Press Enter to Search
Healthcare providers remain skittish when it comes to email or text communications, and their reluctance is understandable.
Historically, both email and text messages were considered inherently unsecure modes of communication. In addition, many healthcare providers and business associates believe the Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy and Security Rule’s restrictions on the use, transfer, and storage of demographic data and Protected Health Information (PHI) make email and text messaging far too risky.
In response to the concerns of the healthcare community as well as the financial services industry—which has similar needs to protect the confidentiality of personally identifiable information—the cellular phone and internet industries have built safe, secure electronic communication platforms that secure information both in transit and at rest.
If email and text are used properly and with the controls required by the American Medical Association (AMA) to send electronic messages containing PHI, healthcare providers can now embrace these forms of patient communications.

AMA Requirements for Email and Text

As the AMA makes clear, HIPAA does not specifically prohibit sending PHI by text or email. However, it does require the electronic communication platform to include:
  • Safeguards to ensure the confidentiality of PHI at rest and in transit;
  • Controls for who can access PHI;
  • Permissions for what authorized personnel can do with PHI when they access it; and
  • Processes to prevent the interception of plain text messages.
Healthcare providers and business associates should exercise due diligence when selecting a text or email communication platform provider. At a minimum, they should require the provider to ensure its text or email platform can support the AMA’s four requirements of an electronic communication platform.
The AMA has further clarified its position on sending PHI by text or email in Section 2.3.1 of the AMA’s Code of Ethics. As this section makes clear, concerns remain about privacy and confidentiality when communicating and transmitting PHI electronically. Physicians must uphold the same ethical standards when communicating with patients electronically as they do during other clinical encounters. They must also ensure the method of communication—whether virtual, telephonic, or in person—is appropriate to the patient’s clinical need and to the information being conveyed.
While HHS and the Center for Medicare and Medicaid Services (CMS) do not prohibit healthcare providers and practitioners from communicating with their patients by text messages or email, healthcare providers and practitioners cannot disavow their responsibilities under the law, HIPAA, the HIPAA Privacy and Security Rule, or the AMA Code of Ethics by hiring a business associate to manage their electronic communications. 
Business associate agreements must include specific provisions regarding the use of text messaging and email and delineate any privacy or security requirements of the covered entity.
Are you ready to text? Do you fully understand the requirements and risks? Don’t miss my recent webinar, “HIPAA’s Take on Email and Text: What You Need to Know to Comply and Serve Patients Well.” You can access the free recording here.

AMA Guidelines for Email and Text

Here are the AMA’s specific guidelines regarding electronic patient communications. These standard practices help to ensure day-to-day compliance and ethical, responsible patient care.
Physicians who choose to communicate electronically with patients should:
(a) Uphold professional standards of confidentiality and protection of privacy, security, and integrity of patient information.
(b) Notify the patient of the inherent limitations of electronic communication, including possible breach of privacy or confidentiality, difficulty in validating the identity of the parties, and possible delays in response.
Such disclaimers do not absolve physicians of responsibility to protect the patient’s interests. Patients should have the opportunity to accept or decline electronic communication before privileged information is transmitted. The patient’s decision to accept or decline email communication containing privileged information should be documented in the medical record.
(c) Advise the patient of the limitations of these channels when a patient initiates electronic communication.
(d) Obtain the patient’s consent to continue electronic communication when a patient initiates electronic communication.
(e) Present medical information in a manner that meets professional standards. Diagnostic or therapeutic services must conform to accepted clinical standards.
(f) Be aware of relevant laws that determine when a patient-physician relationship has been established.

For Providers and Their Patients, a Big Leap Forward

Healthcare professionals should welcome the AMA’s efforts to advance communications between patients and their providers. Text and email can be used to improve the patient experience, inform patients of their rights, remind them of important appointments, deliver treatment plans, follow up with recommendations, and even establish a lifeline between patients and physicians.
Today’s patients appreciate and deserve the opportunity to communicate with providers using a variety of methods. The AMA’s recognition of this fact, and the framework it has provided for healthcare-related electronic communications, is a major win for all involved.

Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

Info and Insights You Won't Want to Miss

Here on the OS Blog, we aim to give you just the right mix of high-level views, tactics, and tools you can use to optimize your collection operations and results. Subscribe today for a steady stream of practical, empowering content delivered to your inbox weekly.

Are You Ready to Text?

Take charge of compliance and start texting with confidence. This free eBook explains how.

Posted by Rozanne Andersen

Rozanne Andersen, J.D., serves as Ontario Systems’ Vice President and Chief Compliance Officer. She is responsible for leading Ontario Systems’ corporate efforts and response to the CFPB’s launch of compliance examinations in the ARM industry. Rozanne's advocacy work on behalf of the credit and collection industry has resulted in landmark legislation and regulation at both the state level and the federal level with regard to the FDCPA, FCRA and HIPAA. In 2020, Rozanne was named Chief Compliance Officer of the Year (Large Company) by the international Women in Compliance Network.
All Posts