If you are implementing a feature to send unencrypted messages to an individual with their PHI, keep these six points in mind:

1. Disclose the risk and ask for an explicit opt-in, for example:

   [Email/text messaging] allows us to communicate with you more efficiently and provide you with better service. At the same time, we recognize that [email/text messaging] is not a completely secure means of communication because these messages can be addressed to the wrong person or accessed improperly while in storage or during transmission.

   If you would like us to send you [email/text messages] that contain your health information, please select "Yes."

2. You can require an answer, and even display a warning if the user doesn't opt in. Never pre-select "Yes" for them.

3. If possible, send a confirmation email or SMS and require the user to validate their email address or phone number before they can see any PHI.

4. Keep an audit record of the user's opt-in, either in your database or in your logging system. Make sure your business continuity plan includes making and testing backups. Make sure you can explain which version of the disclosure and opt-in the user agreed to, and how you authenticated their identity.

5. Have a plan for the case where the user doesn't opt in. Make sure users understand that they are not required to authorize the use of unencrypted email or text messaging, and that a decision not to opt in will not affect their health care in any way. Never penalize a user for not opting in.

   If your service absolutely requires sending PHI over unencrypted email or text messaging in order to work, emphasize that users can still choose not to use your service:

   You are not required to authorize the use of [email/text messages]; however, if you choose not to authorize us to send you health information over [email/text messages], we may not be able to serve you.

   In this case, be sure to thoroughly document the rationale in your HIPAA policies.

6. Remember that if a user replies to your email or SMS with a message containing PHI, any system that receives the reply needs to be able to handle PHI. Be careful with your reply-to addresses.
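The points above describe one workflow: an explicit opt-in tied to a specific disclosure version, verification that the user controls the address, an audit trail of both, and a hard gate that refuses to send PHI otherwise. The following is an added example that is not code from the original page; `ConsentStore`, its methods, the `"v1"` disclosure text, the 24-hour verification window and the `PHI_CAPABLE_REPLY_TO` mailbox are all assumptions made for illustration. It keeps everything in memory, where a real deployment would use a database and a durable, backed-up audit log.

```python
"""Opt-in gate for sending PHI over unencrypted email or SMS.

Added example, not code from the original page. ConsentStore, its methods,
the disclosure versioning scheme and the reply-to mailbox are hypothetical;
the store is in-memory for demonstration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Disclosure wording keyed by version, so the audit trail can state exactly
# which text the user agreed to. Version "v1" is constructed for this example.
DISCLOSURES: Dict[str, str] = {
    "v1": ("Email/text messaging is not a completely secure means of "
           "communication. If you would like us to send you messages that "
           "contain your health information, please select \"Yes.\""),
}

# Assumed mailbox that routes replies into a system able to handle PHI.
PHI_CAPABLE_REPLY_TO = "secure-replies@example.com"

VERIFY_TTL = timedelta(hours=24)  # assumed lifetime of a verification token


@dataclass
class Consent:
    user_id: str
    channel: str                  # "email" or "sms"
    address: str                  # email address or phone number
    opted_in: bool                # the user's explicit answer; never pre-filled
    disclosure_version: str       # which wording the user saw
    auth_method: str              # how the user's identity was established
    recorded_at: datetime
    verified: bool = False        # user has proven control of the address
    verify_token_hash: Optional[str] = None
    verify_expires_at: Optional[datetime] = None


class ConsentStore:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], Consent] = {}
        self.audit_log: List[dict] = []  # append-only trail of consent events

    def _audit(self, event: str, **fields) -> None:
        entry = {"event": event, "at": datetime.now(timezone.utc).isoformat()}
        entry.update(fields)
        self.audit_log.append(entry)

    def record_decision(self, user_id: str, channel: str, address: str,
                        opted_in: bool, disclosure_version: str,
                        auth_method: str) -> Consent:
        """Store the user's explicit yes/no. A new decision always resets
        verification, so a changed address has to be confirmed again."""
        if disclosure_version not in DISCLOSURES:
            raise ValueError(f"unknown disclosure version {disclosure_version!r}")
        if not isinstance(opted_in, bool):
            raise TypeError("opt-in must be an explicit True or False")
        rec = Consent(user_id, channel, address, opted_in, disclosure_version,
                      auth_method, datetime.now(timezone.utc))
        self._records[(user_id, channel)] = rec
        self._audit("opt_in_recorded", user_id=user_id, channel=channel,
                    opted_in=opted_in, disclosure_version=disclosure_version,
                    auth_method=auth_method)
        return rec

    def start_verification(self, user_id: str, channel: str) -> str:
        """Issue a one-time token to send to the address. Only its hash is
        stored, and the message carrying it must not contain PHI."""
        rec = self._records[(user_id, channel)]
        token = secrets.token_urlsafe(32)
        rec.verify_token_hash = hashlib.sha256(token.encode()).hexdigest()
        rec.verify_expires_at = datetime.now(timezone.utc) + VERIFY_TTL
        self._audit("verification_sent", user_id=user_id, channel=channel)
        return token

    def confirm_verification(self, user_id: str, channel: str, token: str) -> bool:
        """Constant-time check of the presented token; single use and expiring."""
        rec = self._records.get((user_id, channel))
        if rec is None or rec.verify_token_hash is None:
            return False
        if datetime.now(timezone.utc) > rec.verify_expires_at:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, rec.verify_token_hash):
            self._audit("verification_failed", user_id=user_id, channel=channel)
            return False
        rec.verified = True
        rec.verify_token_hash = None
        rec.verify_expires_at = None
        self._audit("verification_confirmed", user_id=user_id, channel=channel)
        return True

    def can_send_phi(self, user_id: str, channel: str) -> bool:
        """PHI may go out only with a recorded 'yes' on a verified address."""
        rec = self._records.get((user_id, channel))
        return rec is not None and rec.opted_in and rec.verified

    def build_outbound(self, user_id: str, channel: str, body: str) -> dict:
        """Assemble a message, refusing rather than silently sending."""
        if not self.can_send_phi(user_id, channel):
            raise PermissionError("no verified opt-in for unencrypted PHI")
        rec = self._records[(user_id, channel)]
        return {"To": rec.address, "Reply-To": PHI_CAPABLE_REPLY_TO, "Body": body}
```

A "no" is stored as a record just like a "yes", so the audit trail can distinguish a user who declined from one who was never asked, and the non-opt-in path simply never calls `build_outbound`. The gate checks both the answer and verification, so a typo in the address cannot leak PHI to a stranger before the user has confirmed it.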