Updated May 20, 2019
Sending texts and emails is a part of everyday life. Most organizations use one or both to communicate inside the organization and with clients. But when you handle electronic protected health information (ePHI), texting and emailing may be risky.
Regardless, 73% of healthcare professionals use text messaging to send ePHI, and 98% rely on email to communicate internally and externally. Texts and emails are easy and convenient, but are they legal?
Is Texting/Emailing Patient Information Ever OK?
Texting or emailing patient information is a legal gray area in many cases. HIPAA requires you to securely transmit and store ePHI, and texts/emails are often unsecured. However, there’s a loophole. You can text or email patient information if you gain the patient’s consent.
As a HIPAA covered organization or business associate, you must enter into an agreement with the patient whose data will be transmitted. To establish mutual consent, you must:
- Inform the patient of the security risks of texting/emailing and recommend a secure option
- Obtain the patient’s written consent to unsecured communication
- Keep record of all “mutual consent” cases, including the content of the risk warnings and the patient’s written approval
Be careful when using this loophole. Seek the advice of an attorney well versed in HIPAA before sending any unsecured texts or emails.
When you conduct a risk analysis, you must take into account all ePHI, including ePHI sent via text or email. Your risk analysis should consider:
- What ePHI is being transmitted
- How the ePHI is being transmitted
- Which devices are permitted to send ePHI
Furthermore, if your organization has a Bring Your Own Device (BYOD) policy, and employees use their personal devices to send ePHI, you must take note of these devices.
A risk analysis is supposed to bring to light any situation that threatens the security and privacy of ePHI. Using text and email might increase your risk. However, there are many secure messaging alternatives on the market, so you can easily avoid a potential compromise.
However, The Centers for Medicare & Medicaid Services (CMS) and The Joint Commission forbid healthcare providers to text patient orders. Why? CMS considers texting patient orders to be out of compliance with several Conditions of Participation and Conditions of Coverage, namely the retention of record and content of record requirements.
If your organization participates in Medicare, you must maintain records in their original or legally reproduced form. You can’t record or reproduce texts in the same way as other communication. Furthermore, other messaging platforms also struggle with this requirement. Make sure the system you use meets both HIPAA and CMS standards.