App Design Considerations

If you are implementing a feature that sends an individual unencrypted messages containing their PHI, keep these six points in mind:

1. Make your disclosure simple and clear

For example:
[Email/text messaging] allows us to communicate with you more efficiently and provide you with better service. At the same time, we recognize that [email/text messaging] is not a completely secure means of communication because these messages can be addressed to the wrong person or accessed improperly while in storage or during transmission.

2. Use a true opt-in

For example:
If you would like us to send you [email/text messages] that contain your health information, please select “Yes.”

You can require an answer, and even display a warning if the user doesn't opt in. Never pre-select "yes" for them.

3. Confirm user-provided information

If possible, send a confirmation email or SMS and require the user to validate their email address or phone number before seeing PHI.

4. Keep records

Keep an audit record of the user’s opt-in, either in your database or logging system. Make sure your business continuity plan includes making and testing backups. Make sure you can explain which version of the disclosure and opt-in the user agreed to, and how you authenticated their identity.

5. Degrade gracefully

Have a plan for what happens if the user doesn't opt in. Make sure users understand that they are not required to authorize the use of unencrypted email or text messaging, and that a decision not to opt in will not affect their health care in any way. Never penalize a user for not opting in.

If your service cannot work without sending PHI over unencrypted email or text messaging, be sure to emphasize that users can still choose not to use your service:

You are not required to authorize the use of [email/text messages]; however, if you choose not to authorize us to send you health information over [email/text messages], we may not be able to serve you.

In this case, be sure to thoroughly document the rationale in your HIPAA policies.

6. Be prepared to handle replies

Remember that if a user replies to your email or SMS with a message containing PHI, any system that receives the reply needs to be able to handle PHI. Be careful with your reply-to addresses.
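The following is an added Python example, not code from this page, showing how points 2 through 4 fit together in one consent record: the opt-in must be an explicit answer (never defaulted to "yes"), the user-provided address is confirmed with a single-use token before any PHI is sent, and each step is logged with the disclosure version shown and how the user was authenticated. The function names and the DISCLOSURE_VERSION value are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

DISCLOSURE_VERSION = "disclosure-v1"  # assumed id of the disclosure text the user was shown

@dataclass
class Consent:
    user_id: str
    channel: str                       # "email" or "sms"
    address: str                       # user-provided email address or phone number
    disclosure_version: str            # which disclosure wording the user agreed to
    opted_in: bool
    verified: bool = False             # True once the address has been confirmed
    token_hash: Optional[str] = None   # only a hash of the confirmation token is stored
    audit: list = field(default_factory=list)

def _log(consent, event, **details):
    consent.audit.append({"at": datetime.now(timezone.utc).isoformat(), "event": event, **details})

def record_opt_in(user_id, channel, address, answer, authenticated_by):
    """Store the user's explicit answer; a missing or pre-filled answer is an error, not a 'yes'."""
    if answer not in ("yes", "no"):
        raise ValueError("opt-in requires an explicit 'yes' or 'no'")
    c = Consent(user_id, channel, address, DISCLOSURE_VERSION, answer == "yes")
    _log(c, "opt_in_answer", answer=answer, authenticated_by=authenticated_by)
    return c

def issue_confirmation(consent):
    """Return the one-time token to send to the address; the record keeps only its hash."""
    token = secrets.token_urlsafe(16)
    consent.token_hash = hashlib.sha256(token.encode()).hexdigest()
    _log(consent, "confirmation_sent", channel=consent.channel)
    return token

def confirm_address(consent, presented_token):
    """Mark the address verified if the presented token matches; the token is single use."""
    if consent.token_hash is None:
        return False
    ok = hmac.compare_digest(hashlib.sha256(presented_token.encode()).hexdigest(), consent.token_hash)
    if ok:
        consent.verified = True
        consent.token_hash = None
    _log(consent, "confirmation_result", ok=ok)
    return ok

def may_send_phi(consent):
    """Gate every PHI send on both an explicit opt-in and a confirmed address."""
    return consent.opted_in and consent.verified
```

The audit list on each record is what lets you answer later which disclosure version a user agreed to and how they were authenticated; in a real deployment it would be written to your database or logging system rather than kept in memory.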