Are Prescription Notifications HIPAA-Compliant?

December 14th, 2021

It is common to receive calls and text messages from pharmacies, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. Have you ever wondered if these prescription notifications are HIPAA-compliant?

Just because every pharmacy seems to send them, it doesn’t mean that they are aware of the compliance requirements. Let’s look into the context and learn how to securely remind patients of prescription refills and appointments.

prescription notifications hipaa compliant

IS A PRESCRIPTION NOTICE OR APPOINTMENT REMINDER REALLY PHI?

First of all, it’s worth discussing if a prescription reminder even counts as protected health information, or PHI. In many cases, a prescription notice or an appointment reminder is PHI. Let’s look at a simple definition: PHI is health-related information that is individually identifiable. Prescription notifications and appointment reminders contain identifying information as they are coming to your cell phone or email address. Those are explicit unique identifiers under HIPAA.

Health-related information includes information about the “future provisioning of healthcare” (an appointment reminder) and also “present medical conditions or care” (a prescription notification).

So, yes. In most cases, these notices are PHI.

However, HIPAA and ePHI are famously vague and open to interpretation. An excessively generic message may not be considered ePHI. For example: “You have a prescription ready for pick up at CVS.” This is about your current medical care, but it is so generic it says nothing other than that you are under medical treatment for something. It is technically PHI, but might be vague enough to escape scrutiny.

It’s easy for this message to become PHI. If the message ended with something like “pick up at the Acme Cancer Clinic” instead of “at CVS,” then any reasonable person would understand that the message was intended for someone with cancer. Therefore, it disclosed information about that person’s medical condition in violation of HIPAA.

IS SENDING PRESCRIPTION NOTIFICATION MESSAGES PERMITTED?

Many government organizations have weighed in on sending these notices. Reading through them can be confusing. Here is a simple breakdown of some of the major areas:

  1. The notices are not “marketing messages.” The government has issued guidance that exempts communications about prescriptions reminders from being considered “marketing” for the drugs in question. This gives healthcare facilities greater flexibility in communicating this information to patients and allows for them to disclose prescription information to third parties as needed for this process (e.g. to CVS). This guidance removes one obstacle in sending the notices: the laws against encouraging patients to buy specific drugs.
  2. The FCC allows it. The FCC (Federal Communications Commission) has many rules about what kinds of communications are allowed and which are restricted. For example, the CAN-SPAM Act forbids the sending of unsolicited email. They also have rules about robocalls and texts that restrict an organization from calling, faxing, or texting to solicit business unless that person has given prior express consent to be contacted. The FCC exempts healthcare-related messages from these restrictions.
  3. HIPAA allows it. HIPAA’s Privacy Rule permits providers to communicate with patients regarding their healthcare.

So, yes, you can send appointment reminders, prescription notices, and similar messages. You do not need the patient’s prior consent to send the message and you will not get in trouble with the government because you are sending the message.

THE BIG QUESTION: HOW CAN I SEND HIPAA-COMPLIANT PRESCRIPTION NOTIFICATIONS?

Just because you are permitted to send a message, does not mean that you are free to choose any method of delivery.

For a long time, it has been okay to send these messages via postal mail and phone calls. Back in 2002, the government issued guidance about this very topic and confirmed it is okay to send phone call reminders. Even messages left on answering machines are okay. However, it depends on how much information is divulged in the message. It’s best to keep those messages relatively generic to avoid issues. You never know who could be listening!

Today, most people prefer to be contacted via email or text message because of the widespread adoption of mobile devices. These types of messages are clearly electronic and thus fall squarely under HIPAA’s Security Rule and are subject to its requirements for encryption, authentication, etc.

Combining what we have learned, text message and email message notices and requests can be sent without the recipients’ prior authorization as long as these messages are properly secured according to the HIPAA Security Rule. This means no insecure emails or regular text messages. It does mean encryption, recipient identity verification, logging, and all the trappings of HIPAA compliance. Review our HIPAA Email Checklist if you need a refresher on how to secure email communications.

Patient Waivers and Mutual Consent

You can get around the need for encryption by having patients sign waivers acknowledging the risk. HIPAA allows patients to give consent to receive insecure messages. However, they must be advised on the risks involved and informed if a (secure) alternative is available. This is called “Mutual Consent.”

It’s possible that before you started receiving text messages from your pharmacy, that you had to check a box or otherwise give consent to receive insecure text messages. This is an example of a mutual consent agreement. To the extent that they provide good alternatives to insecure texting, provide sufficient training to the patient on the risks of insecure messages, and otherwise meet all of the facets of mutual consent, it is complicated, nuanced, and really, really a gray legal area.

Mutual consent waivers work, but we wouldn’t recommend them. It requires keeping careful track of exactly who has given consent, withdrawn it, and not opted in. Maintaining this system can be time-consuming and as you can imagine, is easy to mess up.

WHAT SHOULD YOU DO IF YOU WISH TO SEND HIPAA-COMPLIANT PRESCRIPTION NOTIFICATIONS AND REMINDERS?

The best way to send HIPAA-compliant prescription notifications is by adopting a secure email and/or secure texting solution for all communications with your patients. By opting for a secure solution, you never have to wonder if a message contains PHI or not. You never have to keep mutual consent logs or worry about errors causing a breach. By opting for a compliant solution, you are reducing your risk and protecting sensitive patient data.