
Avoid Text and Email PHI Breach Risk With Three Key Tips


You may be accustomed to hearing about the massive PHI breaches that affect large healthcare systems, but they aren’t the only HIPAA violations that occur. In reality, small breaches take place every day, often involving texts or emails that aren’t sent securely or that end up going to the wrong place.

Communicating with patients over text or email may make life easy, and can be completely safe if you follow a few key tips. Avoid a PHI breach at your practice with three essential strategies.

1. Avoid PHI in Email Subject Lines

If you use email to communicate with patients, it’s very important to ensure that those emails are encrypted. If you send attachments over email, those must also be encrypted. But one thing that often cannot be encrypted — even if you’re using third-party encryption software — is the email subject line.

Therefore, you should never place protected health information in the subject line of your email. Instead, you should use a term in the subject line that lets patients know that the email is encrypted, such as “Secure mail” or “Encrypted email.” Your third-party service may tell you a specific term to use in the subject line to ensure that the emails are indeed encrypted.

You should also have signed business associate agreements in place with your email providers and with any third-party software providers that you’ll be working with to encrypt your emails. Patients should also sign authorizations allowing you to communicate with them via email.

2. Encrypt Your Texts

Many practices believe that it’s impossible to encrypt texts, but you actually can do this if you use third-party apps. These software options allow you to enable text encryption, but it is up to your practice to ensure that the apps are HIPAA-compliant. If a breach is discovered, the ensuing penalties will fall on your practice and not the app maker.

Have patients sign authorizations allowing you to text them, and send a sample text to confirm you’ve got the right number. In addition, you must give patients a way to disable texts from you at any time, typically by texting the word STOP to your practice.

3. Use the Patient Portal

Outside of face-to-face conversations or phone calls, the safest way to communicate with patients is through the patient portal. Not only is it secure and encrypted, but it also ensures that those communications are integrated into the medical record, so you don’t have to worry about recording the information in the patient’s record after the fact.

Ensure that your texts and emails are completely HIPAA-compliant so you can avoid penalties and fines.

