Can I text or email my patients?
Yes, healthcare providers can communicate with patients via text messages, but only if:
- The communication is encrypted or sent via a secure messaging system, or
- The patient is warned beforehand regarding the risk associated with unencrypted communication and the patient still prefers to communicate via unsecured text or email
If a provider sends an email or text message that is encrypted or sent over a secure messaging system, such as a secure patient portal, the message may include protected health information (PHI). The Department of Health & Human Services (HHS), in its Guide to Privacy and Security of Electronic Health Information, points out that if a provider uses an EHR system that is certified under ONC’s 2014 Certification Rule, the EHR should have the capability to allow patients to communicate through a secure patient portal. However, patients may want information sent via text to their phone or personal email account, which is not secure or encrypted, rather than going to a portal.
Patients have a right to receive communications (including PHI) from the provider by alternative means, such as email or text.[i] However, it is incumbent upon the healthcare provider to inform the patient, in writing, of the risk of unintentional disclosure to a third party of PHI if sent in an unsecure manner. If the patient, after being informed of the risks, chooses to communicate via unsecured means, the patient has that right. This can be done by discussing these risks with the patient and having the patient sign a consent form acknowledging that he or she understands the risk.
In the Final Omnibus Rule, the HHS Office for Civil Rights (OCR) states that covered entities are not required to educate individuals about encryption and information security, but must notify the patient that there is a risk that the information in the email could be read by a third party. “If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request.” [ii]
Communication between patients and doctors is an important part of the physician-patient relationship. Learn more about texting and emailing patients by clicking below.