Remaining HIPAA Compliant While Utilizing Electronic Communication in Healthcare
Technological advancements in electronic communication, primarily emails and SMS (Short
Message Service) text messages, have not only changed the way communications are received,
but how business is done. From major corporations to small companies, emails and text
messages have innovated marketing in industries across the board. Healthcare providers are
now turning to these forms of communication as a way not only to remind their patients of
upcoming appointments, but to engage in research studies, medical condition management and
advertising. With healthcare’s growing integration of text messaging and emails in their services,
there has also been concern of HIPAA (Health Insurance Portability and Accountability Act)
Privacy Rule compliance. In the following document HIPAA compliance in relation to these
forms of communication (email and text messaging) will be discussed.
What is HIPAA?
HIPAA or the Health Insurance Portability and Accountability Act was enacted in 1996 by
Congress to provide individuals security for the privacy of their health information and limit the
opportunities for this information to be unnecessarily disclosed. The rules cover PHI (Protected
Health Information) which includes:
The person’s physical/mental health condition currently, in the past or in the future.
The person’s current, past and future healthcare payment amount and type.
Any identifying information such as name, date of birth, Social Security and address.
How is HIPAA compliance maintained?
To maintain HIPAA compliance healthcare providers must uphold certain best practices to
safeguard PHI, such as:
Limit who can view and access PHI as well as have in place protocols and programs to
protect the information.
Engage in administrative, technical and physical best practices to limit information
disclosure.
What does this mean for electronic communication?
When HIPAA was created in 1996, electronic communication was not as common as it has
become over a decade later. The original act was not created with these forms of
communication in mind and has not been modified to distinctly reflect these trends since. As
these mediums rise in popularity, a certain level of ambiguity still remains when discussing
HIPAA’s position on this subject, and the matter is still in many cases left to the provider’s
discretion and best judgment. That being said, precautions still need to be upheld to protect the individual and
fulfill basic HIPAA regulations.
Under the Privacy Rule, individuals have the right to approve or deny a health care provider’s
alternative communication method (i.e. email and text messaging). If an individual (patient)
initiates the communication with the provider through electronic means, the provider can
assume that electronic communications are acceptable to the individual. The provider also has
the right to inform the individual of the possible risks of electronic communication and let them
decide whether or not to continue receiving them.
The key in both situations is to limit risk of sensitive PHI being released. Providers need to
protect themselves by 1) limiting the amount of PHI in the message, 2) confirming the phone
number or email of the individual, and 3) encrypting the data if possible.
Both emails and text messages pose the risk of having the message sent to the wrong
person or intercepted while en route. Phone numbers and emails should always be
confirmed before any PHI is sent. While encryption seems like an ideal way to ensure privacy,
newer iPhones and Android smart phone devices do not support encrypted text messages and
third party applications may need to be enabled for individuals to receive encrypted emails.
Privacy statements should be included informing the recipient of the potential risk of email or
text message communication and who to contact if this message was sent to the wrong address
or number.
For more information visit http://www.callfire.com