Receiving & Communicating PHI via Text Message or Email
When it comes to emails and texts, the rules for messages sent by a covered entity or business associate to a patient differ from the rules for messages sent by the patient. Remember, the Security Rule does not apply to the patient. A patient may send their health information by whatever means they choose. That health information becomes protected by the HIPAA rules once the covered entity or its business associate receives it. To communicate ePHI with patients via email or text, the covered entity or business associate must make sure the transmission is secure or caution the patient before proceeding.
For example, a patient texts or emails the provider a question (or a picture) about a health issue they are facing. Because the Security Rule does not apply to the patient, this is acceptable. Responding to the patient is not quite that simple for the practice. If the provider would like to enter into a conversation about the patient’s health concern, they must comply with the Security Rule from that point forward. The provider is not allowed to forward any of the information, or continue an electronic conversation about PHI, via an unsecured method.
If the provider believes the patient may not be aware of the risks of using unencrypted email or text, or has concerns about potential liability, the provider can alert the patient to those risks and let the patient decide whether to continue communicating electronically.
Examples
Hi John. It looks like you’d like to discuss your health in a little more detail. Email (or text) is not a secure way to do that. Do you still want to carry on a conversation?
Once the patient gives permission, the provider can continue the conversation without concern of a violation. HIPAA requires that providers make patients aware of the risk of communicating their PHI via an unsecured channel and obtain their consent before doing so. If the patient is not comfortable discussing their PHI over text or email because of the security risks, the conversation should be moved to a secure method, such as a phone call, a secure patient portal, or an in-office visit.
Remember, a covered entity’s obligation is to make patients aware of unsecured communications and to receive authorization before discussing PHI on an unsecured channel.
Can you use texting to communicate health information, even if it is to another provider or professional?
It depends. Text messages are generally not secure because they lack encryption, and there is no certainty that a message is received by the intended recipient. Wireless carriers also tend to store text messages.
The best safeguard is for covered entities to implement a third-party solution that provides a secure communication platform and allows texting only on approved mobile devices. There is no message accountability with short message service (SMS) or instant messaging (IM): anyone can pick up someone’s mobile device and use it to send a message, or edit a received message before forwarding it on.
For these reasons (and many more), communicating PHI by standard, unencrypted, unmonitored and uncontrolled SMS or IM violates HIPAA.
Covered entities are not expected to educate patients on encryption technology and information security. Rather, they must notify patients of the risk that information in a text or email could be read by a third party. If patients are notified of the risks and still prefer unencrypted email, they have the right to receive PHI that way, and covered entities are not responsible for unauthorized access to PHI in transit when the patient has requested that method.