Electronic Patient Communications in the Wake of HIPAA: The Ban Has Lifted

Healthcare providers remain skittish when it comes to email or text communications, and their reluctance is understandable. 

Historically, both email and text messages were considered inherently unsecure modes of communication. In addition, many healthcare providers and business associates believe the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy and Security Rule’s restrictions on the use, transfer, and storage of demographic data and Protected Health Information (PHI) make email and text messaging far too risky. 

In response to the concerns of the healthcare community as well as the financial services industry—which has similar needs to protect the confidentiality of personally identifiable information—the cellular phone and internet industries have built safe, secure electronic communication platforms that secure information both in transit and at rest. 

If email and text are used properly and with the controls required by the American Medical Association (AMA) to send electronic messages containing PHI, healthcare providers can now embrace these forms of patient communications. 

AMA Requirements for Email and Text

As the AMA makes clear, HIPAA does not specifically prohibit sending PHI by text or email. However, it does require the electronic communication platform to include: 

• Safeguards to ensure the confidentiality of PHI at rest and in transit;
• Controls for who can access PHI;
• Permissions for what authorized personnel can do with PHI when they access it; and
• Processes to prevent the interception of plain text messages. 

Healthcare providers and business associates should exercise due diligence when selecting a text or email communication platform provider. At a minimum, they should require the provider to ensure its text or email platform can support the AMA’s four requirements of an electronic communication platform. 

The AMA has further clarified its position on sending PHI by text or email in Section 2.3.1 of the AMA’s Code of Ethics. As this section makes clear, concerns remain about privacy and confidentiality when communicating and transmitting PHI electronically. Physicians must uphold the same ethical standards when communicating with patients electronically as they do during other clinical encounters. They must also ensure the method of communication—whether virtual, telephonic, or in person—is appropriate to the patient’s clinical need and to the information being conveyed. 

While HHS and the Center for Medicare and Medicaid Services (CMS) do not prohibit healthcare providers and practitioners from communicating with their patients by text messages or email, healthcare providers and practitioners cannot disavow their responsibilities under the law, HIPAA, the HIPAA Privacy and Security Rule, or the AMA Code of Ethics by hiring a business associate to manage their electronic communications.  

Business associate agreements must include specific provisions regarding the use of text messaging and email and delineate any privacy or security requirements of the covered entity.  

AMA Guidelines for Email and Text

Here are the AMA’s specific guidelines regarding electronic patient communications. These standard practices help to ensure day-to-day compliance and ethical, responsible patient care. 

Physicians who choose to communicate electronically with patients should: 

(a) Uphold professional standards of confidentiality and protection of privacy, security, and integrity of patient information. 

(b) Notify the patient of the inherent limitations of electronic communication, including possible breach of privacy or confidentiality, difficulty in validating the identity of the parties, and possible delays in response. 

Such disclaimers do not absolve physicians of responsibility to protect the patient’s interests. Patients should have the opportunity to accept or decline electronic communication before privileged information is transmitted. The patient’s decision to accept or decline email communication containing privileged information should be documented in the medical record. 

(c) Advise the patient of the limitations of these channels when a patient initiates electronic communication. 

(d) Obtain the patient’s consent to continue electronic communication when a patient initiates electronic communication. 

(e) Present medical information in a manner that meets professional standards. Diagnostic or therapeutic services must conform to accepted clinical standards. 

(f) Be aware of relevant laws that determine when a patient-physician relationship has been established.  

For Providers and Their Patients, a Big Leap Forward

Healthcare professionals should welcome the AMA’s efforts to advance communications between patients and their providers. Text and email can be used to improve the patient experience, inform patients of their rights, remind them of important appointments, deliver treatment plans, follow up with recommendations, and even establish a lifeline between patients and physicians. 

Today’s patients appreciate and deserve the opportunity to communicate with providers using a variety of methods. The AMA’s recognition of this fact, and the framework it has provided for healthcare-related electronic communications, is a major win for all involved.

---

Editor's Note: This article previously appeared on the Ontario Systems Blog and is republished here with permission.