Avoid Email and Text HIPAA Violations

Scheduling Telehealth Appointments

Telehealth expanded rapidly to deal with COVID-19. Providers routinely email and text patients to schedule appointments because it’s convenient. Patients overwhelmingly want to use regular (unencrypted) emails and text messages to schedule their telehealth appointments.

However, many providers put themselves at risk because they don’t follow simple, mandatory HIPAA rules for using unencrypted email and text messaging to schedule telehealth appointments. And they may risk violating another law that applies to texting patients, the Telephone Consumer Protection Act (TCPA). TCPA violations carry heavy financial consequences. But if you comply with HIPAA, you eliminate TCPA risks.

The number of inquiries we receive about emails and text messages indicates widespread and probably unintended violations of HIPAA compliance requirements for electronic communications. They also signal the TCPA violations that expose providers to more severe financial risk.

Unencrypted Communication is Risky

We have written about emails and texts before, because a common myth about HIPAA is that patients who email or text using an unencrypted method have consented to unencrypted communication, just by communicating with a provider this way. But that is not the case. A covered entity must obtain an individual’s consent to use unencrypted communication beforehand.

What is the big deal about encrypted vs. unencrypted email or text? We all communicate dozens of times a day with our family, work colleagues, social media, retail and grocery stores, etc., without giving it a thought. The big deal is that medical identity theft is a big business, and cyber thieves are searching for communications between a provider and a patient to steal medical identity. It’s way too easy to steal if it’s unencrypted.

HIPAA Requires Prior Consent

And since HIPAA is designed to maintain patient privacy and security, the HIPAA Privacy and Security Rules both require this protection. The TCPA, mentioned above, requires providers to follow the HIPAA Privacy Rule for text messaging.

There is a simple “safe harbor” rule that protects health care providers who want to communicate via email and text, but you must follow the steps.

The three-step safeguard for obtaining consent:

  1. first, a “light warning” is required – inform the patient there is some level of risk that an unencrypted text or email can be read by someone else;
  2. if, after the light warning, the patient still wants standard email and text messages (as almost all do) you must follow their direction;
  3. document the light warning and the patient’s preference in writing.

The HIPAA three-step safeguard is a complete defense to the TCPA, because it documents prior express consent.

HIPAA Protects Privacy and The HIPAA E-Tool® Protects Providers

Knowing your risks, knowing what law applies, and following HIPAA doesn’t come naturally to most people. There are a LOT of rules.

The HIPAA E-Tool® has everything you need – policies, forms, legal citations and training – and ways to get answers to your questions. If you have a question, let us know.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.
