More and more healthcare providers are implementing communication systems between physicians and patients that rely on email or text. This means that these healthcare providers must implement certain safeguards to keep electronic protected healthcare information (e-PHI) secure throughout such communication. Here are some key policies to be aware of when emailing or texting patients and other providers, as well as when receiving emails and texts from patients.
Emails and texts to patients
The HIPAA Privacy Rule not only allows but requires covered entities to communicate with their patients via email or text if the patients request it. With this requirement, however, come important safeguards that must be adhered to when sending e-PHI to patients. When sending emails, for example, healthcare providers must verify the email address for accuracy before sending, or send a message to the patient confirming the email address before sending the email that contains e-PHI. A healthcare provider is also advised to limit the amount and type of information disclosed through an unencrypted email, and in doing so should document why it would not be “reasonable and appropriate” to encrypt the included data. A provider in this case should also warn the patient that the connection is not secure or that the e-PHI is not encrypted. In cases where more information is to be disclosed, the covered entity or business associate must encrypt the e-PHI in the email as reasonable and appropriate.
Emails and texts from patients
These rules, however, do not apply to emails and texts sent from patients to healthcare providers. A patient, for example, may send health information to a healthcare provider using email or text messaging that is not secure, as it is assumed that such communication is acceptable to the patient. If a provider feels that a patient is not aware of the risks involved in sharing personal health information in an unencrypted email, the provider can choose to alert the patient to those risks.
Emails between healthcare providers
The HIPAA Privacy and Security Rules that govern sending e-PHI to patients via email or text also apply to communication between healthcare providers. One caveat, however, concerns communication over unsecured networks and unencrypted email: in these situations, warning the third party that the communication is not secure is generally not enough. Instead, healthcare providers are encouraged to consistently use secure connections and encrypted email when disclosing e-PHI to one another.