How to ensure that EHR communications are HIPAA compliant
While HIPAA does not prohibit communication in the form of email and text messaging, there are certain precautions that must be followed to ensure compliance and patient privacy. The Department of Health and Human Services states that “the Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”
Because any protected health information sent this way becomes electronic protected health information (ePHI), the same message also has to satisfy the technical safeguards in the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C; the Privacy Rule sets the permission to communicate electronically, and the Security Rule sets the standard for protecting the message itself.
Under the Privacy Rule, a patient can request that a provider communicate with him by an alternative means, including email. If unencrypted email isn't sufficient, the provider should offer alternatives such as mail, telephone, or encrypted messaging. If a patient initiates contact by email, the provider can assume email is acceptable unless told otherwise. Providers should keep in mind that email security cannot be guaranteed once a message leaves the server, and a patient can share information he receives as he chooses.
The patient must consent to contact by email or text messaging and be informed of the privacy risks. Many practices use a written consent form, including a security disclaimer, which can be kept in the patient's medical record for ongoing consent.
In EHR patient portals, where much electronic communication occurs, systems should force password updates at regular intervals and log users out automatically after a period of inactivity, in line with the HIPAA Security Rule's technical safeguards, in order to ensure EHR security.:
HIPAA security best practices for EHR messaging
Reasonable safeguards to keep your EHR patient portal HIPAA-compliant include:
- Avoidance of unintentional disclosures: The provider must check and re-check an email address or phone number for accuracy. Additionally, they may send an email alert to the patient before sending a message.
- Limiting the amount or type of information disclosed: Identifying information should not be used in a subject line of an email. Limit this information in the body of the message as well. These include the patient name, initials, record number, birth date, Social Security number, address, phone number, insurance information, dates of service, and photographs of the face. Additionally, sensitive medical information should not be sent via email. This includes certain diagnoses such as HIV/AIDS, mental health disorders, substance use disorders, and abuse.
- Including a privacy disclaimer: In emails, there should be a patient privacy disclaimer at the bottom of all communications. This may appear as: The information contained in this communication may contain confidential and private information, which is protected by HIPAA. This message is only intended for the person named above. If you are not the intended recipient, please inform the sender by email and destroy any copies of the original message. The review, duplication and/or distribution of this information is strictly prohibited.
Final thoughts
Providers must be careful about what information is sent electronically. Remember that this communication, and any patient data included in it, is part of their medical record.
Any type of personal or sensitive information should be left for in-person, telephone or written communication in order to ensure privacy and confidentiality.
HHS proposed updates to the HIPAA Security Rule in January 2025 to strengthen ePHI cybersecurity requirements, so practices should revisit their email and portal messaging safeguards periodically to confirm they still meet current HIPAA requirements.
Free white paper
EHR Vendor Directory
Get the most up-to-date directory of EHR software vendors. Find the best software for your practice.
Related articles
-
The important features of EHR in HIPAA compliant medical billing
Gaining HIPAA compliance in your medical billing can be challenge, but the correct EHR can make t...
-
Introducing "Actions": The AI-Powered Tool That’s Transforming Primary Care Workflows
70% of clinicians are reporting better focus & engagement with their patients thanks to Elation H...
-
How to conduct a thorough EHR audit
When to conduct an EHR audit, and what your practice should bear in mind whilst doing so