Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Does HIPAA Allow Mutual Consent?

What Does the HIPAA Privacy Rule Say About Email, Texting, and Mutual Consent?

The HIPAA Privacy Rule does not explicitly forbid unencrypted email, but it does state that “…other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.”

The Department of Health and Human Services (HHS) has further clarified this by stating that “…covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”

The response goes on to state that covered entities are not responsible for educating individuals about information security, and that all they have to do is notify them that “…there may be some level of risk that the information in the email could be read by a third party.”

If individuals are notified of the risks, but still choose to receive their ePHI through unprotected email, “…covered entities are not responsible for unauthorized access…” from the transmission, nor are they responsible for keeping the data safe once it has been delivered.

Some organizations may see the last line as a loophole that they can use to evade the burdens of HIPAA. Organizations should be aware that using mutual consent to avoid email encryption can actually create more problems than it solves.

Mutual Consent, Patient Waivers, and the Dangers to ePHI

You may think that mutual consent gives your organization a way to circumvent the hassle of securing ePHI communications. Simply have your office staff collect mutual consent waivers from your patients and you are good to go, right? However, the situation is more complicated than that.

We understand that cybersecurity and compliance are challenging, but ignoring them can lead to catastrophe. Patients may not realize it, but their ePHI is powerful. It can include significant amounts of personal information, in addition to a host of their medical details, treatment information, and payment data.

This mix is a recipe for disaster. If ePHI falls into the wrong hands, patient identities could be stolen, their intimate medical details made public, and a range of other cybercrimes could be committed against them.

A breach has the potential to seriously upend their lives. Even worse, it is incredibly easy for this data to fall into the wrong hands. All it takes is an employee mistake and countless patients could have their data compromised. When data isn’t sent securely, all a hacker has to do is intercept it.

Do Patient Waivers and Mutual Consent Really Help Your Organization?

Obtaining mutual consent through patient waivers may allow you to use text messages and insecure email for communicating ePHI. However, sending insecurely creates opportunities for hackers to access sensitive data. Having patients sign mutual consent waivers may protect your organization from a HIPAA violation if a breach occurs, but the long-term consequences of the data exposure remain.

If your patients have their data compromised and spend years trying to combat identity theft, how do you think they will feel? Even if they signed the patient waiver, they may still be angry at your company. Most people don’t understand the dangers of insecure communications, nor do they know how badly a data breach can affect their lives.

Sure, your company could be protected from fines or penalties, but do you really want a bunch of angry patients? While obtaining mutual consent may make it marginally easier to communicate, a breach could ultimately tarnish your reputation.

Mutual Consent: A Legal Gray Area

Mutual consent waivers for insecure ePHI transmission can put your organization in the midst of a legal quagmire. While there does seem to be somewhat of a loophole surrounding mutual consent and insecure communication of ePHI, it is a legal gray area.

Even with a patient waiver, your organization is responsible for determining the level of risk in sending the ePHI, and also the degree of security a particular communication merits. In a HIPAA audit, you would have to show that you adequately addressed the risks with everyone’s best interests in mind.

With the risk to the ePHI and the murky legal waters in mind, we recommend that your organization strongly encourage its patients to exclusively receive their ePHI via encrypted services like LuxSci’s Secure Email and Secure Text. Although patients may not have a deep understanding of technology, you are doing them a favor by enforcing secure communication methods.

Note that this is not legal advice. You should always contact your lawyer for advice on how HIPAA applies specifically to your situation and for clarification on gray areas of the law such as this.

What if Patients Insist on Insecure Email and Texts?

If you have tried to inform your patients of the risks and they insist on receiving ePHI in normal texts or email, proceed with caution before hitting send. You should:

  • Clearly warn the patient of the risks and document the process.
  • Make them sign a form to opt in, so that you have it in writing.
  • Try to avoid sending highly sensitive information like test results, personal information and payment details. Keep all ePHI transmissions to a minimum, and share as much as possible in person instead.
  • Document each step in your HIPAA risk analysis.
  • Securely archive copies of every email and text, whether it was sent in a secure or insecure manner.
  • Review all of your plans with a lawyer who specializes in HIPAA before sending ePHI over text or email.

It’s important for your organization to keep up-to-date records of signed mutual consent waivers. If it doesn’t, your company could face severe HIPAA penalties. It’s easy to see how mutual consent waivers can become a burden on your office staff. Instead, we recommend adopting secure email and texting for all communication to protect ePHI.