by Tomi K. Hagan, Walter E. Johnson, and Frank Ruelas
HIPAA rules for unencrypted email and text messages
» Text or email communications may or may not fall under HIPAA provisions.
» Consider the Privacy Rule and Security Rule when communicating to patients by text or email.
» Patients have requirements to fulfill and options to consider when requesting to receive text or email communications.
» Covered entities have an option to send encrypted or unencrypted communications to patients.
» Common pitfalls exist for covered entities that communicate to patients by text or email.
Tomi K. Hagan (t hagan@QHR.com) is a Senior Consultant of Compliance at Quorum Health Resources in Brentwood, TN. Walter E. Johnson (w email@example.com) is the Director of Compliance and Ethics at Kforce Government Solutions, Inc. in Fairfax, VA. Frank Ruelas (f firstname.lastname@example.org) is a Facility Compliance Professional with Dignity Health in Phoenix, AZ.
At the 2017 HCCA Compliance Institute, representatives of the Office for Civil Rights (OCR) addressed an individual’s right to access his/her protected health information (PHI) and focused attention on a very important topic that compliance professionals would do well to become familiar with: the use of texting and emailing to patients. Specifically, this article focuses on the sending of unencrypted emails and text messages to individuals. As we explore the do’s and don’ts of the practice of texting and emailing in an unencrypted manner, we must first distinguish very clearly the nature of the message involved and its relevancy to the HIPAA Privacy and
Does the communication include PHI?
This may sound like a very basic and simple question, but it is one that, with a little thought, gives us cause to pause as we look into the use of email and texting and how these may or may not be related to the Health Insurance Portability and Accountability Act (HIPAA) regulations. For example, if the unencrypted emails and text messages do not contain PHI, then this essentially negates the HIPAA requirements, because if there is no PHI, then HIPAA would not apply.

This may sound somewhat easy and straightforward, but it may be a bit more involved when one considers how a message sent from a covered entity to an individual might be somewhat meaningless without any PHI involved. In addition to HIPAA, it is worth noting that the covered entity may have policies and procedures associated with the use of email and texting to individuals that the compliance professional (HIPAA