As emails and text messages have become ubiquitous, patient expectations around provider responsiveness have increased. Gone are the days when providers set aside time each afternoon to return calls; now, they can simply respond to their patients’ texts—but should they?

Many physical therapists, regardless of their practice model or patient population, are surprised to learn that they may not be allowed to interact with patients in the manner they—or their patients—prefer. These same providers are typically even more surprised to hear that these restrictions also apply to patient-related communications between them and their colleagues.

As you read this article, remember that each of these requirements applies regardless of communication type—voicemail, text, email, or social media message (collectively referred to as “messages” throughout this post)—or recipient. In other words, these tenets cover all types of messages between patients and providers as well as those between providers and colleagues.


1. Store the messages in the patient’s record.

The Health Insurance Portability and Accountability Act (HIPAA) requires that providers maintain the accuracy and availability of personally-identifiable health information, or protected health information (PHI). Per HIPAA, providers must maintain the confidentiality, integrity, and availability of all PHI that they create, receive, maintain, or transmit (45 CFR § 164.306). It is the provider’s responsibility to ensure that PHI is:

  • not disclosed to unauthorized individuals,
  • not unintentionally altered or destroyed, and
  • accessible and usable on-demand for individuals authorized to view a patient’s PHI (45 CFR § 164.304).

Messages themselves constitute PHI and must be stored in the patient’s record. In fact, all communication with or about a patient’s condition generally constitutes PHI and should be treated as such. Because this is not always possible, many providers aren’t diligent about storing these exchanges in an uncorrupted, accurate, immediate, and original manner in their patients’ records. However, if such storage is not possible or practicable, the provider should instead avoid the communication method—not avoid compliance.

2. Ask each of your communications vendors to sign your business associate agreement.

Providers are required to execute business associate agreements (BAAs) with all third parties who will encounter PHI, including computer repair companies, telecommunications providers, and other technology vendors. Your HIPAA policies may include a sample BAA, but some vendors prefer to use one created by their own legal department. Before you sign a business associate agreement, be sure you read over it carefully to determine the circumstances under which it will protect your patients’ PHI. For example, if you use Google Docs to store clinic-related documentation, you’ll note that your Google Business BAA does not extend to Google Voice, which is not a HIPAA-compliant phone and voicemail system. This means you cannot use Google Voice for practice-related communication.

3. Obtain the patient’s written consent for each communication method.

Even if a patient provided you with his or her email address and cell phone number, that doesn’t mean he or she gave you permission to contact him or her that way. Many patients prefer to be contacted at their home phone number in order to avoid disruption during the workday. Others may provide you with their work email address without thinking about how you might use that information, only to become upset when an employer (who has access to the account) learns about their medical conditions.

When you collect your patients’ contact information, specifically request that they initial the communication methods through which they consent to receiving messages as well as the types of messages they consent to receiving. For example, do they authorize appointment reminders, billing updates, or substantive health-related correspondence? Remember, you risk violating the patient’s trust (and the law!) if you send messages in a manner that exposes PHI to the patient’s spouse, coworkers, or children.

4. Maintain a HIPAA policies and procedures manual.

This post assumes that you maintain sufficient written HIPAA policies and procedures to ensure compliance with your minimum obligations under the law. Those policies address each aspect of HIPAA by describing your organization’s specific practices. Thus, they inform your day-to-day practices, help protect you in the event of an audit, and enable you to build trust with your patients. Compliant HIPAA policies are very detailed and will describe your clinic’s practices for:

  • obtaining patient consent to communication,
  • indicating the form of communication a patient authorizes,
  • allowing the patient to revoke communication authorizations,
  • authorizing third-party communications, and
  • executing business associate agreements with communications and messaging vendors—just to name a few.

Your policy manual will include the form used to obtain patient consent to electronic communication, along with your procedures for ensuring the privacy and security of that communication. Remember to retain all HIPAA-related documentation for at least six years and all patient records for the minimum length of time required by your state laws. You should regularly review—and ensure adherence to—your policy’s requirements for secure communications. This includes doing things like:

5. Regularly evaluate the risk associated with electronic messages.

Your policy manual will also include your most recent risk assessment, during which you (or your attorney):

  • performed an in-depth evaluation of how your practices intersect with various aspects of the privacy laws,
  • surfaced any potential privacy risks, and
  • developed a plan for mitigating those risks.

This documentation (and your adherence to its requirements) will help protect you in the event of a patient data breach or a government audit. Remember to conduct a new risk assessment at least annually, but more frequently if you experience personnel changes or security threats.

Keep in mind that your assessments of risk may evolve over time as your practice grows and technology changes. Critically evaluate the risk associated with your communication methods during each risk assessment, and change your practices if you determine that the security of your patients’ PHI may be in jeopardy.

6. Avoid social media messages.

Social media messaging is one of the least secure means of communication and should generally be avoided, especially to communicate PHI. I cannot imagine a situation in which your risk assessment would determine that social media messages are an appropriate means for communicating about PHI, especially given the availability of free or low-cost email or messaging services that offer heightened (if still imperfect) communication security. To dissuade your patients from engaging in these types of messages, be sure that your social media channels and email footer display appropriate online engagement terms and conditions.

7. Use secure Internet connections.

Always, always use a secure Internet connection when accessing a patient’s PHI! This rule applies to completing EMR documentation, responding to emails, and—yes—texting a patient or colleague about a patient’s health. Steer clear of coffee shop and airplane wireless networks; instead, use only your encrypted networks for these tasks. If you’ll be away from a secure connection for an extended period of time, schedule an auto-response message and ask a colleague to respond to messages from a secure setting on your behalf.

8. Know your financial risk, because the penalties are massive.

Providers who violate these rules may be subject to government-imposed fines of up to $50,000 per day—and this doesn’t even include the civil penalties that might be assessed by the individual patients who file lawsuits against the practice. Each year, regulators step up enforcement efforts against providers, and privacy audits often uncover a myriad of noncompliant activities when a practice lacks a legally sufficient privacy policy.

9. Call your attorney immediately if you send a message to the wrong person.

When a breach affects 500 or more patients, it must be reported, regardless of the cause. However, even if a breach affects a single patient, there’s a good chance the breach will need to be reported and that you will need to submit to an investigation (HITECH Act, 42 U.S.C. 17921(1)(A)).

10. Scrutinize third-party patient messaging apps for HIPAA compliance.

This seems counterintuitive at first—why would an app created to ensure secure patient messaging not be HIPAA-compliant? There are two main reasons this might be true:

  1. HIPAA compliance can be expensive (just consider the cost of your HIPAA policies, implementation guidance, and risk assessments), and
  2. those who create these apps often are not healthcare providers themselves. Unless they hire a healthcare attorney, they may be unaware of the complexity, nuance, and stringency of HIPAA law.

In this day and age, there are a lot of different ways for healthcare providers to communicate with their patients. But, some come with more legal risk than others, and it pays—literally—to understand, and guard against, that risk. What communication methods work best for you and your patients? Let us know in the comment section below.

Connor D. Jackson is a Chicago healthcare attorney with Jackson LLP. Connor works primarily with small physical therapy practices and regularly advises his clients about HIPAA compliance, scope of practice, liability concerns, privacy obligations, and new practice formation. Connor enjoys working with clients to create their ideal practice environment and to quell their compliance concerns. As a former litigator, Connor understands the financial and emotional cost of litigation, and he collaborates with his clients to minimize the risk of getting sued. You can email Connor at or follow him on Twitter at @cjacksonESQ.
