Texting and E-mail in Medical Offices

If PHI Is Involved, Must Secure, Except…
•Do you need to secure e-mail and text messages?
–Required HIPAA Risk Analysis shows risks of using insecure communications such as plain e-mail and texting
–Organizations that discover they have used insecure communications report insecure communications of PHI as a breach
–Enforcement settlements have been based in part on the use of insecure communications for professional purposes with PHI
•So, if PHI is involved, encryption is required
•Except! When the patient requests the use of an insecure process
–Must be at the patient’s request or as an expressed preference
–Must explain risks to the individual and obtain consent for insecure communications involving PHI
–Entity is not liable for a breach if PHI is compromised

-Jim Sheldon-Dean

HIPAA Requirements
•HIPAA Security Rule §164.312(e) requires consideration of encryption of communications as an Addressable Implementation Specification
–Risk Analysis shows regular texting is NOT secure
–Using regular texting with PHI may be considered a breach
•HIPAA Privacy Rule §164.522 and §164.524 give patients rights of communication preferences and access of information (even if it is not secure)
–Making Patients happy
–Making HHS happy

Patient Communications
•The big question: “Can I text or e-mail appointment reminders to my patients?”
•The big answer: “That depends…”
–Do you have consent under TCPA?
–Details of the message
–Context of the message
–What can you leave out?
•What if they request using plain e-mail or plain texting and don’t want to use another app or portal?
–Can you manage the communications?
–Can you document the communications?
–Issue of Response, Triage, and Medical Records

Professional Communications
•For Professional purposes:
–Formal communication between staff or providers in other offices, involving PHI, including information or decisions about care
•Secure communications for PHI are required
•Communications must be documented and authenticated for treatment purposes
•Need more than one of the free secure texting apps

 
