April 30, 2013

Question:

Jennifer,

With all of the new changes, am I allowed to communicate with my patients via email or cell phone?  What are the rules?  What about text message?

Thanks,
Dr. R

Answer:

Absolutely you are authorized under the HIPAA Rules (45 CFR Part 160, 164) to communicate with patients via email and on their cell phones, however, you are also required to ensure you are operating with proper administrative, technical and physical safeguards to protect those communications. What does this mean?  Other than being required to adopt a proper security policy and abiding by that document that specifies specific administrative, technical and physical safeguards, it is recommended that you receive written authorization from your patients to communicate with them by certain means.  I recommend confirming proper contact information with your patients, i.e., cell number and email, and being sure to confirm you are utilizing the right contact prior to communication via same.  You are also required to ensure proper protections - encryption, etc. when communicating.  Be sure to double check means you are utilizing to communicate are accessed solely by your patient.  If you are emailing a joint account, do not send protected health information to that account. 

Communicating patients via text message has not been explicitly authorized or prohibited.  So long as proper authorization is received and protections are in place, there is no reason why you may not utilize text message to relay appointment times, notification of availability of test results, etc.  However, be warned, do not let the informality of current technology relax your protective measures when dealing with protected health information.  Without proper protections, you should not be relaying protected health information.  Any access should be limited, password protected, encrypted and secure. 

Below is an FAQ from the Office for Civil Rights Website -


 

From the Office for Civil Rights Website -

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Answer:

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.