There are widespread violations of the HIPAA Rules for communicating with patients by unencrypted email and text message – largely because Providers and Business Associates just don’t know the rules. These HIPAA Rules are clear and easy to follow but you are at great risk and directly liable for breaking them.
A simple appointment reminder is, by definition, Protected Health Information even though it may not contain diagnostic specific information. So are Happy Birthday wishes, reminders that a patient is overdue for a checkup or has an outstanding balance on a bill. You must know how you can maximize your use of key patient communication tools while protecting yourself and your organization from government penalties and patient lawsuits.
Health Care Providers have a mandatory “duty to warn” patients of risks associated with unencrypted email. A patient may refuse to receive unencrypted emails after being warned. Health Care Providers and Business Associates must strictly follow the patient’s restriction.
There is a HIPAA “safe harbor” that frees you from:
- Responsibility for unauthorized access of a patient’s PHI during transmission;
and,
- Responsibility for safeguarding PHI delivered to the patient.
Don’t be the Provider or Business Associate that finds itself in serious trouble simply because you didn’t follow the HIPAA Rules for unencrypted electronic communication with patients!