Emailing and Texting Under HIPAA

April 2025 | HIPAA

Email and text messaging have become integral to healthcare operations. Whether sending lab results, appointment reminders, or communicating with patients and staff, electronic messaging has become commonplace and expected. However, healthcare providers must still exercise caution when it comes to electronic messaging. Specifically, these communications must comply with the Health Insurance Portability and Accountability Act (HIPAA). Emailing or texting without proper safeguards can result in serious legal and financial consequences.

HIPAA Requirements

HIPAA imposes strict privacy and security requirements to keep protected health information (PHI) secure. HIPAA regulations are primarily governed by two key components: the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for the use and disclosure of PHI by covered entities and business associates, restricting the sharing of PHI without patient consent and requiring organizations to implement policies that protect patient privacy. The Security Rule focuses specifically on electronic PHI (ePHI), setting forth administrative, physical, and technical safeguards such as encryption, secure access controls, audit trails, and regular risk assessments to prevent unauthorized access, data breaches, and loss of sensitive information.

Electronic Messaging and HIPAA

Email and texting are not inherently noncompliant with HIPAA; however, healthcare providers can run afoul of HIPAA if they are not careful. Common risks associated with electronic communication include unencrypted messages that may be intercepted during transmission, lost or stolen mobile devices containing unsecured access to PHI, and accidental disclosures to unintended recipients. Additionally, messages sent over unsecured networks, such as public Wi-Fi, are vulnerable to unauthorized access. Sending a message to the wrong patient or transmitting PHI without encryption can lead to HIPAA breach investigations, substantial financial penalties, and reputational harm.

Only text messages sent by a covered entity or a business associate acting on their behalf can potentially violate HIPAA. However, before concluding that a text message breaches HIPAA, it is important to assess the content to determine if it includes PHI. For instance, sending appointment reminders via text is generally permitted as long as the message does not include health, treatment, or payment details, and any identifying information is kept in a separate dataset.

Even if a covered entity or business associate has implemented all necessary safeguards to ensure HIPAA-compliant email communications, they must still adhere to the breach notification requirements. Notifications must be sent via first-class mail unless the individual has specifically consented to receive electronic notifications. If an individual has opted in to receive email communications, the consent document should clearly state that the consent includes electronic notifications. Failing to include this language or sending notification emails to individuals who have not consented could be considered a HIPAA violation.

What If The Patient Initiates Contact Through Electronic Messaging?

Sometimes, a patient might electronically message a healthcare entity. The rules governing emails and texts apply to communications sent by a covered entity to patients, not the other way around. If a patient sends health information via unsecured email or text, that information only becomes protected under HIPAA once the covered entity receives it. Additionally, if a patient initiates communication with a provider via email, the provider can generally assume that email is an acceptable method unless the patient indicates otherwise. If the provider is concerned about the risks of unencrypted email or potential liability, they can inform the patient about these risks and allow the patient to decide whether to proceed.

How To Ensure HIPAA Compliance With Electronic Messaging

Electronic messaging can be compliant with HIPAA. It is important to have policies and procedures in place to ensure that your organization's electronic messaging does not violate HIPAA.

Healthcare organizations must establish clear guidelines regarding electronic communication. These policies should address the acceptable use of electronic messaging within the organization and the security measures that must be in place. The organization should also set clear expectations for how staff should respond to patient requests for secure communications, specifying that patients can opt for more secure methods, such as encrypted emails, patient portals, or phone calls, if they are concerned about the security of email or text messages. The protocols should include specific steps for handling any breaches.

Before communicating with patients via text or email, it is essential to obtain their written consent. This consent should outline the types of information that may be shared. The consent form should provide the patient with the option to opt out of electronic communications at any time and include instructions on how to do so.

Protect ePHI by encrypting it or using other appropriate security measures. It is essential to choose communication methods that comply with the Security Rule, such as email systems that encrypt messages or patient portals requiring secure logins.

If the communication method is not secure or the ePHI is not encrypted, a covered entity may still use email or text to communicate with patients, but it must first inform the patient. The covered entity only needs to notify the patient that there is some risk of unauthorized access by a third party. If the patient acknowledges the risk and still chooses unencrypted email, the covered entity is not liable for unauthorized access during transmission based on the patient's request.

It is crucial to document requests for confidential communications and authorizations for otherwise prohibited disclosures of PHI via text and to keep that documentation current. Failing to track the status of these requests and authorizations could lead to a workforce member unintentionally violating HIPAA by texting after a request has been modified or an authorization revoked.

Contact a HIPAA Compliance Attorney

Text and email communications with patients will be an integral part of medical practice from now on. However, electronic messaging can raise concerns with healthcare providers about HIPAA compliance. Consulting with a HIPAA compliance attorney can provide valuable guidance and support. They can help you understand the specific requirements for protecting patient information, advise on permissible communications, and ensure your practices align with federal regulations to minimize the risk of violations.