As the ways in which we communicate evolve, it is important for HIPAA covered entities to understand how they are permitted to communicate with patients. Whether patient communication is HIPAA compliant depends on what information is being communicated and on the channel used to communicate it (e.g. email, mail, phone, text message, or in person). HIPAA requires covered entities to safeguard the confidentiality, integrity, and availability of protected health information (PHI). Those same safeguards determine what counts as HIPAA compliant patient communication.
How Can You Ensure HIPAA Compliant Patient Communication?
Before communicating with patients via email or phone, you must obtain written authorization from the patient. Appointment reminders, however, may be sent without authorization via email, phone, or text message, as long as you disclose only the minimum necessary information to confirm the appointment (i.e. the patient’s name, the appointment date/time, the covered entity’s name, and the covered entity’s phone number). Beyond that, the requirements for communicating health information differ depending on the channel you use.
Before you may share PHI with a patient via email, you must have the patient’s written authorization to do so. Even with written authorization, email protections must be in place to safeguard the PHI you are sending. HIPAA compliant patient communication via email requires end-to-end encryption (E2EE). E2EE protects sensitive information as emails travel to the patient’s inbox: emails in transit pass through third-party servers, and E2EE prevents unauthorized individuals from reading them as they pass through those servers. Email subject lines, however, are not encrypted, so covered entities should never put PHI in an email subject line.
Additionally, covered entities must have a signed business associate agreement (BAA) with their email provider, before they are permitted to use email in conjunction with PHI. A BAA is a legal document that determines what protections are required to secure PHI, and dictates the proper uses and disclosures of PHI.
When sending PHI via mail, you must use either certified mail or a similar service that requires a signature. Using standard mail is not permitted, as it cannot be tracked.
As with email, you must have written consent from the patient before communicating PHI over the phone. When issuing an appointment reminder by phone, you may not disclose the nature of the appointment or any other health information without the patient’s prior consent.
Traditional text messaging platforms are not HIPAA compliant, as they lack the protections necessary to secure PHI. There are, however, specific healthcare texting platforms that can be used for HIPAA compliant patient communication. Covered entities may also issue appointment reminders through text message.
When communicating with a patient in person, you must do so in an area that prevents unauthorized disclosure of PHI. This means you may not communicate PHI in areas such as your waiting room, where other patients or staff members can overhear the conversation.