Does HIPAA really permit reminding patients to pick up their prescriptions?
We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?
The default answer of “it must be OK if CVS is doing it” is naive as it loses all of the context about what is and is not permitted and does not shed any insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.
Is it really PHI?
A prescription notice or an appointment reminder is PHI in many cases. From the definition of PHI, it is, succinctly, health-related information that is identifiable. Clearly, these are messages identifiable as they are coming to your phone (phone number) or email address… and those are explicit identifiers under HIPAA. “Medical information” relates to information about the “future provisioning of healthcare” (which is what an appointment reminder is) and also about “present medical conditions or care” (which a prescription notice would be).
So, yes. In most cases, these notices are PHI.
The grey area would be a message that is excessively generic. For example: “You have a prescription ready for pick up at CVS.” This is about your current medical care … but it is so generic it says nothing other than that you are under medical treatment for something. It is technically PHI, but might slide. If the message instead ended with something like “… pick up at the Acme AIDs Clinic” instead of “at CVS” … then there would not be any gray area at all.
Is sending these messages permitted?
Many people and government organizations have had a lot to say about sending these notices. Reading through them can be confusing. Here is a simple breakdown of some of the major areas:
- The notices are not “marketing messages.” The government has guidance that exempts communications about prescriptions reminders from being considered “marketing” for the drugs in question. This gives healthcare facilities greater flexibility in communicating this information to patients and allows for them to disclose prescription information to third parties as needed for this process (e.g. to CVS). This guidance removes 1 obstacle in sending the notices: the laws against encouraging patients to buy specific drugs.
- The FCC allows it. The FCC (Federal Communications Commission) has many rules about what kinds of communications are allowed and which are restricted. E.g. sending unsolicited email is restricted by the CAN-SPAM act. They also have rules about robot-calls and texts — restricting an organization from calling, faxing, or texting to solicit business unless that person has given prior express consent to be contacted. The FCC exempts healthcare-related messages from these restrictions.
- HIPAA allows it. HIPAA’s Privacy rule permits providers to communicate with patients regarding their healthcare.
So — it is permitted to send patients appointment reminders, prescription notices, and the like. It is permitted in the sense that you do not need the patient’s prior consent to send the message and you will not get in trouble with the government because you are sending the message.
The big question: How can I send them?
Just because you are permitted to send message … does not mean that you are free to choose any method of delivery.
For a long time, it has been OK to send these messages via postal mail and phone message (which is not yet considered form or electronic communication — go figure). Back in 2002, the government issued guidance about this very topic and we still can get phone call reminders today, and that seems to be fine. Even messages left on answering machines are considered OK (though that seems to be a gray area to me … like sending FAXes is).
What people really want are email and text message notices and reminders. These types of messages are clearly electronic and thus fall squarely under HIPAA’s Security Rule and its requirements for encryption, authentication, etc.
Combining what we have learned, text message and email message notices and requests can be sent without the recipients’ prior authorization as long as these messages are properly secured according to the HIPAA Security Rule. This means … no insecure emails or regular text messages. It does mean encryption, recipient identity verification, logging, and all the trappings of HIPAA compliance.
You can get around the need for encryption. HIPAA permits patients to consent to receive insecure messages if they have been advised on the risks involved and if a (secure) alternative is available. This is called “Mutual Consent“.
You may notice, that before you start getting text-message notices from CVS, you had to approve that it is OK. This is their “mutual consent” agreement. To the extent that they provide good alternatives to insecure texting, provide sufficient training to the patient on the risks of insecure messages, and otherwise meet all of the facets of mutual consent … that is complicated, nuanced, and really, really a gray area.
What should you do if you wish to send notices and reminders?
Be sure to invest in a secure email and/or secure text solution for communicating with your patients. These are inexpensive and easy to use, so the bar is low enough that there is no excuse under HIPAA for not using them. Be sure that you follow the best practices for consent if you wish to send insecure notices. And finally, be sure that you are keeping your own HIPAA-compliance up-to-date with yearly reviews, risk analyses, etc.
- SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.
- To Text or Not To Text: Texting under HIPAA
- How to Setup HIPAA Mutual Consent for Insecure Email at LuxSci
- HIPAA Compliance is Needed for Emailed Appointment Reminders
- Press Release: How To Text and Remain HIPAA-compliant