Updated on April 5, 2023.
Why Secure Patient-provider Communication is a Must
Patients require open communication with their healthcare providers before and after their appointments. And since the rise of telehealth, SMS/email communication has become increasingly prevalent. Research shows that most patients are moving away from telephone calling in favor of digital communication such as text messaging and email¹ on their mobile devices. The problem is that while SMS and email are not, by nature, HIPAA compliant, healthcare providers must be allowed to use them for patient communication to remain productive in the modern healthcare market. HIPAA law is a gray area; therefore, it’s important to explore the shortcomings of SMS and email and ways to make them safe and secure.
The Shortcomings of SMS and Email
The primary text messaging (SMS) functionality available on all mobile phones and email communication is not “technically” HIPAA compliant. Reasons for this include:
- SMS/email lacks access controls; a patient does not need to enter a password before they read a text message or email.
- SMS/email lacks audit controls, which are necessary when Protected Health Information (PHI) is created, modified, accessed, shared, or deleted.
- SMS/email lacks the necessary encryption standards; its functionality does not prevent the interception or extraction of text messages or emailed information from the mobile carrier or email servers.
What Are SMS and Email Messaging Most Commonly Used For?
- Telemedicine/video visit invitations
- Automated patient appointment reminders and confirmations
- Patient payment requests and financial statement modifications
- Personalized patient education
- Patient forms and pre-visit intake notifications
- New visit summary notifications
- New patient-provider message notifications
- Patient care gap and recall reminders
What Does HIPAA Say?
HIPAA makes very few specific statements about what is and isn’t acceptable regarding HIPAA compliant secure messaging. HIPAA states that the Privacy Rule “allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so.”
- HIPAA Standard 164.312(d) – Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.
- HIPAA Standard 164.306(b) – Implement reasonable and appropriate security measures.
How To Be HIPAA Compliant
Here are some recommendations to consider when implementing HIPAA regulations and requirements into your office and patient electronic communication protocol:
HIPAA Standard Practical Advice HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to electronic Protected Health Information (ePHI) are who they claim to be. Double-check and triple-check to be positively sure that the email address or phone number is correct before sending. If automated messages are being sent, implement procedures for verifying contact information, ideally through an electronic opt-in or communications consent form. HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. Do not use the patient’s name, initials, or medical record number in the subject line of an email, and even avoid using any of the below mentioned identifiers in the body of the email or SMS. Ensure that your opt-in and/or communications consent form mentions the identifiers that you’ll likely use in your email and SMS communication so that the patient has opted-in to receive communication with such identifiers.
Patient identifiers include:
2. All geographical subdivisions smaller than a state (The initial three digits of a zip code may be acceptable)
3. Dates, except for year
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images
18. Any other unique identifying number
HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. (Continued) Limit the amount of personal health record information you include in electronic communication that is likely to cause complaints. Don’t include any highly sensitive information, defined as:
Mental Illness or Developmental Disability
HIV/AIDS Testing or Treatment
Substance (i.e., alcohol or drug) Abuse
Abuse of an Adult with a Disability
Child Abuse and Neglect
Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.
Patient identifiers to avoid when communicating with patients via email/SMS:
Patients should “ideally” authenticate who they are before gaining access to PHI. So if you’re going to send PHI, it’s best to send it via secure message through a patient portal or HIPAA compliant email messaging service (where a login is required). Encourage patients to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns, and require password changes every six months.
It’s always best practice to use the bare minimum of patient identifiers and other sensitive content in all messages you send to a patient. Seek documented patient consent before contacting patients by HIPAA compliant email messaging or SMS, inform them of any privacy issues, and keep a record of this acceptance. This is commonly referred to as an “opt-in agreement.” Include a disclaimer regarding patient privacy in all communication; when sending an SMS (where limited characters are available), be sure patients have already opted-in to receive HIPAA compliant text messages.
Sample Disclaimer: The information in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Allow alternative options for communication upon patient request. Make these options visible in the email or SMS text message body. Allow the patient to unsubscribe from email and/or SMS communication and respect any opt-out requests. Suppose you have multiple patient engagement solutions that are sending out SMS and email communication to patients. In that case, you may need to manually update each system to reflect the patient’s updated communication preferences.
Any covered entity should be communicating ePHI using encryption technology. A covered entity can encrypt its end of the email transport, but it’s impossible to ensure the email’s security once it leaves the organization’s server. To encrypt email communication completely, the patient would need to use a HIPAA compliant email messaging service or secure patient messaging software that supports HIPAA-level encryption. Therefore, it’s best to send messages to patients that must be retrieved in a patient portal or other password-protected secure messaging service.
How To Send HIPAA Compliant Text Messages
Covered entities can implement mobile applications that send HIPAA compliant text messages, which aren’t exactly SMS-based but achieve the objective using mobile communication. A HIPAA compliant messaging app provides a private cloud, secure encrypted network with access controls, and audit controls to satisfy the HIPAA requirements. Convenient control panels allow covered entities to offer role-based authorization and apply messaging policies.
HIPAA text messaging solutions don’t typically store messages on the device, so there’s limited risk of unauthorized access. Apps installed on mobile devices often require passwords to gain access to the app and the device itself, which means extra security.
That being said, most healthcare providers send only limited PHI via SMS message. SMS is considered a low-medium risk in comparison to email, so it’s unlikely a provider would experience any problems relying on SMS messaging as their primary communication method — so long as the right precautions are in place (as detailed in the sections above). SMS is extremely effective and the preferred communication method for patients, so it makes sense to develop a HIPAA compliant policy for sending SMS messages.
Use Bridge as Your HIPAA Compliant Patient Messaging Solution
87%² of patients find it more convenient to communicate with healthcare organizations using technology, including text messaging. Bridge Patient Portal assists healthcare organizations in securely engaging with patients via a HIPAA compliant messaging mobile application. This software allows providers to message patients in HIPAA compliance while respecting communication preferences, including SMS text, email, or mobile push notifications. Bridge’s solution enables medical practices to securely send PHI-sensitive messages to patients to their patient portal app inbox and receive a HIPAA compliant notification via their preferred method. As a 2015 ONC-certified patient portal, Bridge offers completely secure HIPAA compliant messaging now accessible on a client-branded iOS and Android mobile app.
- Project.co. (2023). Communication Statistics 2022. [online] Available at: https://www.project.co/communication-statistics/.
- Norm Group. (2022). Today’s Patients Want More Digital Communication. [online] Norm. Available at: https://normgroup.org/todays-patients-want-more-digital-communication/.