About Us | Chapters | Advertising | Join
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
Therapists have the legal and ethical duty to maintain patient confidentiality and take reasonable steps to ensure patient confidential information maintained. This article discusses how to comply with HIPAA’s Security Rule when communicating with patients via e-mail and text messaging.
by Ann Tran-Lien, JD Managing Director of Legal Affairs The Therapist May/June 2017
Today, about 87 percent of American adults use the Internet.1 Nearly 95 percent of Americans now own a cell phone of some kind, with 77 percent of Americans owning a smart phone.2 In 2015, a study showed that 97 percent of smart phone owners use text messaging at least once a day.3 With such wide-spread use of e-mail and text messaging therapists may find it more convenient to communicate through such methods rather than phoning the patient or waiting for an in-person meeting. These communications generally range from administrative issues (such as scheduling an appointment) to more clinical matters (such as follow-up to sessions). It is important for therapists who use e-mail or text messaging as a form of communication with their patients to be familiar with the laws that govern these electronic communications and the storage of electronic confidential information.
Therapists have the legal and ethical duty to maintain patient confidentiality and take reasonable steps to ensure patient confidential information maintained by the therapist is secured. Both California law and the Health Insurance Portability and Accountability Act (HIPAA) recognize electronic communications between a patient and provider regarding the patient’s treatment or other identifiable information such as the patient’s name as protected, confidential information. The term “electronic” is defined as “technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.”4
HIPAA refers to this information as “electronic protected health information” or “e-PHI.” California law further provides that an electronic communication between a patient and a psychotherapist is protected by the psychotherapist-patient privilege, and “does not lose its privileged character for the sole reason that is communicated by electronic means.”5 Also, the communication is still protected by the psychotherapist-patient privilege even if a third-party involved in the delivery, facilitation, or storage of the electronic communication, such as a vendor that offers secured messaging, may have access to the content of the communication.
For providers who are “covered entities” under HIPAA, there are rules and standards with which the provider should be familiar in order to avoid being, inadvertently, in violation of federal law. Providers (or through their business associates),who conduct certain “covered transactions,” such as billing insurance companies electronically or checking a patient’s eligibility on an insurance company’s website, are HIPAA covered entities. Covered entities must comply with HIPAA rules in addition to California law. To determine if you are a covered entity, or to read more about covered entities, see Dave Jensen’s article, “To Be or Not To Be a Covered Entity: That is the Question.” (The Therapist, March/April 2003).
The U.S. Department of Health and Human Services Office for Civil Rights (OCR), which administers and enforces compliance with HIPAA Privacy and Security Rules, has provided guidance on using electronic communication methods with patients in accordance with HIPAA.6 The Privacy Rule and the Security Rule do not prohibit electronic transmission of PHI between providers and patients, but safeguards should be applied to reasonably protect the patient’s privacy. Per the guidance, to communicate with patients via e-mail and text message, the covered entity must apply reasonable and appropriate safeguards to the electronic transmission7; and if the patient does not want encrypted e-mails or texts, the covered provider is legally required to “warn” the patient of the risks in transmitting confidential information via unencrypted e-mails or texts and document the patient’s consent to receiving unencrypted electronic information.
Although California law does not expressly require therapists to assess and apply reasonable safeguards when communicating with patients electronically, California does require therapists and other health care providers who create and preserve medical information to do so in a manner that preserves its confidentiality.8 Additionally, the CAMFT Code of Ethics provides that Marriage and Family Therapists should be aware of the limitations regarding confidential transmission by Internet or electronic media and take care when transmitting or receiving such information via these mediums. Therefore, California licensed therapists who are not covered entities under HIPAA, should consider using HIPAA as guidance for best practices when communicating with patients electronically.
This article will discuss the potential risks when sending PHI via e-mail or text message, the reasonable and appropriate safeguards for therapists to consider, and the “warning” to the patient if the patient does not want to receive unencrypted e-mails or texts.
Potential Risks According to the OCR, the Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.9 The first step is for the provider to conduct a risk analysis of communicating with patients via e-mail or text message and document any potential risks. Some risks include:
Apply Reasonable Safeguards Based on the risk analysis, the covered entity is required by the Security Rule to “implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access” to PHI sent electronically. 10 Thus, covered entities may consider the following safeguards and implement policies and procedures with respect to the use of e-mail or text message in communicating with patients. (For a more comprehensive evaluation and application of safeguards in one’s practice, review the accompanying article on PAGE titled “Administrative, Physical and Technical Safeguards Standards Compliance Worksheet” written by David Jensen, CAMFT Staff Attorney). It is recommended the policies and procedures implemented by the covered entity be in writing and maintained along with other business records.
Administrative Safeguards Administrative safeguards are administrative policies and procedures implemented by the covered entity to reduce risks to unauthorized access to e-PHI to a reasonable and appropriate level. The policies and procedures are to be kept in the covered entity’s business records. Some administrative safeguards include:
Or, the provider may consider a policy limiting information that identifies a patient be sent electronically.
Physical Safeguards Physical safeguards are physical policies and procedures that protect the work station and the devices such as computers, laptops, or mobile devices which are used by the covered entity to store or transmit e-PHI. Some physical safeguards may include:
Technical Safeguards Technical safeguards are technical policies and procedures that allow only authorized persons to access the e-PHI stored or transmitted electronically to patients, policies that ensure e-PHI is not improperly destroyed or altered, and security measures that guard against unauthorized access to confidential information that is being transmitted over an electronic network. Some technical safeguards include:
“Warn” the Patient The OCR has acknowledged that there may be instances when an individual may not want to receive their e-PHI in an encrypted format or may be unable to access the information when encrypted. (See “Business Associates” below for more about encryption options.) Thus, the OCR provided written clarification in its Final Omnibus Ruling that covered entities are permitted to send patients unencrypted e-mails if they have advised the patient of the risk, and the patient still prefers the unencrypted e-mails.11 Although the OCR’s guidance specifically mentions e-mail, it arguably, can be applied to text messages given HIPAA regulations do not reference specific technologies. The OCR states it does not expect covered entities to educate individuals about encryption technology and the information security, however, the OCR expects “the covered entity to notify the individual that there may be some level of risk that the information in the e-mail could be read by a third party.”12 The OCR further explains “If the individuals are notified of the risks and still prefer unencrypted e-mail, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.”13
The warning should notify the patient that communicating confidential information via e-mail or text message may not be secure and that their confidentiality may be breached. Threats to the client’s confidentiality include, but are not limited to: 1) the transmission may be intercepted; 2) the transmission may be sent to the wrong recipient; and 3) the e-mail or text message may be accessed by an unauthorized person. The warning and patient consent must be documented in writing. Therapists, who regularly e-mail or text patients may consider including this warning as a part of their Informed Consent Form or Disclosure Statement which is acknowledged and signed by the patient. If e-mailing or text messaging is not a common, regular practice for the therapist, the therapist may consider providing a separate statement disclosing the warning to be acknowledged and signed by the patient upon request for such communication. In either case, it is important for the covered entity to document their compliance with the OCR guidance in providing the warning to the patient. The OCR also clarified that covered entities are not responsible for safeguarding information once delivered to the patient.
E-mails or Texts from Patients The Security Rule requirements on implementing safeguards apply only if a covered entity initiates communications with patients via e-mail or text message. In its guidance, the OCR indicated that if patients initiate communications via e-mail, the therapist can assume that e-mail communications are acceptable to the patient.14 However, if the therapist believes the patient may not be aware of possible risks of using unencrypted e-mail, the provider should inform the patient of those risks and let the patient decide whether to continue e-mail communications. The disclosure and patient’s decision should be documented in writing in the clinical record.
Business Associates A covered entity may consider contracting with a vendor who offers secured, encrypted e-mail messaging or downloading apps on the mobile device that offers secured, encrypted text messages. HIPAA requires that if a covered entity engages with a third-party to carry out, assist with, or perform a function or activity for the covered entity, it must enter into a “Business Associate Agreement” with the third-party.15 The third-party is called a “Business Associate” under HIPAA. Essentially, the Business Associate Agreement requires the vendor to comply with HIPAA laws in using appropriate safeguards to prevent a use or disclosure of the PHI other than as provided in the Agreement.16 The business associate is responsible for reporting to the covered entity any breaches of unsecured PHI; use or disclosure of PHI that is not allowed by the Business Associate Agreement; and any security incidents (i.e., attempted unauthorized access to PHI; any modification or destruction of PHI). A covered entity can be found liable if it knew of a pattern of activity or practice of the Business Associate that constituted a material violation of the Business Associate’s obligations under the Agreement; failed to take reasonable steps to cure the violation; and failed to terminate the Agreement, if feasible. For further reading on business associate agreements, see “Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements” by Sara Jasper, CAMFT Staff Attorney (The Therapist, Jul/Aug 2012).
Other Considerations In addition to the safeguards that therapists are recommended to employ, there are other considerations therapists may want to think about when communicating with patients via e-mail or text message. A written disclosure statement regarding policies and procedures for using e-mail or text message can help patients understand and acknowledge certain limitations and risks that accompany electronic communications.
The statement, which would be communicated to the patient at the outset of treatment, may include:
Further, potential boundary issues may arise for therapists when e-mailing or texting patients. Some key issues to consider when thinking about this include: maintaining a professional tone in all e-mails or texts to patients; ensuring the communication via e-mail or text have an administrative and/or clinical purpose; avoiding the use of “emoticons” or slang which may be construed as more of a personal communication with the patient; and limiting the number of communication via texts unless there is a clinical justification that is carefully documented in the record. It is important to note that e-mails and text messages sent to a patient are all written materials that can be kept by the patient and potentially used against the therapist in legal proceedings or other matters.
Conclusion With due diligence in implementing safeguards and careful consideration of legal and ethical issues, e-mail and text messaging can be viable forms of communication for therapists and their patients. As technology expands and changes, more options for communicating electronically with patients will be made available and patients may come to expect these options. Therapists are strongly encouraged to stay abreast of laws and ethics surrounding the utilization of technologies in communicating with patients.
Ann Tran-Lien, JD, is a staff attorney and the Managing Director of Legal Affairs at CAMFT. Ann is available to answer member calls regarding legal, ethical, and licensure issues.
Endnotes
1 The Pew Research Center (2016) at http://www.pewresearch.org/ 2 The Pew Research Center (2016) at http://www.pewresearch.org/ 3 The Pew Research Center (2015) at http://www.pewresearch.org/ 4Cal. Civil Code § 1633.2(e) 5Cal. Penal Code § 917(b) 6 The Office for Civil Rights’ guidance can be accessed on the U.S. Department of Health and Human Services at https://www. hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-healthcare-providers-to-use-email-to-discuss-health-issues-with-patients/ index.html 7 Id. 8 Cal. Civ. Code § 56.101 9The Office for Civil Rights’ guidance can be accessed on the U.S. Department of Health and Human Services at https://www.hhs. gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allowfor-sending-electronic-phi-in-an-email/index.html 10 45 C.F.R. § 164.312(e)(1) 1178 Federal Register p. 5634 (Jan. 25, 2013) 12 Id. 13Id. 14 The Office for Civil Rights’ guidance can be accessed on the U.S. Department of Health and Human Services at https://www. hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-healthcare-providers-to-use-email-to-discuss-health-issues-with-patients/ index.html 1545 C.F.R. §160.103 16 45 C.F.R § 164.502(e)(2)
This article is not intended to serve as legal advice and is offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in this article.