Can I Text My Patients? FAQs – Emails and Texts

By Carrie Lowe, JD

2018 Alliance sponsor feature article courtesy of MagMutual

Can I text or email my patients?

Yes, healthcare providers can communicate with patients via text messages, but only if:

1. The communication is encrypted or sent via a secure messaging system, or
2. The patient is warned beforehand regarding the risk associated with unencrypted communication and the patient still prefers to communicate via unsecured text or email.

If a provider sends an email or text message that is encrypted or sent over a secure messaging system, such as a secure patient portal, the message may include protected health information (PHI). The Department of Health & Human Services (HHS), in its Guide to Privacy and Security of Electronic Health Information, points out that if a provider uses an EHR system that is certified under ONC’s 2014 Certification Rule, the EHR should have the capability to allow patients to communicate through a secure patient portal. However, patients may want information sent via text to their phone or personal email account, which is not secure or encrypted, rather than going to a portal.

Patients have a right to receive communications (including PHI) from the provider by alternative means, such as email or text.[i] However, it is incumbent upon the healthcare provider to inform the patient, in writing, of the risk of unintentional disclosure to a third party of PHI if sent in an unsecure manner. If the patient, after being informed of the risks, chooses to communicate via unsecured means, the patient has that right. This can be done by discussing these risks with the patient and having the patient sign a consent form acknowledging that he or she understands the risk.

In the Final Omnibus Rule, the HHS Office for Civil Rights (OCR) states that covered entities are not required to educate individuals about encryption and information security, but must notify the patient that there is a risk that the information in the email could be read by a third party. “If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.” [ii]

What if a patient sends an unsolicited text to me?

When a patient initiates communication with a provider by email or a text message, the provider can assume that email or text is an acceptable form of communication to the patient. A patient may send health information to a healthcare provider using an unsecure email or text. Once this health information is received by the provider, however, it becomes PHI. At that point the PHI must be safeguarded and any texts back to the patient must be sent via a secure messaging system, encrypted, or the patient must have been previously warned in writing of the risk, with supporting documentation that shows that the patient accepted the risk.

Can I send texts regarding patient care to other healthcare providers?

Yes, you can send PHI to other healthcare providers, but only if the information is sent via a secure messaging system or is encrypted.

Can I text orders to members of the healthcare team?

No, CMS and the Joint Commission explicitly prohibit healthcare providers from texting orders. In addition to the privacy and security concerns discussed above, there is concern that the information may be lost or compromised if it has to be manually entered into the medical record from a text message. Other healthcare providers will not have access to the order if it is not in the medical record, which could affect patient care. The medical record must contain all information upon which treatment decisions are based, and patients have the right to access this information pursuant to HIPAA. The recent CMS Memorandum can be found here.
[i] 45 C.F.R. 164.522(b)

[ii] 78 Fed. Reg. 5634