Texting Patients Is OK Under HIPAA, as long as you…

OCR Director Severino Makes Policy from the Podium

Speaking at the HIMSS health IT conference in Las Vegas on Tuesday, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent.

In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate Electronic Protected Health Information (ePHI) with patients through unencrypted e-mail, if the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent.

A HIMSS audience member asked Severino why the OCR hasn’t issued similar guidance for text messaging with patients. “I don’t see a difference,” Severino said. “I think it’s empowering the patient, making sure that their data is as accessible as possible in the way they want to receive it, and that’s what we want to do.”

“Wow! That’s a big change,” said Tom Leary, Vice President of Government Relations for HIMSS. “That’s wonderful. Actually, the physician community has been clamoring for clarification on that for several years now. Our physician community will be very supportive of that.”

The 2013 OCR guidance for e-mails, and Severino’s announcement about text messages, only apply to communications with patients. All HIPAA Covered Entities and Business Associates are still forbidden to use unsecured communications tools to communicate with each other.

Messages sent through free e-mail services are not private. Google’s Gmail Terms of Service allow Google to “use…reproduce…communicate, publish…publicly display and distribute” your e-mail messages. Health care providers must use encrypted e-mail or secure e-mail systems to communicate ePHI outside of their organizations.

In 2012, a small medical practice was penalized $100,000 for sharing patient information through free Internet services, including e-mail. According to the resolution agreement, Phoenix Cardiac Surgery “daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.”

While the OCR may be best-known for its HIPAA enforcement, it has pushed healthcare organizations to lower barriers that have prevented patients from obtaining their medical records. The Omnibus Rule required health care providers to only recover actual costs when providing patients with copies of their records.

In its 2016 guidance, the OCR set a $6.50 limit (inclusive of all labor, supplies, and postage) for health care providers “that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.”

The federal requirement to recover actual costs, or a flat fee of $6.50, supersedes state laws that allowed providers to charge for medical record searches and per-page fees. Maine caps the cost at $250 for a medical record, far above the federal $6.50 flat fee.


About the author

Mike Semel

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.


  • The conclusion is don’t use unencrypted communication tools when sending PHI. What was so hard about that?

  • Although HIPAA allows it, CMS has sent emails to at least two hospitals saying that “texting is not permitted,” and that includes secure text messaging applications.

    Source: Report on Medicare Compliance Volume 26 Issue 45 December 18, 2017

  • Barry-

    Thanks for your comment.

    While what you said may seem logical to an IT security professional, your approach could get your organization into a lot of trouble.

    Remember that the HIPAA enforcement agency is called the Office for CIVIL RIGHTS. The government believes that it is a person’s CIVIL RIGHT to have their data protected, and to have access to their health information.

    When the OCR approved sending e-mail, and now text messages, to patients who consent even though they know the systems are not secure, if you refuse you are VIOLATING THE PATIENT’S CIVIL RIGHTS. The OCR takes a very strict approach to creating obstacles to patients accessing their health information.

    Mike Semel

  • Kimberly-

    You are right. In December, 2017, I said the same thing, because the OCR had never issued its long-promised guidance on texting with patients.

    But, as of yesterday, the OCR has changed its position, saying texting with patients is permitted.

    In December, 2012, sending e-mails to patients’ free e-mail accounts was not allowed. A month later it was permitted, based on the release of the HIPAA Omnibus Final Rule.

    CMS and the ONC require compliance with HIPAA, but it is the OCR that sets HIPAA policy and issues guidance. It may take some time to ripple through to other organizations, even departments within the same agency.

    Mike Semel

  • Mike –

    Thank you for clarifying things for all of us. Inconsistencies between agencies add to the confusion.
