HIPAA Compliant Appointment Reminders
Sending email and text message appointment reminders is hugely popular, for both provider and patient. By default, however, HIPAA does not allow this activity because it involves Protected Health Information (PHI) being sent to an unsecured environment (the patient’s phone or email). Fortunately, patients can override this restriction and you can still be HIPAA compliant.
Like so many other areas in healthcare, patients themselves can authorize just about anything, receiving information via unsecured email and text included. HIPAA acknowledges that receiving information by email and text is extremely convenient, and that patients will often prefer this method of communication from their healthcare providers.
Therefore, to make appointment reminders HIPAA compliant, start by obtaining your patients' authorization.
The email authorization
Authorization should go well beyond a single sentence buried somewhere within an intake form, or a verbal cue; it must be informative and comprehensive.
An email authorization form should include:
- Risks associated with transmitting information using email or text, such as:
  - Email can be immediately broadcast worldwide and be received by unintended recipients.
  - Email senders can easily misaddress an email.
  - Employers and online services have a right to archive and inspect emails transmitted through their systems.
  - Email can be intercepted, altered, forwarded, or used without authorization or detection.
  - Email can be used to introduce viruses into computer systems.
  - Email can be used as evidence in court.
- Conditions of using email or text, such as:
  - All emails to or from the patient concerning diagnosis or treatment will be saved as part of the medical record.
  - The practice may forward emails internally to the practice’s staff and agents as necessary for diagnosis, treatment, reimbursement, and other handling.
  - If the patient’s email requires or invites a response from the practice, and the patient has not received a response within a reasonable time period, it is the patient’s responsibility to follow up to determine whether the intended recipient received the email and when the recipient will respond.
  - The patient is responsible for protecting his/her password or other means of access to email.
  - It is the patient’s responsibility to follow up and/or schedule an appointment if warranted.
- Instructions for communicating by email, such as:
  - Inform the practice of changes in his/her email address.
  - Put the patient’s name in the body of the email.
  - Review the email to make sure it is clear and that all relevant information is provided before sending it to the practice.
Here's a sample Email/Text Authorization form.
Be sure to have a system in place to handle patients who choose not to utilize email and text messages. Remember, the patient decides if it's okay to send appointment reminders, not your practice.
The business associate agreement (BAA)
Without a doubt, the service you use to send appointment reminders is your business associate. Therefore, in addition to patient authorization you must have a BAA with said service if you are to remain HIPAA compliant. Please read Who Are HIPAA Business Associates and Why You Should Care for details.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.