HIPAA Rules for Texting or Emailing Your Patients

Highlights

• Patient communication is governed by HIPAA regulations.
• Emailing and texting are allowed under HIPAA with specific precautions.
• An integrated chiropractic EHR system like ChiroTouch can make all aspects of running a chiropractic practice easier, including patient communication.

In the digital age, correspondence with patients is less rigid than it used to be. You may find that some patients prefer more convenient methods of communication, such as texting or email, rather than phone calls.

While it’s good business practice to respect patient preference, you need to be sure you understand Health Insurance Portability and Accountability Act (HIPAA) regulations for communication with patients.

In this article, we’ll discuss how to respect your patients’ communication preferences while also complying with HIPAA guidelines for protected health information (PHI).

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 is a federal statute outlining the national standards for protecting patients’ health information. The act seeks to prevent sensitive patient data from being disclosed without the patient’s knowledge or consent.

In the United States, all medical practitioners are responsible for compliance with HIPAA guidelines.

Consequences for HIPAA Noncompliance

If you have employees at your practice, you must document their training in HIPAA compliance to prevent disputes over whether a lack of training resulted in a violation.

Action taken against you for a HIPAA noncompliance will depend on:

• The nature of the HIPAA violation
• Whether the violation was willful or there was malicious intent
• Whether you took action to correct the violation
• The level of harm the breach caused
• How many people were impacted by the violation
• Whether it was a violation of HIPAA’s criminal provision

Healthcare practices should not take HIPAA guidelines lightly, as the consequences for noncompliance are severe. In some cases, an employer may deal with a violation internally, or you may be terminated from the practice.

For willful violation of HIPAA guidelines, the minimum fine is $50,000, a devastating amount of money for some practices. The maximum criminal penalty is $250,000, but restitution may also need to be paid to the victims whose rights were violated.

Criminal violations of HIPAA can also result in jail time.

Is Texting Your Patients Allowed Under HIPAA Guidelines?

It’s a common misbelief that texting information to a patient is a violation of HIPAA regulations. While the complex language does cover the dissemination of information electronically, texting isn’t explicitly covered in the Policy and Security Rules.

Under HIPAA Guidelines, texting is allowed with certain provisions. It is permissible to send information via text message as long as the message doesn’t include direct personal identifiers.

The practitioner must inform the patient of all risks of allowing text messages containing potentially personal information and having them stored in their phone. Healthcare professionals should also meet the minimum necessary standards for disclosure.

Practices must implement technical safeguards to help ensure patient privacy.

The requirements include:

• PHI access is limited to those users who require information to do their jobs.
• A PHI monitoring system is necessary to view the activity of authorized users, with an identity authentication protocol in place. The authentication should have unique usernames for each user.
• Authorized users must adhere to policies regarding altering and destroying PHI.
• Data transmitted outside the internal firewall must be encrypted.

Healthcare practices can also use secure messaging solutions (SMS) to protect private communication sent to patients. SMS systems allow users to access information in a secure messaging app that prevents copying and pasting of encrypted data. SMS applications automatically log out users after a period of inactivity to protect their data.

What Are the HIPAA Rules for Emailing Patients?

Under the Privacy Rule (45 C.F.R. § 164.522(b)), patients have the right to request an alternate form of communication from their healthcare provider, and some may want you to specifically communicate via email.

If email is reasonable for the communication that needs to take place, HIPAA allows you to use it. But you cannot send unencrypted emails containing confidential patient information, regardless of what the patient agrees to.

Emails can be HIPAA-compliant if your practice puts measures in place to secure the communications.

While you can send emails containing PHI internally on an email network with the necessary firewall, corresponding with patients externally is more complex. If you are sending electronic PHI (ePHI) outside the internal network, your emails need to be secured during transit.

HIPAA rules require the healthcare entity to implement:

• Access controls
• Audit controls
• Integrity controls
• ID authentication
• Transmission security

With these protections in place, your practice can ensure 100% message accountability, restrict access to PHI, and protect PHI from unauthorized interceptions.

While encryption of your emails is not always mandatory, it’s up to you to determine the level of risk associated with the email exchange and what sort of information is contained in the interaction. Encryption becomes complicated because there is no HIPAA standard for what encryption method is secure.

While it’s appropriate to use email communication with patients, you must take the necessary precautions to protect yourself and ePHI under HIPAA.

If a patient sends you an email, you can assume that they are open to your responding via email, but you should warn them about the risks of sending PHI electronically. Then let the patient decide if they are comfortable continuing with email communication.

Effective Communication With Patients Is Easier With an Integrated EHR System

An electronic health record (EHR) is a digital format allowing the practitioner to maintain patient records. The integrated software has quickly become the central location for charting, communication, and record-keeping.

ChiroTouch, the cloud standard in chiropractic EHR, was designed specifically for chiropractic practices. We have over 20 years of experience in the field and have designed our software with chiropractors in mind.

Our integrated chiropractic EHR system allows practitioners to:

• Schedule appointments
• Manage insurance
• Take and process payments
• Make SOAP notes and chart quickly

CT Engage Makes Patient Communication Even Easier

What’s more, ChiroTouch makes communicating with your patients even more convenient with CT Engage, our patient communication tool.

CT Engage is a powerful way to engage and retain patients, set up recall and marketing campaigns, send appointment reminders and confirmations, and much more.

With CT Engage, you can communicate with patients the way they prefer to be contacted, via text or email, quickly and seamlessly from within the ChiroTouch software.It offers both two-way and broadcast texting, letting you send texts to individual patients, small groups, or even all of your patients at once.

Email features include customizable and prebuilt templates, the ability to schedule email campaigns and upload files, and more.

CT Engage also has reputation management tools, such as automated requests for reviews and feedback from your patients and the ability to monitor your reviews and patient satisfaction metrics. CT Engage is what busy practices need to stay on top of patient engagement and retention, both of which increase your practice revenue and build trust with your patients.

Stay Compliant and Provide a Memorable Patient Experience

Your practice needs to stay up-to-date with the latest systems and technology to deliver the best possible care to patients. Part of that is ensuring your practice is equipped with the most trusted, fully integrated EHR chiropractic software system — ChiroTouch, the cloud standard.

By streamlining your scheduling, charting, payment processing, and more in one location, you’ll have more time to dedicate to your patients’ care and improve communication.