I recently wrote about email and text guidelines the American Medical Association (AMA) set forth to help healthcare providers ensure their electronic communications comply with the Health Insurance Portability and Accountability Act (HIPAA). Thanks to this roadmap, and current available technologies, providers and their business associates have what they need to email and text patients legally and responsibly when Protected Health Information (PHI) is at stake.
Today, I’m going to discuss HIPAA compliance more in depth—specifically, as defined and determined by the HIPAA Privacy Rule, the HIPAA Security Rule, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Each of these contributes to the pool of regulatory requirements controlling the exchange of PHI via electronic communications.
Understanding how these regulations (collectively referred to herein as “HIPAA requirements”) impact text and email communications is your first step toward launching a HIPAA-compliant text and email communication program.
First Things First: A Brief HIPAA Breakdown
Before we launch into our five-step dive, here’s a quick primer on how HIPAA requirements have evolved and expanded since 2000.
HHS Privacy Rule
Health and Human Services (HHS) published a final Privacy Rule in December 2000, which was later modified in August 2002. This rule set national standards for the protection of individually identifiable PHI by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
HHS Security Rule
HHS published a final Security Rule in February 2003. This rule sets national standards for protecting the confidentiality, integrity, and availability of electronic PHI. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
HHS Enforcement Rule
The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.
HHS Breach Notification Rule
Under certain circumstances, the HHS Breach Notification Rule requires covered entities and business associates to report PHI breaches to HHS and to the affected individuals. HHS later enacted a final Omnibus Rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for PHI established under HIPAA, thereby finalizing the Breach Notification Rule.
Now, Let’s Dive Into the HIPAA Requirements
These are five of the most important aspects of HIPAA as it pertains to email and text. If you’re considering using electronic communications to engage patients for any reason, these bottom-line takeaways should be top of mind.
Step #1: Relationships Matter
The HIPAA requirements for text and email communications differ depending on the relationship between the texting or emailing parties.
While all electronic communications sent from a covered entity or business associate to a patient must be secure, communications from the patient to the covered entity or business associate need not be. This is because HIPAA does not hold covered entities and business associates legally responsible for the encryption of PHI that a patient sends to them.
Nevertheless, the covered entity or business associate still bears some responsibility regarding email and text communications received from a patient (see Step #2).
Step #2: Consumer Warnings Matter
As I mentioned in my previous blog post, providers and business associates who offer patients an opportunity to communicate electronically using a text or email service must warn consumers about the insecurity of the communication platform.
According to the AMA’s guidelines related to HIPAA requirements for communications between provider/business associate and patient, when communicating with patients electronically, the provider/business associate must also inform patients of:
- The inherent limitations of electronic communication, including possible breach of privacy or confidentiality issues; and
- The difficulty in verifying the identity of the parties when texting or emailing and the potential impact of delayed responses.
The provider/business associate should also provide patients with an opportunity to accept or decline electronic communication before privileged information is transmitted, and they should document the patient’s decision to accept or decline the opportunity.
Lastly, the provider/business associate should take steps to help the patient understand that any texts or emails he or she might send the provider/business associate are not secure and may be subject to intrusion, hacking, and identity theft.
Step #3: Patient Expectations Matter
The HIPAA requirements are not prescriptive with regard to text and email communications. Rather, they expect covered entities and business associates to meet patients’ expectations within reason.
For example, if a patient demands the medical collection agency email a copy of his or her statement to a Gmail address and the collection agency has absolutely no process in place to email patients, HIPAA would not require the medical collection agency to accommodate the patient by implementing an email communication system.
On the other hand, if a patient indicates that he or she does not want the medical collection agency to leave voicemail messages on his or her cell phone and would prefer to receive texts instead (assuming the agency has a text message program in place), HIPAA would require the medical collection agency to stop leaving voicemail messages and to restrict its communications with that patient to text.
Step #4: Playground Rules Don’t Matter
Covered entities and their business associates often ask whether they can interpret a patient’s unsolicited email or text as consent to electronic communications.
The assumption behind the question is best reflected in the familiar line, “Well, they started it.” While this may work as a playground rule, it fails under the HIPAA requirements.
Parties who wish to communicate with patients electronically must obtain the patient’s consent to continue using the particular form of electronic communication, even when a patient initiates the text or the email.
Step #5: Encryption Matters
Email and text communications are inherently insecure; they’re not secured by default, and they’re easy to hack.
An individual’s email account can easily be accessed by a third party if a weak or easy-to-guess password is used for the email account. A provider’s email system is also vulnerable to attack if the organization does not use two-factor authentication and other simple controls such as passwords and screen time-outs.
Because all consumer-grade email platforms and texting programs are known to be insecure means of communication, their use for professional purposes may be considered in itself a breach of the HIPAA requirements.
The HIPAA Security Rule §164.312(e) requires covered entities and their business associates to consider the encryption of communications as an Addressable Implementation Specification. This is a defined term under the HIPAA Security Rule: an addressable specification must be implemented when doing so is reasonable and appropriate; otherwise the entity must document why it is not and, where reasonable and appropriate, implement an equivalent alternative measure. Providers and their business associates must comply with this rule when contemplating the use of electronic communications.
HIPAA Is Complex, but Email and Text Needn’t Be
Technologies that can secure text and email communications as required by HIPAA are readily available today. In fact, providers have a range of options that are designed for this very purpose and perform their job well.
Once you understand what HIPAA requires and have the right tools in place, electronic communications will become less of an ongoing concern and more of an asset—a major advantage, in fact—for your operations and your business. Frankly, you’ll wonder how you ever got along without them.
Editor's Note: This article previously appeared on the Ontario Systems Blog and is republished here with permission.