Is your communication with patients HIPAA-compliant?

May 21, 2018

Increasingly, patients are looking for fast, easy ways to communicate with their allergists – and for their allergists to communicate with them. Email, texts and patient portals are in, and long waits on hold via phone are out. But are you sure you’re using these technologies in a HIPAA-compliant manner? The good news is that HIPAA doesn’t prohibit the use of email or texts – but it does require that you put safeguards in place when using them. Here’s what you need to know:

Patient Portals

  • This is the gold standard for communicating with patients electronically. Portals are HIPAA-compliant, patient information is secure, and all communication is documented in your EHR. Using a patient portal is your best option to communicate safely with patients.
  • If you have a patient portal, encourage all patients to sign up at registration. Let them know it’s the fastest and best way to communicate with your office.

Email

  • Regular email is not secure; it’s possible that information included in an email can be intercepted and read by a third party.
  • However, if a patient initiates email communication with your office, you can assume email communication is acceptable to the patient (unless they specify otherwise). So, it’s HIPAA-compliant to email back – as long as you take steps to protect information shared over open networks.
    • Use in a limited fashion and avoid highly sensitive information.
    • Include a privacy statement in the body of the email. Here’s a sample statement, but we encourage you to check with your attorney before implementing a privacy statement: “This email, and any files or attachments transmitted with it, contains information that is confidential and proprietary. This information is intended only for the use of the individual(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing, or use of this information is strictly prohibited and possibly a violation of federal or state law. If you have received this information in error, please notify ABC Allergy & Asthma immediately at 111-111-1111 or via email to the sender.”
  • If you or your office initiates email communication to a patient, it must be encrypted.
    • Verify the patient’s address first (send a test email and request a reply).
    • Research your email system and determine how to send an encrypted message.
  • Don’t use internal practice email for patient care until you confirm it’s secure. If your internal email is cloud-based, or even if it’s server-based but staff accesses it on their phones, it is not secure. In most cases you are better off using your EHR for internal patient-related electronic communications, as it remains secure and part of the patient record.
  • Keep in mind that any email communication with patients is part of the medical record and must be scanned into the patient’s chart. For this reason alone, you may want to discourage regular email communication – and steer patients to your portal instead.

Texts

  • Regular texts are not secure. Office-initiated text communications to patients must be encrypted to be HIPAA-compliant. Several encrypted text-messaging services and apps are available to medical practices. Patients particularly like texts as an appointment reminder option, so consider a secure way of providing that.
  • Like email, if a patient somehow gets your cell phone number and initiates communication with your office via text, it’s HIPAA-compliant to text back. But it’s not encouraged! Texting is riskier than email, since phones are easy to lose or steal. And again, any texts related to patient care need to be added to the patient’s chart.
  • Bradley Dykstra, HIPAA Compliance Officer for Atlanta Allergy & Asthma, strongly discourages texting medical information. “If a text isn’t entered into the patient’s chart, it leaves the practice open to safety issues and medical malpractice risk. It allows the patient to go outside the norms of communication with the practice. Finally, giving patients your cell number creates another set of risks, opening providers up to getting texts at any time,” he explains.

For more information about HIPAA and other compliance requirements, check out our recently updated Risk and Compliance Toolkit. In this day and age, it can be tricky to communicate electronically with patients in a HIPAA-compliant manner. But if you follow our advice, you’ll keep your patients happy and their data secure.