As emails and text messages have become ubiquitous, patient expectations around provider responsiveness have increased. Gone are the days when providers set aside time each afternoon to return calls; now, they can simply respond to their patients’ texts—but should they?

Many physical therapists, regardless of their practice model or patient population, are surprised to learn that they may not be allowed to interact with patients in the manner they—or their patients—prefer. These same providers are typically even more surprised to hear that these restrictions also apply to patient-related communications between them and their colleagues.

As you read this article, remember that each of these requirements applies regardless of communication type—voicemail, text, email, or social media message (collectively referred to as “messages” throughout this post)—or recipient. In other words, these tenets cover all types of messages between patients and providers as well as those between providers and colleagues.


1. Store the messages in the patient’s record.

The Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information, known as protected health information (PHI). Under the Security Rule, providers must maintain the confidentiality, integrity, and availability of all electronic PHI that they create, receive, maintain, or transmit (45 CFR § 164.306). It is the provider’s responsibility to ensure that PHI is:

  • not made available or disclosed to unauthorized persons (confidentiality),
  • not altered or destroyed in an unauthorized manner (integrity), and
  • accessible and usable on demand by persons authorized to view the patient’s PHI (availability) (45 CFR § 164.304).

Messages themselves constitute PHI and must be stored in the patient’s record. In fact, any communication that identifies a patient and concerns his or her condition, treatment, or payment generally constitutes PHI and should be treated as such. Because capturing these exchanges is not always convenient, many providers aren’t diligent about storing them in their patients’ records completely, accurately, promptly, and in their original form. However, if a communication method makes such storage impossible or impracticable, the provider should avoid the communication method—not avoid compliance.

2. Ask each of your communications vendors to sign your business associate agreement.

Providers are required to execute business associate agreements (BAAs) with all third parties who will create, receive, maintain, or transmit PHI on their behalf, including computer repair companies, messaging and voicemail vendors, and other technology vendors. (Carriers that merely transmit data without storing it, such as the phone company or an internet service provider, fall under HIPAA’s narrow “conduit” exception and generally do not need a BAA; a vendor that stores your messages does.) Your HIPAA policies may include a sample BAA, but some vendors prefer to use one created by their own legal department. Before you sign a business associate agreement, read it carefully to determine exactly which services it covers and under what circumstances it protects your patients’ PHI. For example, if you use Google Docs to store clinic-related documentation under a Google business-account BAA, check the BAA’s list of covered services: at the time of writing it did not extend to the Google Voice phone and voicemail service, which meant Google Voice could not be used for practice-related communication. The same check applies to every vendor: a BAA covers only the services it names.

3. Obtain the patient’s written consent for each communication method.

Even if a patient provided you with his or her email address and cell phone number, that doesn’t mean he or she gave you permission to contact him or her that way. Many patients prefer to be contacted at their home phone number in order to avoid disruption during the workday. Others may provide you with their work email address without thinking about how you might use that information, only to become upset when an employer (who has access to the account) learns about their medical conditions. 

When you collect your patients’ contact information, specifically request that they initial the communication methods through which they consent to receiving messages as well as the types of messages they consent to receiving. For example, do they authorize appointment reminders, billing updates, or substantive health-related correspondence? Remember, you risk violating the patient’s trust (and the law!) if you send messages in a manner that exposes PHI to the patient’s spouse, coworkers, or children.

4. Maintain a HIPAA policies and procedures manual.

This post assumes that you maintain sufficient written HIPAA policies and procedures to ensure compliance with your minimum obligations under the law. Those policies address each aspect of HIPAA by describing your organization’s specific practices. Thus, they inform your day-to-day practices, help protect you in the event of an audit, and enable you to build trust with your patients. Compliant HIPAA policies are very detailed and will describe your clinic’s practices for:

  • obtaining patient consent to communication,
  • indicating the form of communication a patient authorizes,
  • allowing the patient to revoke communication authorizations,
  • authorizing third-party communications, and
  • executing business associate agreements with communications and messaging vendors—just to name a few.

Your policy manual will include the form used to obtain patient consent to electronic communication, along with your procedures for ensuring the privacy and security of that communication. Remember to retain all HIPAA-related documentation for at least six years from the date it was created or last in effect (45 CFR § 164.316) and all patient records for the minimum length of time required by your state laws. You should regularly review—and ensure adherence to—your policy’s requirements for secure communications, including the risk-evaluation practices described next.

5. Regularly evaluate the risk associated with electronic messages.

Your policy manual will also include your most recent risk assessment, during which you (or your attorney):

  • performed an in-depth evaluation of how your practices intersect with HIPAA’s Privacy and Security Rules and applicable state privacy laws,
  • surfaced any potential privacy risks, and
  • developed a plan for mitigating those risks.

This documentation (and your adherence to its requirements) will help protect you in the event of a patient data breach or a government audit. Conduct a new risk assessment at least annually, and sooner if you experience personnel changes, adopt a new system or vendor, or encounter a security incident.

Keep in mind that your assessments of risk may evolve over time as your practice grows and technology changes. Critically evaluate the risk associated with your communication methods during each risk assessment, and change your practices if you determine that the security of your patients’ PHI may be in jeopardy.

6. Avoid social media messages.

Social media messaging is one of the least secure means of communication and should generally be avoided, especially to communicate PHI. I cannot imagine a situation in which your risk assessment would determine that social media messages are an appropriate means for communicating about PHI, especially given the availability of free or low-cost email or messaging services that offer heightened (if still imperfect) communication security. To dissuade your patients from engaging in these types of messages, be sure that your social media channels and email footer display appropriate online engagement terms and conditions. If a patient does message you about his or her care on a social platform, don’t reply in kind; move the conversation to an approved channel and document the exchange in the patient’s record.

7. Use secure Internet connections.

Always, always use a secure Internet connection when accessing a patient’s PHI! This rule applies to completing EMR documentation, responding to emails, and—yes—texting a patient or colleague about a patient’s health. Steer clear of coffee shop and airplane wireless networks; use your practice’s encrypted networks for these tasks. If you must work from an untrusted network, connect through your practice’s VPN so that traffic is encrypted between your device and the practice network, and confirm that your EMR and email are reached only over encrypted (HTTPS/TLS) connections. If you’ll be away from a secure connection for an extended period of time, schedule an auto-response message and ask a colleague to respond to messages from a secure setting on your behalf.

8. Know your financial risk, because the penalties are massive.

Providers who violate these rules may be subject to government-imposed civil money penalties of up to $50,000 per violation—with a continuing violation counted per day—up to an annual cap per provision violated (45 CFR § 160.404). That doesn’t include the damages affected patients may pursue in court: HIPAA itself creates no private right of action, but a breach commonly supports state-law claims such as negligence or invasion of privacy. Each year, regulators step up enforcement efforts against providers, and privacy audits often uncover a myriad of noncompliant activities when a practice lacks a legally sufficient privacy policy.

9. Call your attorney immediately if you send a message to the wrong person.

When a breach of unsecured PHI affects 500 or more patients, it must be reported to HHS and to prominent media outlets within 60 days of discovery, regardless of the cause. Even a breach that affects a single patient must be reported to that patient, logged, and submitted to HHS in your annual breach report, and it may trigger an investigation (HITECH Act, 42 U.S.C. 17921(1)(A); 45 CFR §§ 164.404–164.408). A misdirected message may fall under one of the statute’s narrow exceptions—for example, an inadvertent disclosure to another authorized person in your practice that goes no further—but that determination requires a documented risk assessment, and the 60-day clock starts at discovery, which is why you should involve your attorney immediately rather than deciding on your own that “no harm was done.”

10. Scrutinize third-party patient messaging apps for HIPAA compliance.

This seems counterintuitive at first—why would an app created to ensure secure patient messaging not be HIPAA-compliant? There are two main reasons this might be true:

  1. HIPAA compliance can be expensive (just consider the cost of your HIPAA policies, implementation guidance, and risk assessments), and
  2. those who create these apps often are not healthcare providers themselves. Unless they hire a healthcare attorney, they may be unaware of the complexity, nuance, and stringency of HIPAA law.

Before adopting any such app, ask the vendor to sign your BAA (see item 2) and to explain how messages are encrypted in transit and at rest, how long they are retained, and how they can be exported into the patient’s record (see item 1). A vendor that won’t sign a BAA cannot lawfully handle your patients’ PHI, no matter what its marketing says.

In this day and age, there are a lot of different ways for healthcare providers to communicate with their patients. But, some come with more legal risk than others, and it pays—literally—to understand, and guard against, that risk. What communication methods work best for you and your patients? Let us know in the comment section below.

Connor D. Jackson is a Chicago-based healthcare attorney with Jackson LLP Healthcare Lawyers. Connor works with small physical therapy practices and regularly advises his clients about corporate and compliance matters, including HIPAA, the False Claims Act, Medicare, and scope of practice. Connor enjoys working with clients to create their ideal practice environment and to quell their compliance concerns. As a former litigator, Connor understands the financial and emotional cost of litigation, and he collaborates with his clients to minimize the risk of getting sued. You can email Connor at or follow him on Twitter at @cjacksonESQ.
