Guidelines for Communicating with Patients via Text

Executive Summary 

Healthcare providers may communicate with patients through encrypted or secure messaging systems. They also may communicate with patients through text or emails if the patient accepts the risks of unencrypted communication. Providers need to be aware of guidelines regarding sending texts to patients and ensure that they follow them, particularly when it comes to protected health information. 

Recommended Actions  

• Consider utilizing an encrypted messaging system to communicate with patients and other providers. 
• If communicating via unsecured text or email, inform patients of the risk of unintentional disclosure of PHI to a third party and have the patient sign a consent form. 
•  If a patient sends a healthcare provider unsolicited PHI through text or email, respond via a secure messaging system or encryption; otherwise, the patient must have been previously accepted the risk of unencrypted communication. 

Can I text or email my patients? 

Yes, healthcare providers can communicate with patients via text messages, but only if: 

1. The communication is encrypted or sent via a secure messaging system, or 
2. The patient is warned beforehand regarding the risk associated with unencrypted communication and the patient still prefers to communicate via unsecured text or email. 

If a provider sends an email or text message that is encrypted or sent over a secure messaging system, such as a secure patient portal, the message may include protected health information (PHI). The Department of Health & Human Services (HHS), in its Guide to Privacy and Security of Electronic Health Information, points out that if a provider uses an EHR system certified under ONC’s 2014 Certification Rule, the EHR should have the capability to allow patients to communicate through a secure patient portal. However, patients may want information sent via text to their phone or personal email account, which is not secure or encrypted, rather than going to a portal. 

Patients have a right to receive communications (including PHI) from the provider by alternative means, such as email or text.1 However, it is incumbent upon the healthcare provider to inform the patient in writing of the risk of unintentional disclosure to a third party of PHI if sent in an unsecure manner. If the patient, after being informed of the risks, chooses to communicate via unsecured means, the patient has that right. This can be done by discussing these risks with the patient and having the patient sign a consent form acknowledging that he or she understands the risk. 

The HHS Office for Civil Rights (OCR) states that covered entities are not required to educate individuals about encryption and information security, but must notify the patient that there is a risk that the information in the email could be read by a third party. “If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request,” the guidelines state.2 

What if a patient sends an unsolicited text to me? 

When a patient initiates communication with a provider by email or text message, the provider can assume that email or text is an acceptable form of communication to the patient. A patient may send health information to a healthcare provider using an unsecure email or text. Once this health information is received by the provider, however, it becomes PHI. At that point the PHI must be safeguarded and any texts back to the patient must be sent via a secure messaging system, encrypted, or the patient must have been previously warned in writing of the risk, with supporting documentation that shows that the patient accepted the risk.  

Can I send texts regarding patient care to other healthcare providers? 

Yes, you can send PHI to other healthcare providers, but only if the information is sent via a secure messaging system or is encrypted. 

Can I text orders to members of the healthcare team? 

No, CMS and the Joint Commission explicitly prohibit healthcare providers from texting orders. In addition to the privacy and security concerns discussed above, there is concern that the information may be lost or compromised if it has to be manually entered into the medical record from a text message. Other healthcare providers will not have access to the order if it is not in the medical record, which could affect patient care. The medical record must contain all information upon which treatment decisions are based, and patients have the right to access this information pursuant to HIPAA. The recent CMS Memorandum can be found here. 

Lessons Learned  

• Before implementing a new patient communication platform, confirm that the system is encrypted, safe from cybersecurity attacks or otherwise offers protection for each communication.  
• Confirm that a patient had agreed and signed a consent form for disclosure before responding to an unsolicited email or text message containing PHI. 
• Maintain patient communications within patient records to ensure that all PHI and relevant health information is accessible for their treatment. 

Potential Damages 

Healthcare organizations that fail to send PHI through a safe and secure platform run the risk of HIPAA violations and face financial penalties. Although HIPAA violations for unsecure patient communications are relatively infrequent, violations can add up to costly expenses.