Make Appointment Reminders HIPAA Compliant

by Dr. Jeff Brown

Sending e-mail and text message appointment reminders is hugely popular, for both provider and patient. By default, however, the HIPAA does not allow this activity because it involves Protected Health Information (PHI) being sent to an unsecured environment (the patient’s phone or e-mail). Fortunately, a patient can override this HIPAA restriction.

Like so many other areas in healthcare, patients themselves can authorize just about anything, receiving information via unsecured e-mail and text included. The HIPAA acknowledges receiving information by e-mail and text is extremely convenient, and that patients will often prefer this method of communication from their healthcare providers.

Obtain patient authorization and you’re good to go.

The e-mail authorization

Authorization should go well beyond a single sentence buried somewhere within an intake form or a verbal cue, it must be informative and comprehensive.

An e-mail authorization form should include:

  1. Risks associated with transmitting information using e-mail or text, such as:
    1. E-mail can be immediately broadcast worldwide and be received by unintended recipients.
    2. E-mail senders can easily misaddress an e-mail.
    3. Employers and on-line services have a right to archive and inspect e-mails transmitted through their systems.
    4. E-mail can be intercepted, altered, forwarded, or used without authorization or detection.
    5. E-mail can be used to introduce viruses into computer systems.
    6. E-mail can be used as evidence in court.
  2. Conditions of using e-mail or text, such as:
    1. All e-mails to or from the patient concerning diagnosis or treatment will be saved as part of the medical record.
    2. The practice may forward e-mails internally to the practice’s staff and agents as necessary for diagnosis, treatment, reimbursement, and other handling.
    3. If the patient’s e-mail requires or invites a response from the practice, and the patient has not received a response within a reasonable time period, it is the patient’s responsibility to follow up to determine whether the intended recipient received the e-mail and when the recipient will respond.
    4. The patient is responsible for protecting his/her password or other means of access to e-mail.
    5. It is the patient’s responsibility to follow up and/or schedule an appointment if warranted.
  3. Instructions to communicate by e-mail, such as:
    1. Inform the practice of changes in his/her e-mail address.
    2. Put the patient’s name in the body of the e-mail.
    3. Review the e-mail to make sure it is clear and that all relevant information is provided before sending to the practice.

Here's a sample E-mail/Text Authorization form.

Be sure to have a system in place to handle patients who choose not to utilize e-mail and text messages. Remember, the patient decides if it's okay to send appointment reminders, not your practice.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.

See More HIPAA Topics