Email and text messaging are very convenient ways people communicate, including many of your patients. These forms of communication, however, are not always compliant with HIPAA standards and may put your patients’ privacy at risk.
By understanding how HIPAA applies to your electronic communication, you can make your communications more effective while also maintaining compliance and respecting your patients’ privacy rights.
Mobile device use
To help healthcare providers understand the HIPAA communication rules for smartphones and other mobile devices, the U.S. Department of Health and Human Services published a website with specific guidelines, including a mobile device fact sheet and a “Guide to Privacy and Security of Electronic Health Information”. In summary, mobile devices must be used in a way that protects patient information, using reasonable safeguards.¹
In effect, this rules out the use of unsecured networks and unencrypted communication methods such as standard texting. Unsecured text messaging may not be used to communicate patient information, either with patients or with colleagues.¹ However, applying the necessary safeguards or adopting secure third-party software that provides secure texting is an option.²
When considering mobile device use within your practice, these five steps will help you determine how to uphold HIPAA requirements:²
- Determine if mobile devices will be used with patient information. This includes EHR use, using mobile devices as part of your organization’s internal system or “used to access, receive, transmit or store patients’ health information.” You must conduct a risk analysis and consider the risks that apply to your organization if you ultimately decide to use mobile devices in any of these ways.
- Analyze your use (or planned use) of mobile devices to send health information. Look for threats and potential vulnerabilities.
- Create your own custom strategy based on the vulnerable areas you identified in step #2. This strategy must include appropriate “privacy and security safeguards” and be regularly evaluated. In your plan, be sure to describe how you will update, maintain and evaluate the strategy on a regular basis.
- Create, record and begin using your policies and procedures for mobile device use. These should protect patient information and help staff members understand how to appropriately use mobile devices.
- Begin training staff members about protecting patient information and how to use their mobile devices in accordance with your policies and procedures. Conduct training on an ongoing basis to provide the most up-to-date information.
Email communication with patients is acceptable as long as healthcare providers make a reasonable effort to protect patient information.³ When sending unencrypted messages, take care not to reveal too much personal information. Precautions must be taken to ensure that messages are sent to the correct email address. Patients may ask for an alternative form of communication instead of email, as long as the request is reasonable.
Healthcare providers may safely assume that email is an appropriate form of communication with a particular patient if that individual initiates email contact by sending an email message to the provider.³ If the patient requests a different form of communication, you should offer something more secure, such as mail or phone communication.³
Know your use of information
You should do your own due diligence by researching HIPAA guidelines and determining how they apply to your practice’s use of electronic communications. Also, be aware that these regulations do change. Other regulations may apply to your practice as well, and you must be prepared to comply with them.
Being prepared and using electronic communication responsibly demonstrates your commitment to protecting patient privacy and offering the best care possible.
1. The U.S. Department of Health and Human Services. “Can you use texting to communicate health information, even if it is to another provider or professional?” https://www.healthit.gov/providers-professionals/faqs/can-you-use-texting-communicate-health-information-even-if-it-another-p. Published January 2013. Accessed November 2015.
2. The U.S. Department of Health and Human Services. “Managing Mobile Devices in Your Health Care Organization.” https://www.healthit.gov/sites/default/files/fact-sheet-managing-mobile-devices-in-your-health-care-organization.pdf. Accessed November 2015.
3. The U.S. Department of Health and Human Services. “Does the HIPAA Privacy Rule permit health care providers to use email to discuss health issues and treatment with their patients?”