As more organizations continue to work remotely, they are relying on texting and email as means of communication. For organizations that work in healthcare, it is important to determine if the communication tool they use is HIPAA compliant. HIPAA compliant texting solutions and email platforms are discussed below.
HIPAA Compliant Texting and Email: What You Need to Know
An essential component of HIPAA is ensuring the confidentiality, integrity, and availability of protected health information (PHI). This includes PHI communicated via texting and email. For HIPAA compliant texting and email, there are certain measures that must be implemented.
◈ HIPAA Compliant Texting. Traditional texting platforms are not HIPAA compliant as they cannot be encrypted. Encryption masks sensitive data so that it is unreadable to unauthorized users. As such, traditional texting platforms cannot be used in conjunction with PHI. They can only be used for patient communication with prior authorization from the patient. In addition to obtaining written consent, the covered entity (CE) must issue a warning to the patient to let them know that text messaging is not a secure form of communication. The warning must also be documented.
However, this authorization extends only to communication between provider and patient; the provider may not communicate PHI through text message to a party other than the patient. Text messaging can also be used to send patient appointment reminders and, under certain circumstances, during a natural disaster.
If your organization prefers to communicate PHI through text messaging, there are HIPAA compliant texting platforms. These platforms are specially designed for the medical field. As such, they include all of the required security measures, and they are willing to sign a business associate agreement (BAA).
◈ HIPAA Compliant Email. To use email for communication in compliance with HIPAA, the email provider must enable encryption. When sending email attachments with PHI, the attachments must also be encrypted. However, PHI cannot be contained in an email subject line, as this information cannot be encrypted. Before using email to communicate PHI, you must have a signed BAA with your email provider.
Even with encryption enabled, using email to communicate PHI still poses a risk. This is why providers must receive patient authorization and issue a warning before using email to communicate PHI to a patient.