Scheduling Telehealth Appointments
Telehealth expanded rapidly to deal with COVID-19. Providers routinely email and text patients to schedule appointments because it’s convenient. Patients overwhelmingly want to use regular (unencrypted) emails and text messages to schedule their telehealth appointments.
However, many providers put themselves at risk because they don’t follow simple, mandatory HIPAA rules for using unencrypted email and text messaging to schedule telehealth appointments.
The number of inquiries we receive about emails and text messages indicates widespread and probably unintended violations of HIPAA compliance requirements for electronic communications.
Unencrypted Communication is Risky
We have written about emails and texts before, because a common myth about HIPAA is that patients who email or text using an unencrypted method have consented to unencrypted communication, just by communicating with a provider this way. But that is not the case. A covered entity must obtain an individual’s consent to use unencrypted communication beforehand.
What is the big deal about encrypted vs. unencrypted email or text? We all communicate dozens of times a day with our family, work colleagues, social media, retail and grocery stores, etc., without giving it a thought. The big deal is that medical identity theft is a big business, and cyber thieves are searching for communications between a provider and a patient to steal medical identity. It’s way too easy to steal if it’s unencrypted.
HIPAA Requires Prior Consent
And since HIPAA is designed to maintain patient privacy and security, the HIPAA Privacy and Security Rules both require this protection.
There is a simple “safe harbor” rule that protects health care providers who want to communicate via email and text, but you must follow the steps.
The three-step safeguard for obtaining consent:
- first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
- if, after the light warning, the patient still wants standard email and text messages (as almost all do) you must follow their direction;
- document the light warning and the patient’s preference in writing.
HIPAA Protects Privacy and The HIPAA E-Tool® Protects Providers
Knowing your risks, knowing what law applies, and following HIPAA doesn’t come naturally to most people. There are a LOT of rules.
The HIPAA E-Tool® has everything you need – policies, forms, legal citations and training – and ways to get answers to your questions. If you have a question, let us know.