How to ensure that EHR communications are HIPAA compliant

While HIPAA does not prohibit communication in the form of email and text messaging, there are certain precautions that must be followed to ensure compliance and patient privacy. The Department of Health and Human Services states that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

Under the Privacy Rule, the patient has a right to request that a provider communicate with him under alternative means. This can include email. If an unencrypted email is not sufficient, the provider should offer other alternative means such as mail or telephone, or electronically with encrypted messaging. Additionally, if a patient initiates communication with her provider using email, the health care provider can assume that email communication is acceptable to the patient, unless he has otherwise indicated. Providers must realize that it is difficult for a provider to ensure security of an email once it leaves the server. Once a patient receives a piece of information, he can share this information as he pleases.

Recommended reading: find EHR vendors offering a high level of patient data security in their patient portals using our completely up-to-date EHR vendor directory

It is important that the patient give consent for contact by email or text messaging. They should be informed of any privacy issues. Many practices utilize a written consent form for electronic messaging, including a disclaimer regarding security risks for electronic messaging. Once a patient signs this form, it can be kept in his medical record for ongoing consent. In EHR patient portals, where much electronic communication occurs, systems should force updating passwords at regular intervals in order to ensure security.

Reasonable safeguards to keep electronic messaging using your EHR patient portal HIPAA-compliant include:

Avoidance of unintentional disclosures

The provider must check and re-check an email address or phone number for accuracy. Additionally, they may send an email alert to patient prior to sending a message.

Limiting the amount or type of information disclosed

Identifying information should not be used in a subject line of an email. Limit this information in the body of the message as well. These include the patient name, initials, record number, birth date, social security number, address, phone number, insurance information, dates of service, and photographs of the face. Additionally, sensitive medical information should not be sent via email. This includes certain diagnoses such as HIV/AIDS, mental health disorders, substance abuse and abuse.

Including a privacy disclaimer

In emails there should be a patient privacy disclaimer at the bottom of all communications. This may appear as: The information contained in this communication may contain confidential and private information, which is protected by HIPAA. This message is only intended for the name listed above. If you are not the intended recipient, please inform the sender by email and destroy any copies of the original message. The review, duplication and/or distribution of this information is strictly prohibited.

Providers must be careful about what information is sent electronically. Remember that this communication, and any patient data included in it, is part of their medical record. Any type of personal or sensitive information should be left for in person, telephone or written communication in order to ensure privacy and confidentiality.