Can I Text or Email Patient Information?


Updated May 20, 2019

Sending texts and emails is a part of everyday life. Most organizations use one or both to communicate inside the organization and with clients. But when you handle electronic protected health information (ePHI), texting and emailing may be risky.

Regardless, 73% of healthcare professionals use text messaging to send ePHI, and 98% rely on email to communicate internally and externally. Texts and emails are easy and convenient, but are they legal?

Is Texting/Emailing Patient Information Ever OK?

Texting or emailing patient information is a legal gray area in many cases. The HIPAA Security Rule requires you to safeguard ePHI both in transit and at rest, and ordinary texts and emails are usually neither encrypted end to end nor access-controlled once they leave your systems. There is one recognized exception: you can text or email a patient their own information over an unsecured channel if the patient, after being told of the risks, still asks for it.

As a HIPAA covered entity or business associate, you must establish and document that choice with the patient whose data will be transmitted. To establish mutual consent, you must:

  • Inform the patient of the security risks of texting/emailing (interception, misdelivery, copies retained on carrier and mail-provider servers) and recommend a secure option
  • Obtain the patient’s written consent to unsecured communication
  • Keep a record of every “mutual consent” case, including the content of the risk warning and the patient’s written approval

Be careful when relying on this exception: it covers messages the patient has asked to receive this way, not unsecured messaging in general. Seek the advice of an attorney well versed in HIPAA before sending any unsecured texts or emails.

Risk Analysis

When you conduct a risk analysis, you must take into account all ePHI, including ePHI sent via text or email. Your risk analysis should consider:

  • What ePHI is being transmitted
  • How the ePHI is being transmitted
  • Which devices are permitted to send ePHI

Furthermore, if your organization has a Bring Your Own Device (BYOD) policy and employees use their personal devices to send ePHI, those devices must be inventoried and included in the risk analysis like any other endpoint that handles ePHI.

A risk analysis is supposed to bring to light any situation that threatens the security and privacy of ePHI. Using ordinary text and email increases that risk. There are many secure messaging alternatives on the market, so moving to one is usually a straightforward way to remove the exposure.

Texting Patient Orders

The Centers for Medicare & Medicaid Services (CMS) and The Joint Commission forbid healthcare providers from texting patient orders. Why? CMS considers texting patient orders to be out of compliance with several Conditions of Participation and Conditions of Coverage, namely the record retention and content-of-record requirements.

If your organization participates in Medicare, you must maintain records in their original or legally reproduced form. Texts can’t be captured and reproduced the way other communications can, and many messaging platforms struggle with this requirement as well. Make sure any system you use meets both HIPAA and CMS standards.
