HIPAA guidelines for electronic communications require HIPAA Covered Entities and Business Associates to do three things. First, permit only uses and disclosures of protected health information that comply with the HIPAA Privacy Rule. Second, protect electronic protected health information with the administrative, physical, and technical safeguards required by the HIPAA Security Rule across email, texting, patient portals, telehealth platforms, and messaging applications. Third, apply the HIPAA Breach Notification Rule when an electronic communication results in an impermissible use or disclosure of unsecured protected health information.
The HIPAA Privacy Rule allows covered entities to communicate with patients electronically, including for treatment, payment, and health care operations, when the disclosure is permitted and reasonable safeguards are used to prevent incidental disclosures. Reasonable safeguards include limiting message content to what is necessary for the purpose, verifying recipient contact information before sending, using the patient's preferred channel when that preference is documented, and configuring workflows to prevent misdirection and unauthorized access. When an electronic communication involves a disclosure to a third party that is not otherwise permitted, a valid HIPAA authorization is required before protected health information is sent.
The HIPAA Security Rule applies whenever electronic protected health information is created, received, maintained, or transmitted, and it requires a risk analysis that covers the communication channels and devices used by the workforce. Safeguards commonly include access controls with unique user identification, authentication, role-based access, encryption in transit and at rest where the risk analysis shows it is reasonable and appropriate (encryption is an addressable specification, so a decision not to implement it must be documented with the alternative measure adopted), secure transmission methods, and audit controls suited to the environment that can detect inappropriate access or exfiltration. Policies for mobile device management, remote access, log retention, and secure configuration reduce exposure from lost devices, unmanaged apps, and insecure networks.
Electronic communication services frequently involve vendors that provide email hosting, messaging platforms, contact center tools, telehealth systems, customer support systems, and archival services. A Business Associate Agreement is required whenever such a vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity. Covered entities should define permitted communication uses, retention and archiving requirements, access logging, incident reporting timeframes, and termination procedures including return or destruction of data. When an electronic communication is sent to an unauthorized recipient, intercepted, accessed without authorization, or otherwise disclosed in a manner not permitted, and the information was not secured (that is, not encrypted or destroyed in the manner specified in HHS guidance), the incident is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the protected health information was compromised; the HIPAA Breach Notification Rule then requires notification of affected individuals, HHS, and where applicable the media, within the prescribed timeframes.