I recently wrote about email and text guidelines the American Medical Association (AMA) set forth to help healthcare providers ensure their electronic communications comply with the Health Insurance Portability and Accountability Act (HIPAA). Thanks to this roadmap, and current available technologies, providers and their business associates have what they need to email and text patients legally and responsibly when Protected Health Information (PHI) is at stake.
Today, I’m going to discuss HIPAA compliance more in depth—specifically, as defined and determined by the HIPAA Privacy Rule, the HIPAA Security Rule, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Each of these contributes to the pool of regulatory requirements controlling the exchange of PHI via electronic communications.
Understanding how these regulations (collectively referred to herein as “HIPAA requirements”) impact text and email communications is your first step toward launching a HIPAA-compliant text and email communication program.
First Things First: A Brief HIPAA Breakdown
Before we launch into our five-step dive, here’s a quick primer on how HIPAA requirements have evolved and expanded since 2000.
HHS Privacy Rule
Health and Human Services (HHS) published a final Privacy Rule in December 2000, which was later modified in August 2002. This rule set national standards for the protection of individually identifiable health information (PHI) held by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct standard healthcare transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
HHS Security Rule
HHS published a final Security Rule in February 2003. This rule sets national standards for protecting the confidentiality, integrity, and availability of electronic PHI. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
HHS Enforcement Rule
The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.
HHS Breach Notification Rule
The HHS Breach Notification Rule requires covered entities to notify affected individuals and HHS following a breach of unsecured PHI (and, for breaches affecting more than 500 residents of a state or jurisdiction, the media), and requires business associates to notify the covered entity of breaches they discover. HHS later issued a final Omnibus Rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for PHI established under HIPAA, thus finalizing the Breach Notification Rule.
Now, Let’s Dive Into the HIPAA Requirements
These are five of the most important aspects of HIPAA as it pertains to email and text. If you’re considering using electronic communications to engage patients for any reason, these bottom-line takeaways should be top of mind.
Step #1: Relationships Matter
The HIPAA requirements for text and email communications differ depending on the relationship between the texting or emailing parties.
While every electronic communication sent from a covered entity or business associate to a patient must be safeguarded by the sender, communications from the patient to the covered entity or business associate need not be. This is because HIPAA does not make a covered entity or business associate responsible for encrypting PHI that a patient chooses to send to it; the patient is not a covered entity and is free to accept the risk of an unencrypted channel.
Nevertheless, the covered entity or business associate still bears some responsibility regarding email and text communications received from a patient (see Step #2).