There was an interesting discussion in the Medicare group that I thought I would share with everyone regarding being a covered entity(CE) and using email and text to patients.
My question: if the patient gives written and signed authorization to use PHI in communication with them (ex. texts, emails, etc) and the patient is fully aware of the risks, is this allowed or is this still a violation of the rule? The rule states, “a CE may only use or disclose PHI if either (1) the HIPAA Privacy Rule specifically permits or requires it; or (2) the individual who is the subject of the information provides a written authorization”
Nancy Beckley (a very credible resource) responded: Yes, You are correct, but us compliance folks like to go to the source 🙂
also, Lawyer Kim Stanger gives a multidimensional answer on his blog that you may find helpful:
Here is your answer for many of you in a cash based practice, who want to use texting and email to communicate to your patients.
This will help a lot of you get some clarity on this topic.
Hope it helps