
Avoid Email and Text HIPAA Violations

Scheduling Telehealth Appointments

Telehealth expanded rapidly to deal with COVID-19. Providers routinely email and text patients to schedule appointments because it’s convenient. Patients overwhelmingly want to use regular (unencrypted) emails and text messages to schedule their telehealth appointments.

However, many providers put themselves at risk because they don’t follow simple, mandatory HIPAA rules for using unencrypted email and text messaging to schedule telehealth appointments.

The number of inquiries we receive about emails and text messages indicates widespread and probably unintended violations of HIPAA compliance requirements for electronic communications.

Unencrypted Communication is Risky

We have written about emails and texts before, because a common myth about HIPAA is that patients who email or text using an unencrypted method have consented to unencrypted communication, just by communicating with a provider this way. But that is not the case. A covered entity must obtain an individual’s consent to use unencrypted communication beforehand.

What is the big deal about encrypted vs. unencrypted email or text? We all communicate dozens of times a day with our family, work colleagues, social media, retail and grocery stores, etc., without giving it a thought. The big deal is that medical identity theft is a big business, and cyber thieves are searching for communications between a provider and a patient to steal medical identity. It’s way too easy to steal if it’s unencrypted.

HIPAA Requires Prior Consent

And since HIPAA is designed to maintain patient privacy and security, the HIPAA Privacy and Security Rules both require this protection.

There is a simple “safe harbor” rule that protects health care providers who want to communicate via email and text, but you must follow the steps.

The three-step safeguard for obtaining consent:

  1. first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
  2. if, after the light warning, the patient still wants standard email and text messages (as almost all do) you must follow their direction;
  3. document the light warning and the patient’s preference in writing.

HIPAA Protects Privacy and The HIPAA E-Tool® Protects Providers

Knowing your risks, knowing what law applies, and following HIPAA doesn’t come naturally to most people. There are a LOT of rules.

The HIPAA E-Tool® has everything you need – policies, forms, legal citations and training – and ways to get answers to your questions. If you have a question, let us know.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
