Busting HIPAA Myths about Patient Texts and Email
You can email and text with patients as long as you follow the rules.
There are lots of myths about HIPAA law – we hear them every day. The HIPAA E-Tool® wants to bust those myths and help you follow the rules. Not the ones we wish were true, or the rules that seem common sense. HIPAA does not always follow common sense. One of the myths is about texting and emailing with patients.
We text and email with friends, family, co-workers, other professionals, retailers and banks. It’s fast and convenient. Speedy communication in healthcare can be a good thing too, helping to engage patients and give them the information they need the way they want to receive it. In healthcare though, email and texts require special care under HIPAA.
You need to email and text with patients but how do you do it safely under HIPAA1?
If patients want the convenience, isn’t that enough? Almost. You need to take three simple steps first: warn the patient; let them decide; and document it. Why? Theft of protected health information (PHI) is at an all-time high. Thieves can intercept electronic communications more easily than phone calls. HIPAA rules are designed to make it harder for thieves.
One of the most common HIPAA myths is the idea that a patient “consents” to email and texting if they start it, or as soon as they reply.
Not true. This is magical thinking because it seems like it should be true, it seems to be common sense, but the truth is that only advance written consent after the patient has been warned about the risk, is valid.
Remember that “protected health information” (PHI) is much broader than medical information. It can be only one (or more) of eighteen separate pieces of identifying information, like name, email address, phone number or patient i.d. number, etc. which, if linked with someone’s past, present or future healthcare, becomes PHI. Protected health information does not need to include a diagnosis or condition.
There is an easy way to lock down HIPAA compliance when it comes to email and texting with patients. The main requirement is to obtain written consent before sending an unencrypted text or email to a patient. There is no magic, just the three steps, below.
The “Three-Step Safe Harbor” from the HIPAA Privacy Rule
An unencrypted text message or email may only be sent after:
1) The patient is warned there is some level of risk (“duty to warn”)
2) The patient still wishes to receive unencrypted messages even after the warning (“right to decide”)
3) The health care provider documents the warning and the patient’s agreement to receive unencrypted messages (“documentation”).
If a patient texts or emails you before you have had a chance to warn them, send them the consent form before you respond to their inquiry. If they don’t respond, call them. If you cannot obtain their consent, or if they tell you they prefer encrypted communication, use encryption.
The HIPAA E-Tool® has the right consent form to use and explains the “Three-Step Safe Harbor.” It also maintains and regularly updates every policy needed for every HIPAA rule and includes answers to your questions about Privacy, Security, Risk Management and Breach Notification, 24/7/365.
Don’t rely on magical thinking, let us help.
1 There are two laws that apply to text messaging with patients: HIPAA and the Telephone Consumer Protection Act, or TCPA which protects consumers from nuisance and invasion of privacy using telephones (including texting). Some of the TCPA class action lawsuits have resulted in huge settlements in the tens of millions of dollars. As long as you follow HIPAA, you’ll be following TCPA.