
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

Emails Texts and HIPAA

Therapists have the legal and ethical duty to maintain patient confidentiality and to take reasonable steps to ensure that the confidential patient information they maintain is secured. This article discusses how to comply with HIPAA’s Security Rule when communicating with patients via e-mail and text messaging.

by Ann Tran-Lien, JD
Managing Director of Legal Affairs
The Therapist
May/June 2017

Today, about 87 percent of American adults use the Internet.1 Nearly 95 percent of Americans now own a cell phone of some kind, with 77 percent of Americans owning a smart phone.2 In 2015, a study showed that 97 percent of smart phone owners use text messaging at least once a day.3 With such widespread use of e-mail and text messaging, therapists may find it more convenient to communicate through these methods rather than phoning the patient or waiting for an in-person meeting. These communications generally range from administrative issues (such as scheduling an appointment) to more clinical matters (such as follow-up to sessions). It is important for therapists who use e-mail or text messaging to communicate with their patients to be familiar with the laws that govern these electronic communications and the storage of electronic confidential information.

Therapists have the legal and ethical duty to maintain patient confidentiality and take reasonable steps to ensure patient confidential information maintained by the therapist is secured. Both California law and the Health Insurance Portability and Accountability Act (HIPAA) recognize electronic communications between a patient and provider regarding the patient’s treatment or other identifiable information such as the patient’s name as protected, confidential information. The term “electronic” is defined as “technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.”4

HIPAA refers to this information as “electronic protected health information” or “e-PHI.” California law further provides that an electronic communication between a patient and a psychotherapist is protected by the psychotherapist-patient privilege, and “does not lose its privileged character for the sole reason that it is communicated by electronic means.”5 Also, the communication remains protected by the psychotherapist-patient privilege even if a third party involved in the delivery, facilitation, or storage of the electronic communication, such as a vendor that offers secured messaging, may have access to the content of the communication.

For providers who are “covered entities” under HIPAA, there are rules and standards with which the provider should be familiar in order to avoid inadvertently violating federal law. Providers who, directly or through their business associates, conduct certain “covered transactions,” such as billing insurance companies electronically or checking a patient’s eligibility on an insurance company’s website, are HIPAA covered entities. Covered entities must comply with HIPAA rules in addition to California law. To determine if you are a covered entity, or to read more about covered entities, see Dave Jensen’s article, “To Be or Not To Be a Covered Entity: That is the Question” (The Therapist, March/April 2003).

The U.S. Department of Health and Human Services Office for Civil Rights (OCR), which administers and enforces compliance with the HIPAA Privacy and Security Rules, has provided guidance on using electronic communication methods with patients in accordance with HIPAA.6 The Privacy Rule and the Security Rule do not prohibit electronic transmission of PHI between providers and patients, but safeguards should be applied to reasonably protect the patient’s privacy. Per the guidance, to communicate with patients via e-mail and text message, the covered entity must apply reasonable and appropriate safeguards to the electronic transmission;7 and if the patient does not want encrypted e-mails or texts, the covered provider is legally required to “warn” the patient of the risks of transmitting confidential information via unencrypted e-mails or texts and to document the patient’s consent to receiving unencrypted electronic information.

Although California law does not expressly require therapists to assess and apply reasonable safeguards when communicating with patients electronically, California does require therapists and other health care providers who create and preserve medical information to do so in a manner that preserves its confidentiality.8 Additionally, the CAMFT Code of Ethics provides that Marriage and Family Therapists should be aware of the limitations regarding confidential transmission by Internet or electronic media and take care when transmitting or receiving such information via these mediums. Therefore, California licensed therapists who are not covered entities under HIPAA should consider using HIPAA as guidance for best practices when communicating with patients electronically.

This article will discuss the potential risks when sending PHI via e-mail or text message, the reasonable and appropriate safeguards for therapists to consider, and the “warning” to the patient if the patient does not want to receive unencrypted e-mails or texts.

Potential Risks

According to the OCR, the Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.9 The first step is for the provider to conduct a risk analysis of communicating with patients via e-mail or text message and document any potential risks. Some risks include:

  • Inadvertent sending of an e-mail or text containing e-PHI to the wrong recipient.
  • Theft or loss of the computer, laptop or mobile device storing e-PHI.
  • Interception by an unauthorized third party through an unsecured network.
  • Unintentional download of a virus or malware on the computer or mobile device which may allow unauthorized access to e-PHI stored on the computer or mobile device.
  • Unauthorized access of the computer, laptop or mobile device containing e-PHI by family, friends or other third parties.
  • Improper disposal of the mobile device containing e-PHI.

Apply Reasonable Safeguards

Based on the risk analysis, the covered entity is required by the Security Rule to “implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access” to PHI sent electronically.10 Thus, covered entities may consider the following safeguards and implement policies and procedures with respect to the use of e-mail or text message in communicating with patients. (For a more comprehensive evaluation and application of safeguards in one’s practice, review the accompanying article on PAGE titled “Administrative, Physical and Technical Safeguards Standards Compliance Worksheet” written by David Jensen, CAMFT Staff Attorney.) It is recommended that the policies and procedures implemented by the covered entity be in writing and maintained along with other business records.

Administrative Safeguards

Administrative safeguards are administrative policies and procedures implemented by the covered entity to reduce the risk of unauthorized access to e-PHI to a reasonable and appropriate level. The policies and procedures are to be kept in the covered entity’s business records. Some administrative safeguards include:

  • Conducting periodic risk assessments of using a computer or mobile device to transmit e-PHI.
  • Implementing policies on the type of client communications sent via e-mail or text, such as for scheduling purposes only. Or, the provider may consider a policy limiting the information that identifies a patient from being sent electronically.
  • Implementing written policies and procedures on the technical and physical safeguards determined to be appropriate, as defined below.
  • For covered entities who are employers, designating a security official who will be responsible for developing and implementing the practice’s security policies and procedures.
  • When applicable, providing supervision and training to employees who have access to e-PHI and may be e-mailing or texting such information to clients. In addition, documenting policies and procedures for how employees are to report known or suspected security incidents to the security official, another designated person, or the employer.

Physical Safeguards

Physical safeguards are physical policies and procedures that protect the work station and the devices, such as computers, laptops, or mobile devices, which are used by the covered entity to store or transmit e-PHI. Some physical safeguards may include:

  • Storing the computers, laptops or business-owned mobile devices used to transmit or store e-PHI in locked offices or locked cabinets.
  • Implementing policies that prevent access to the computer or mobile device by unauthorized persons.
  • Documenting policies on automatic log-offs on computers; immediate sign-outs on e-mail accounts; and prohibition of accessing confidential e-mails on public computers.
  • Implementing policies that require deletion of e-mails or text messages that contain e-PHI after printing or documenting in the clinical record.
  • Implementing policies on documentation of e-PHI in the clinical record. (For example, documenting in the clinical record any e-PHI sent via e-mail or text message that is used to make a clinical decision regarding a patient.)

Technical Safeguards

Technical safeguards are technical policies and procedures that allow only authorized persons to access the e-PHI stored or transmitted electronically to patients, policies that ensure e-PHI is not improperly destroyed or altered, and security measures that guard against unauthorized access to confidential information that is being transmitted over an electronic network. Some technical safeguards include:

  • Implementing policies and procedures that require password protection or other user authentication for the computer or mobile device.
  • Installing and/or enabling encryption on the e-mail account or mobile device.
  • Installing and regularly updating antimalware software on the computer or mobile device.
  • Implementing policies that allow e-mails or texts to be sent only when using a Virtual Private Network connection, which encrypts data to and from the computer or mobile device so that it is not readable if intercepted on the public network, or when using another form of secured network connection.
  • Regularly updating the security software and operating systems on the computer or mobile device.
  • Installing and activating remote wiping or remote disabling of the mobile device in case of loss or theft.

“Warn” the Patient

The OCR has acknowledged that there may be instances when an individual may not want to receive their e-PHI in an encrypted format or may be unable to access the information when encrypted. (See “Business Associates” below for more about encryption options.) Thus, the OCR provided written clarification in its Final Omnibus Ruling that covered entities are permitted to send patients unencrypted e-mails if they have advised the patient of the risk and the patient still prefers unencrypted e-mails.11 Although the OCR’s guidance specifically mentions e-mail, it arguably can be applied to text messages, given that HIPAA regulations do not reference specific technologies. The OCR states it does not expect covered entities to educate individuals about encryption technology and information security; however, the OCR expects “the covered entity to notify the individual that there may be some level of risk that the information in the e-mail could be read by a third party.”12 The OCR further explains, “If the individuals are notified of the risks and still prefer unencrypted e-mail, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request.”13

The warning should notify the patient that communicating confidential information via e-mail or text message may not be secure and that their confidentiality may be breached. Threats to the client’s confidentiality include, but are not limited to: 1) the transmission may be intercepted; 2) the transmission may be sent to the wrong recipient; and 3) the e-mail or text message may be accessed by an unauthorized person. The warning and the patient’s consent must be documented in writing. Therapists who regularly e-mail or text patients may consider including this warning as part of their Informed Consent Form or Disclosure Statement, which is acknowledged and signed by the patient. If e-mailing or text messaging is not a common, regular practice for the therapist, the therapist may consider providing a separate statement disclosing the warning, to be acknowledged and signed by the patient upon request for such communication. In either case, it is important for the covered entity to document its compliance with the OCR guidance in providing the warning to the patient. The OCR also clarified that covered entities are not responsible for safeguarding information once it is delivered to the patient.

E-mails or Texts from Patients

The Security Rule requirements on implementing safeguards apply only if a covered entity initiates communications with patients via e-mail or text message. In its guidance, the OCR indicated that if patients initiate communications via e-mail, the therapist can assume that e-mail communications are acceptable to the patient.14 However, if the therapist believes the patient may not be aware of the possible risks of using unencrypted e-mail, the provider should inform the patient of those risks and let the patient decide whether to continue e-mail communications. The disclosure and the patient’s decision should be documented in writing in the clinical record.

Business Associates

A covered entity may consider contracting with a vendor who offers secured, encrypted e-mail messaging, or downloading apps on the mobile device that offer secured, encrypted text messages. HIPAA requires that if a covered entity engages a third party to carry out, assist with, or perform a function or activity for the covered entity, it must enter into a “Business Associate Agreement” with the third party.15 The third party is called a “Business Associate” under HIPAA. Essentially, the Business Associate Agreement requires the vendor to comply with HIPAA laws by using appropriate safeguards to prevent a use or disclosure of the PHI other than as provided in the Agreement.16 The business associate is responsible for reporting to the covered entity any breaches of unsecured PHI; any use or disclosure of PHI that is not allowed by the Business Associate Agreement; and any security incidents (i.e., attempted unauthorized access to PHI, or any modification or destruction of PHI). A covered entity can be found liable if it knew of a pattern of activity or practice of the Business Associate that constituted a material violation of the Business Associate’s obligations under the Agreement; failed to take reasonable steps to cure the violation; and failed to terminate the Agreement, if feasible. For further reading on business associate agreements, see “Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements” by Sara Jasper, CAMFT Staff Attorney (The Therapist, Jul/Aug 2012).

Other Considerations

In addition to the safeguards that therapists are recommended to employ, there are other considerations therapists may want to think about when communicating with patients via e-mail or text message. A written disclosure statement regarding policies and procedures for using e-mail or text message can help patients understand and acknowledge certain limitations and risks that accompany electronic communications.

The statement, which would be communicated to the patient at the outset of treatment, may include:

  • Any limitations on the topics for e-mailing or text messaging, such as, informing the patients that e-mails or texts are not appropriate forms of communication for emergencies or crises. The therapist may also want to consider the potential for brief, abridged messages via e-mail or text message to be misconstrued, which can have a negative impact on the therapeutic relationship or potential harm to the patient. Therefore, patients can be informed that sensitive, clinical information is to be discussed over the phone or in-person as deemed appropriate by the therapist.
  • The expected response time (e.g., “I will respond to your e-mail within 24 hours”).
  • Any fees that may be charged for communication via e-mail or text message.
  • Any potential risks of unauthorized access to stored confidential information or security of the transmission.

Further, potential boundary issues may arise for therapists when e-mailing or texting patients. Some key issues to consider include: maintaining a professional tone in all e-mails or texts to patients; ensuring that communication via e-mail or text has an administrative and/or clinical purpose; avoiding the use of “emoticons” or slang, which may be construed as more of a personal communication with the patient; and limiting the number of communications via text unless there is a clinical justification that is carefully documented in the record. It is important to note that e-mails and text messages sent to a patient are all written materials that can be kept by the patient and potentially used against the therapist in legal proceedings or other matters.

Conclusion

With due diligence in implementing safeguards and careful consideration of legal and ethical issues, e-mail and text messaging can be viable forms of communication for therapists and their patients. As technology expands and changes, more options for communicating electronically with patients will be made available, and patients may come to expect these options. Therapists are strongly encouraged to stay abreast of laws and ethics surrounding the utilization of technologies in communicating with patients.

Ann Tran-Lien, JD, is a staff attorney and the Managing Director of Legal Affairs at CAMFT. Ann is available to answer member calls regarding legal, ethical, and licensure issues.


1 The Pew Research Center (2016) at
2 The Pew Research Center (2016) at
3 The Pew Research Center (2015) at
4 Cal. Civil Code § 1633.2(e)
5 Cal. Penal Code § 917(b)
6 The Office for Civil Rights’ guidance can be accessed on the U.S. Department of Health and Human Services website at https://www. index.html
7 Id.
8 Cal. Civ. Code § 56.101
9 The Office for Civil Rights’ guidance can be accessed on the U.S. Department of Health and Human Services website at https://www.hhs.gov/hipaa/for-professionals/faq/2006/does-the-security-rule-allow-for-sending-electronic-phi-in-an-email/index.html
10 45 C.F.R. § 164.312(e)(1)
11 78 Federal Register p. 5634 (Jan. 25, 2013)
12 Id.
14 The Office for Civil Rights’ guidance can be accessed on the U.S. Department of Health and Human Services website at https://www. index.html
15 45 C.F.R. § 160.103
16 45 C.F.R. § 164.502(e)(2)
