As emails and text messages have become ubiquitous, patient expectations around provider responsiveness have increased. Gone are the days when providers set aside time each afternoon to return calls; now, they can simply respond to their patients’ texts—but should they?

Many physical therapists, regardless of their practice model or patient population, are surprised to learn that they may not be allowed to interact with patients in the manner they—or their patients—prefer. These same providers are typically even more surprised to hear that these restrictions also apply to patient-related communications between them and their colleagues.

As you read this article, remember that each of these requirements applies regardless of communication type—voicemail, text, email, or social media message (collectively referred to as “messages” throughout this post)—or recipient. In other words, these tenets cover all types of messages between patients and providers as well as those between providers and colleagues.

1. Store the messages in the patient’s record.

The Health Insurance Portability and Accountability Act (HIPAA) requires that providers maintain the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that they create, receive, maintain, or transmit (45 CFR § 164.306); the Privacy Rule extends comparable protections to PHI in any other form. It is the provider's responsibility to ensure that PHI is:

  • not disclosed or made available to unauthorized individuals (confidentiality),
  • not altered or destroyed in an unauthorized manner (integrity), and
  • accessible and usable on demand by individuals authorized to view it (availability) (45 CFR § 164.304).

Messages themselves constitute PHI and must be stored in the patient's record. In fact, any communication with a patient, or about a patient's condition, generally constitutes PHI and should be treated as such. Because capturing a text or voicemail in the chart is not always convenient, many providers aren't diligent about preserving these exchanges in the patient's record completely, accurately, promptly, and in their original form. If a communication method cannot be captured this way, the right response is to avoid that method, not to skip the record-keeping.

2. Ask each of your communications vendors to sign your business associate agreement.

Providers are required to execute business associate agreements (BAAs) with all third parties who will create, receive, maintain, or transmit PHI on their behalf, including computer repair companies, hosted email and voicemail services, and other technology vendors. (A carrier that merely transmits data, such as an Internet service provider or the phone company, falls under HHS's "conduit" exception; a vendor that stores your messages, even temporarily, does not.) Your HIPAA policies may include a sample BAA, but some vendors prefer to use one created by their own legal department. Before you sign a business associate agreement, read it carefully to determine which services it covers and under what circumstances it protects your patients' PHI. A BAA typically covers only the services the vendor lists, and that list changes over time, so check it for every service you intend to use. For example, if you use Google Docs to store clinic-related documentation under a Google Business BAA and Google Voice is not among the covered services, then Google Voice is not a HIPAA-compliant phone and voicemail system for your practice, and you cannot use it for practice-related communication.

3. Obtain the patient’s written consent for each communication method.

Even if a patient provided you with his or her email address and cell phone number, that doesn’t mean he or she gave you permission to contact him or her that way. Many patients prefer to be contacted at their home phone number in order to avoid disruption during the workday. Others may provide you with their work email address without thinking about how you might use that information, only to become upset when an employer (who has access to the account) learns about their medical conditions. 

When you collect your patients’ contact information, specifically request that they initial the communication methods through which they consent to receiving messages as well as the types of messages they consent to receiving. For example, do they authorize appointment reminders, billing updates, or substantive health-related correspondence? Remember, you risk violating the patient’s trust (and the law!) if you send messages in a manner that exposes PHI to the patient’s spouse, coworkers, or children.

4. Maintain a HIPAA policies and procedures manual.

This post assumes that you maintain sufficient written HIPAA policies and procedures to ensure compliance with your minimum obligations under the law. Those policies address each aspect of HIPAA by describing your organization’s specific practices. Thus, they inform your day-to-day practices, help protect you in the event of an audit, and enable you to build trust with your patients. Compliant HIPAA policies are very detailed and will describe your clinic’s practices for:

  • obtaining patient consent to communication,
  • indicating the form of communication a patient authorizes,
  • allowing the patient to revoke communication authorizations,
  • authorizing third-party communications, and
  • executing business associate agreements with communications and messaging vendors—just to name a few.

Your policy manual will include the form used to obtain patient consent to electronic communication, along with your procedures for ensuring the privacy and security of that communication. Remember to retain all HIPAA-related documentation for at least six years from the date it was created or was last in effect (45 CFR § 164.316(b)(2)), and all patient records for the minimum period required by your state's laws. Regularly review, and ensure adherence to, your policy's requirements for secure communications, starting with the practices described in the remaining items below.

5. Regularly evaluate the risk associated with electronic messages.

Your policy manual will also include your most recent risk assessment, during which you (or your attorney or security consultant):

  • performed an in-depth evaluation of how your practices intersect with the privacy and security rules, including the threats and vulnerabilities affecting the PHI you hold,
  • identified the resulting privacy and security risks, and
  • developed a plan for mitigating those risks.

This documentation (and your adherence to its requirements) will help protect you in the event of a patient data breach or a government audit. Conduct a new risk assessment at least annually, and sooner if you experience personnel changes, adopt a new system or communication method, or suffer a security incident.

Keep in mind that your assessments of risk may evolve over time as your practice grows and technology changes. Critically evaluate the risk associated with your communication methods during each risk assessment, and change your practices if you determine that the security of your patients’ PHI may be in jeopardy.

6. Avoid social media messages.

Social media messaging is one of the least secure means of communication and should generally be avoided, especially for PHI: the platform operator holds a copy of every message, is unlikely to sign a BAA, and offers no reliable way to preserve the exchange in the patient's record. I cannot imagine a situation in which your risk assessment would determine that social media messages are an appropriate means for communicating about PHI, especially given the availability of free or low-cost email or messaging services that offer heightened (if still imperfect) communication security. To dissuade your patients from engaging in these types of messages, be sure that your social media channels and email footer display appropriate online engagement terms and conditions.

7. Use secure Internet connections.

Always, always use a secure Internet connection when accessing a patient's PHI! This rule applies to completing EMR documentation, responding to emails, and, yes, texting a patient or colleague about a patient's health. Steer clear of coffee shop and airplane wireless networks; instead, use only your own encrypted networks for these tasks. The network alone is not the safeguard, though: even on a trusted network, confirm that your EMR and email clients connect over encrypted channels (HTTPS/TLS), and if you must work away from the office, connect through your practice's VPN so that traffic is protected regardless of the network you are on. If you'll be away from a secure connection for an extended period of time, schedule an auto-response message and ask a colleague to respond to messages from a secure setting on your behalf.

8. Know your financial risk, because the penalties are massive.

Providers who violate these rules may be subject to government-imposed civil monetary penalties of up to $50,000 per violation, with a continuing violation counted for each day it persists, up to an annual cap (originally $1.5 million, adjusted for inflation) for violations of the same provision (45 CFR § 160.404). That doesn't even include the damages sought by patients who sue the practice; HIPAA itself creates no private right of action, but patients can and do sue under state privacy and negligence law. Each year, regulators step up enforcement efforts against providers, and privacy audits often uncover a myriad of noncompliant activities when a practice lacks a legally sufficient privacy policy.

9. Call your attorney immediately if you send a message to the wrong person.

A message sent to the wrong person is an impermissible disclosure and is presumed to be a breach of unsecured PHI unless a documented risk assessment shows a low probability that the PHI was compromised (45 CFR § 164.402). When a breach affects 500 or more patients, you must notify the affected individuals, HHS, and prominent media outlets within 60 days of discovery, regardless of the cause. Even a breach affecting a single patient must be reported to that patient within 60 days and logged for the annual report to HHS, and it may trigger an investigation (HITECH Act, 42 U.S.C. § 17921(1)(A); 45 CFR §§ 164.400–414). Because the 60-day clock starts at discovery, involve your attorney immediately rather than waiting to see whether the recipient responds.

10. Scrutinize third-party patient messaging apps for HIPAA compliance.

This seems counterintuitive at first. Why would an app created for secure patient messaging not be HIPAA-compliant? There are two main reasons this might be true:

  1. HIPAA compliance can be expensive (just consider the cost of your HIPAA policies, implementation guidance, and risk assessments), and
  2. those who create these apps often are not healthcare providers themselves. Unless they hire a healthcare attorney, they may be unaware of the complexity, nuance, and stringency of HIPAA law.

Before adopting any such app, apply the same tests described above: the vendor must sign a BAA, the app must encrypt messages in transit and at rest, and it must let you export each exchange into the patient's record. An app that fails any of these is not compliant, no matter what its marketing says.

In this day and age, there are a lot of different ways for healthcare providers to communicate with their patients. But, some come with more legal risk than others, and it pays—literally—to understand, and guard against, that risk. What communication methods work best for you and your patients? Let us know in the comment section below.

Connor D. Jackson is a Chicago healthcare attorney with Jackson LLP. Connor works primarily with small physical therapy practices and regularly advises his clients about HIPAA compliance, scope of practice, liability concerns, privacy obligations, and new practice formation. Connor enjoys working with clients to create their ideal practice environment and to quell their compliance concerns. As a former litigator, Connor understands the financial and emotional cost of litigation, and he collaborates with his clients to minimize the risk of getting sued. You can email Connor at or follow him on Twitter at @cjacksonESQ.