Emails, texts, and HIPAA: 7 rules every dentist needs to know
While you may think your dental practice is following all HIPAA rules, is it really? Check these seven rules from an attorney who has represented dental practices who have missed something regarding HIPAA, and paid for it.
If you’re a dentist, you know about HIPAA. You know that HIPAA creates rules and restrictions on the way you keep, use, and disclose patient information. However, many dentists don’t realize that HIPAA also restricts the way they and their staff can use email and text messages to communicate with patients and other providers about patients.
HIPAA applies to emails and text messages
HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening.
HIPAA doesn’t completely prohibit using emails and texts to communicate with patients or other providers about patients. But HIPAA does require dentists to use security measures when doing so, such as encryption or secure messaging platforms. Alternatively, dentists need to obtain consent from patients to send protected information via unsecured email or text. Sending protected information over unsecured emails or texts without a patient’s consent can violate HIPAA.
Why should dentists care about this?
Failing to comply with HIPAA can have severe consequences. If protected health information is used or disclosed in a way that does not comply with HIPAA, a dentist may need to give notice of the impermissible use to the affected individuals, the federal government, and, if more than 500 individuals are affected, the media. The federal government has stepped up HIPAA enforcement, conducting more compliance audits and seeking more financial penalties from HIPAA violators.
What does this mean?
Dentists and their staff need to know and follow the rules with emails and texts to remain HIPAA compliant. Before getting to the rules, here’s some terminology:
First, HIPAA applies to the storage, use, and disclosure of a patient’s individually identifiable health information, which HIPAA calls protected health information (PHI). PHI is generally defined as any information about a patient,—name, demographic information, past, present, or future physical or mental health condition, treatment, x-rays, pictures, and payment information—that can reasonably be linked to a specific, identifiable individual.
Second, “password protected” is not the same as “secure” or “encrypted.” To understand the difference, think of a padlock and a code. A padlock (like a password) protects against unauthorized access. But once a person unlocks the padlock (gets past the password), the person can see and make sense of everything inside. Encryption, on the other hand, is like a code. The information gets jumbled so it cannot be used or understood by a person who sees unless that person has the “key” to decode the jumble (the “encryption key”).
What are the rules for emails and texts?
1. Emails to others inside the same practice—Most practices have a secure server and network, and emails between people inside the same practice, even if located in different offices, are sent over the secure server and network. If an email is sent to another person inside the same practice over a secure server and network, the email can include a patient’s PHI and does not need to be encrypted. However, if the in-practice email is not being sent over a secure server (e.g., if the practice uses Gmail or another web-based email service), the email should not include information about a patient that can be linked to a specific, identifiable individual.
2. Emails to persons outside the practice (other than the patient)—Emails to people outside the practice other than the patient should not include a patient’s PHI unless the email is encrypted or sent via a secure messaging system. This generally means that dentists should not use emails to communicate with other providers about an identifiable patient unless special security measures are taken.
3. Emails to personal email accounts—Emails from a work email account to a personal email account should not include PHI or attach patient records or other documents with PHI. If work needs to get done from home, consider using a secure remote connection (such as GoToMyPC) to connect from home, or take the minimal amount of needed information home on an encrypted flash drive.
4. Text messages to persons other than the patient—Unless a provider or practice has a secure text messaging platform, text messages are not secure or encrypted. They are easily intercepted, often sent to an incorrect number, and usually stored indefinitely on third-party devices, such as the wireless carrier’s servers. Thus, text messages should not include a patient’s PHI. This is true even for texts to staff or other providers inside the same practice; these should not include identifiable patient information.
5. Emails and texts to patients—More patients want their dentists to communicate with them by email or text. Dentists who want to do so must do one of two things. Option one is to use an email or text messaging system that encrypts messages or requires patient login, such as a patient portal. If a secure messaging system is used, messages sent to a patient can include PHI.
Option two is to obtain the patient’s consent for using unencrypted email or text messages to communicate with the patient. This is after advising the patient of the risks of doing so, including the risk that the message could be read by a third-party. A good way to do this is by giving the patient a well-written consent form as part of his or her new patient paperwork, or to existing patients at their next visit. If a patient consents to the use of unsecured emails and texts after being properly warned, a dentist may communicate protected PHI to the patient in that way.
6. Emails and texts from patients—The above rules do not apply to emails or texts sent by a patient. HIPAA applies to health-care providers (and other “covered entities”), not patients. Patients can use unencrypted emails and texts to communicate with providers.
If a patient initiates an unsecure email or text and sends it to his or her health-care provider, the Health and Human Services Office of Civil Rights (OCR), which enforces HIPAA, explains that the provider may assume that using unsecure emails or texts are acceptable to the patient, unless the patient has explicitly stated otherwise. However, OCR has also advised that if the provider believes the patient might not understand the risks of using unencrypted email or texts or if the provider has concerns about potential liability, the provider may want to alert the patient of those risks and let him or her decide whether to continue with unencrypted email and text communications. So, if a dentist doesn’t have a signed consent and preference form from the patient, the dentist may want to get one before replying via unsecured email or text.
7. Email confidentiality notices and disclaimers—There’s a myth that including a confidentiality notice or disclaimer in an email makes the email compliant with HIPAA and allows a dentist to send PHI via unencrypted or unsecure email. The myth is false. Even the best-worded notice or disclaimer will not make an unencrypted email comply with HIPAA. The rules here still apply.
Best practice: Get consent and preference forms from all patients
All dental offices, even those that use encryption or secure messaging systems, should consider having all patients complete an email and text message consent and preference form that confirms their preferences about emails and texts. Doing so would allow dentists to communicate with their patients consistent with their desires. It would also give patients a chance to consent to the use of unencrypted emails or texts.
Consent forms would also help dentists with another significant hazard that comes with calling or texting a patient’s cell phone—the Telephone Consumer Protection Act (TCPA). TCPA is the federal law that protects consumers from unwanted telephone calls and faxes. TCPA prohibits making auto-dialed and pre-recorded calls and texts to cell phones (e.g., auto-generated appointment reminders) without the prior express consent of the called or texted party. Sanctions for violating the TCPA can be huge—$500 per violation (per call or text message).
For all of these reasons, having every patient review and sign a well-written consent and preference form, and then following the patient’s preferences, is a good idea that will keep your dental practice HIPAA compliant.