Patient communication has evolved dramatically, but HIPAA requirements haven't loosened. Practices that discuss PHI over standard email, SMS, or consumer messaging apps risk significant penalties. Here's how to communicate compliantly.
What HIPAA Requires for Patient Communication
HIPAA doesn't prohibit email or text communication with patients. It requires that when PHI is communicated electronically, appropriate safeguards are in place to protect it from unauthorized access.
Is Standard Email HIPAA-Compliant?
Consumer email accounts (free Gmail, Outlook.com, Yahoo) are not HIPAA-compliant for sending PHI because:
- Encryption in transit is only opportunistic: TLS between mail servers is negotiated hop by hop and falls back to plaintext when a relay doesn't support it, and the message then sits unencrypted in both parties' mailboxes
- There is no audit trail showing who opened the message or where it was forwarded
- Free consumer providers will not sign a Business Associate Agreement (BAA); paid business tiers such as Google Workspace and Microsoft 365 can be covered by a BAA, but only when the service is configured and used the way the BAA requires
Exception: if a patient explicitly requests email communication after being informed of the risks, you can accommodate that preference, but document the warning you gave and the patient's consent before sending PHI that way.
HIPAA-Compliant Communication Options
| Channel | Compliant? | Examples |
|---|---|---|
| Encrypted Email | ✅ Yes, with a signed BAA | Hushmail, LuxSci, Virtru for Gmail |
| EHR Patient Portal | ✅ Yes | Epic MyChart, Athena Patient Portal |
| HIPAA-Compliant Text | ✅ Yes, with a signed BAA | Klara, Spruce Health, OhMD |
| Standard SMS/Text | ⚠️ Limited | Appointment reminders only, with no clinical detail or other PHI |
| Standard Gmail/Outlook | ❌ No (for PHI) | Consumer accounts with no BAA |
| WhatsApp/iMessage | ❌ No | Never for PHI |
What Virtual Staff Must Follow
All virtual medical staff who communicate with patients must:
- Use only HIPAA-compliant communication tools provided by your practice
- Never use personal email or messaging apps for patient-related communication
- Document all significant patient communications in the EHR
- Follow your practice's communication protocols exactly
HIPAA-Trained Virtual Staff Who Communicate Compliantly
All our virtual medical assistants (VMAs) are trained on secure patient communication protocols.