Email & Text in the World of HIPAA

fizkes / shutterstock.com

The world we live in necessitates infor­mation be communicated in a quick and easy manner. This remains true in the healthcare setting. The ability to text or email staff and patients has become a priority for many healthcare entities. However, maintaining patient privacy and confidentiality is essential to ensure we meet compliance standards. Although emailing and texting are convenient, these communication methods have inherent pitfalls. Implementing email and text solutions in the healthcare setting is a complex issue and several factors must be addressed.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates implement certain safeguards when emailing or texting electronic protected health information (ePHI) to patients or others. Enacted in 1996, HIPAA has rules regarding the use and disclosure of protected health information (PHI) to ensure it remains private. The HIPAA Privacy Rule defines PHI as individually identifiable information transmitted or maintained in any form or medium whether electronic, on paper or oral by a covered entity or a business associate. HIPAA regulates:

• How and when to disclose PHI;
• Ways providers and health plans must protect PHI; and
• Patient rights to access their own information.

The HIPAA Privacy Rule not only allows, but requires covered entities to communicate with patients via email or text if requested by the patient (see 45 CFR 164.522[b]). Patients are allowed to send providers and their practices any PHI they would like via email or text. The information is the patient’s, and they have the right to do with it and request information as they please. However, the Privacy Rule requires covered entities implement appropriate safeguards when emailing or texting ePHI to patients.

The U.S. Department of Education’s Office for Civil Rights (OCR) explains:

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 CFR 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.¹

The Privacy Rule requires covered entities and their business associates to “implement technical security measures to guard against unauthorized access to PHI that is being transmitted over an electronic communications network” (45 CFR 164.312[e][1]). Encryption is an addressable implementation standard, meaning the covered entity or business associate must encrypt the ePHI if it determines doing so is “reasonable and appropriate.” If not, the covered entity or business associate must 1) document why it would not be reasonable and appropriate to encrypt the data, and 2) implement an equivalent alternative measure if reasonable and appropriate.