred method.
- Offer completely secure HIPAA-compliant messaging via a client-branded iOS and Android mobile app.
BridgeInteract is a powerful, modular patient engagement software suite that streamlines provider workflows and offers a seamless patient experience across the care journey via a HIPAA-compliant patient portal. The platform is SOC 2 certified and adheres to the strictest data security standards, leveraging enterprise-grade encryption, next-generation firewalls, and HIPAA-compliant cloud services to protect the data of patients and clients alike.
In addition, BridgeInteract is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services.* To learn more about the certified module, please check https://www.bridgeinteract.io/certifications/.
Contact us to learn how we can help you manage your telehealth with a comprehensive patient engagement solution that complies with HIPAA and all applicable regulations while offering an unbeatable patient experience.
Explore: HIPAA Compliance And Telehealth
- Is Whatsapp® HIPAA Compliant?
- Is Apple FaceTime® HIPAA Compliant?
- Is Skype™ HIPAA Compliant?
- Is Facebook Messenger™ HIPAA Compliant?
- Is Microsoft Teams® HIPAA Compliant?
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge is not affiliated, endorsed, or sponsored in any way by the service providers mentioned in this article.
*This certification does not represent an endorsement by the US Department of Health and Human Services.
Sources:
- [1] Project.co. (2023). Communication Statistics 2022. [online] Available at: Link. Accessed August 23, 2024.
- [2] Center for Clinical Standards and Quality/Quality, Safety & Oversight Group. (2024). Memorandum. [online] Available at: Link. Accessed August 23, 2024.
- [3] Norm Group. (2022). Today’s Patients Want More Digital Communication. [online] Norm. Available at: Link. Accessed August 23, 2024.